416 Configuring AAA for Network Users320657-AWays an WSS Switch Can Use EAPNetwork users with 802.1X support cannot access the network unless they are authenticated. You can configure an WSSswitch to authenticate users with EAP on a group of RADIUS servers and/or in a local user database on the WSS, or tooffload some authentication tasks from the server group. Table 29 on page 416 details these three basic WSS authentica-tion approaches.(For information about digital certificates, see “Managing Keys and Certificates,” on page 379.)Table 29: Three Basic WSS Approaches to EAP AuthenticationApproach DescriptionPass-through An EAP session is established directly between the client and RADIUS server, passingthrough the WSS switch. User information resides on the server. All authenticationinformation and certificate exchanges pass through the switch or use client certificates issuedby a certificate authority (CA). In this case, the switch does not need a digital certificate,although the client might.Local The WSS switch performs all authentication using information in a local user databaseconfigured on the switch, or using a client-supplied certificate. No RADIUS servers arerequired. In this case, the switch needs a digital certificate. If you plan to use the EAP withTransport Layer Security (EAP-TLS) authentication protocol, the clients also needcertificates.Offload The WSS switch offloads all EAP processing from a RADIUS server by establishing a TLSsession between the switch and the client. In this case, the switch needs a digital certificate. Ifyou plan to use the EAP-TLS authentication protocol, the clients also need certificates. Whenyou use offload, RADIUS can still be used for non-EAP authentication and authorization.