Configuring AAA for Network Users 417
Nortel WLAN Security Switch 2300 Series Configuration Guide

Effects of Authentication Type on Encryption Method

Wireless users who are authenticated on an encrypted service set identifier (SSID) can have their data traffic encrypted by the following methods:
• Wi-Fi Protected Access (WPA) encryption
• Non-WPA dynamic Wired Equivalent Privacy (WEP) encryption
• Non-WPA static WEP encryption

(For encryption details, see “Configuring User Encryption,” on page 191.)

The authentication method you assign to a user determines the encryption available to the user. Users configured for EAP authentication, MAC authentication, Web, or last-resort authentication can have their traffic encrypted as follows:

EAP Authentication       MAC Authentication                       Last-Resort Authentication               Web-based AAA
WPA encryption           Static WEP                               Static WEP                               Static WEP
Dynamic WEP encryption   No encryption (if SSID is unencrypted)   No encryption (if SSID is unencrypted)   No encryption (if SSID is unencrypted)

Wired users are not eligible for the encryption performed on the traffic of wireless users, but they can be authenticated by an EAP method, a MAC address, a Web login page served by the WSS switch, or a last-resort username.

Configuring 802.1X Authentication

The IEEE 802.1X standard is a framework for passing EAP protocols over a wired or wireless LAN. Within this framework, you can use TLS, PEAP-TTLS, or EAP-MD5. Most EAP protocols can be passed through the WSS switch to the RADIUS server. Some protocols can be processed locally on the WSS switch.

The following 802.1X authentication command allows differing authentication treatments for multiple users:

    set authentication dot1x {ssid ssid-name | wired} user-wildcard [bonded] protocol method1 [method2] [method3] [method4]

For example, the following command authenticates wireless user Tamara, when requesting SSID wetlands, as an 802.1X user using the PEAP-MS-CHAP-V2 method through the server group shorebirds, which contains one or more RADIUS servers:

    23x0# set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds

When a user attempts to connect through 802.1X, the following events occur:

1 For each 802.1X login attempt, WSS Software examines each command in the configuration file in strict configuration order.
2 The first command whose SSID and user wildcard match the SSID and incoming username is used to process this authentication. The command determines exactly how this particular login attempt is processed by the WSS switch.

(For more information about user wildcards, see “User Wildcards” on page 39.)
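
The first-match processing described above, as an added example (not code from the guide or from WSS Software): a small model that parses set authentication dot1x commands in configuration order and reports which command handles a login and which later matching commands are never reached. The wildcard matching (Python fnmatch, case-sensitive) and the server groups herons and egrets are assumptions; the switch's own wildcard rules are in “User Wildcards”.

```python
import fnmatch

# Constructed sample configuration in file order. Only the first command is
# from the guide; server groups "herons" and "egrets" are made up.
SAMPLE_CONFIG = """\
set authentication dot1x ssid wetlands Tamara peap-mschapv2 shorebirds
set authentication dot1x ssid wetlands * peap-mschapv2 herons
set authentication dot1x ssid wetlands admin-* peap-mschapv2 egrets
set authentication dot1x wired * peap-mschapv2 shorebirds
"""

def parse_rules(text):
    """Parse 'set authentication dot1x' commands, keeping configuration order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if tok[:3] != ["set", "authentication", "dot1x"]:
            continue
        rest = tok[3:]
        if rest[:1] == ["ssid"] and len(rest) > 1:
            scope, rest = ("ssid", rest[1]), rest[2:]
        elif rest[:1] == ["wired"]:
            scope, rest = ("wired", None), rest[1:]
        else:
            raise ValueError(f"line {lineno}: expected 'ssid <name>' or 'wired'")
        bonded = rest[1:2] == ["bonded"]
        # fields = wildcard, protocol, then one to four methods
        fields = rest[:1] + rest[(2 if bonded else 1):]
        if not 3 <= len(fields) <= 6:
            raise ValueError(f"line {lineno}: need wildcard, protocol, 1-4 methods")
        rules.append({"line": lineno, "scope": scope, "wildcard": fields[0],
                      "bonded": bonded, "protocol": fields[1], "methods": fields[2:]})
    return rules

def matching_rules(rules, username, ssid=None):
    """All rules matching this login, in order (ssid=None means a wired user)."""
    scope = ("ssid", ssid) if ssid else ("wired", None)
    # Assumption: shell-style, case-sensitive wildcard matching.
    return [r for r in rules
            if r["scope"] == scope and fnmatch.fnmatchcase(username, r["wildcard"])]

def resolve(rules, username, ssid=None):
    """First match wins; any later matching rules are never consulted."""
    hits = matching_rules(rules, username, ssid)
    return hits[0] if hits else None

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for user in ("Tamara", "admin-lee"):
        hits = matching_rules(rules, user, "wetlands")
        print(user, "-> line", hits[0]["line"], "shadows", [r["line"] for r in hits[1:]])
```

In the sample, the admin-* command on line 3 is never used because the broader * command on line 2 precedes it; placing specific wildcards before general ones avoids this.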