116 Configuring a 2370, 2360, or 2380 Switch for Basic Service
320656-A

requested), and that uses the Extensible Authentication Protocol (EAP) requested by the NIC. If a matching rule is found, WSS Software uses the requested EAP to check the RADIUS server group or local database for the username and password entered by the user. If matching information is found, WSS Software grants access to the user.

• MAC—If the username does not match an 802.1X authentication rule, but the MAC address of the user’s NIC or Voice-over-IP (VoIP) phone and the SSID (if wireless) do match a MAC authentication rule, WSS Software checks the RADIUS server group or local database for matching user information. If the MAC address (and password, if on a RADIUS server) matches, WSS Software grants access. Otherwise, WSS Software attempts the fallthru authentication type, which can be Web, last-resort, or none.

• Web—A network user attempts to access a web page over the network. The WSS intercepts the HTTP or HTTPS request and serves a login Web page to the user. The user enters the username and password, and WSS Software checks the RADIUS server group or local database for matching user information. If the username and password match, WSS Software redirects the user to the web page she requested. Otherwise, WSS Software denies access to the user.

• Last-resort—A network user requests access to the network, without entering a username or password. WSS Software checks for a last-resort authentication rule for the requested SSID (or for wired, if the user is on a wired authentication port). If a matching rule is found, WSS Software checks the RADIUS server group or local database for username last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the user information is on a RADIUS server, WSS Software also checks for a password.

Users cannot access the network unless they are authorized.
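The order in which the authentication types above are tried, as a simplified Python model added here (not WSS Software code or part of the original guide). The rule and database layouts, the per-SSID fallthru table, the sample values and the use of fnmatch patterns in place of the product's glob syntax are assumptions.

```python
from fnmatch import fnmatchcase

# Simplified model of the rule order described above. The rule, client and
# database layouts are assumptions made for this example, not WSS Software
# structures, and fnmatch patterns stand in for the product's glob syntax.

def _covers(rule, kind, ssid, value):
    """True if a rule of this kind applies to the SSID and user/MAC value."""
    return (rule["type"] == kind and rule["ssid"] == ssid
            and value is not None
            and fnmatchcase(value.lower(), rule["glob"].lower()))

def auth_attempts(client, rules, fallthru, mac_db):
    """List the authentication types tried for a client, in order.

    client:   {"ssid": str, "username": str or None, "mac": str}
    rules:    [{"type": "dot1x" or "mac", "ssid": str, "glob": str}, ...]
    fallthru: {ssid: "web" | "last-resort" | "none"}
    mac_db:   set of MAC addresses present in the user database
    """
    ssid, mac = client["ssid"], client["mac"].lower()
    if any(_covers(r, "dot1x", ssid, client["username"]) for r in rules):
        return ["dot1x"]            # credentials are then checked via EAP
    attempts = []
    if any(_covers(r, "mac", ssid, mac) for r in rules):
        attempts.append("mac")
        if mac in mac_db:
            return attempts         # MAC found in the database: access granted
    attempts.append(fallthru.get(ssid, "none"))
    return attempts

# Constructed sample configuration and clients.
RULES = [
    {"type": "dot1x", "ssid": "corp", "glob": "*@example.com"},
    {"type": "mac", "ssid": "voice", "glob": "00:0b:ab:*"},
]
FALLTHRU = {"corp": "none", "voice": "web", "guest": "last-resort"}
MAC_DB = {"00:0b:ab:12:34:56"}

if __name__ == "__main__":
    for c in [
        {"ssid": "corp", "username": "alice@example.com", "mac": "aa:bb:cc:00:00:01"},
        {"ssid": "voice", "username": None, "mac": "00:0b:ab:12:34:56"},
        {"ssid": "voice", "username": None, "mac": "00:0b:ab:ff:ff:ff"},
        {"ssid": "guest", "username": None, "mac": "aa:bb:cc:00:00:02"},
    ]:
        print(c["ssid"], c["mac"], "->", auth_attempts(c, RULES, FALLTHRU, MAC_DB))
```

The "guest" case shows why a last-resort fallthru deserves review: a client that presents no username and matches no MAC rule still reaches an authentication type that asks for no credentials.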
You can configure a WSS to authenticate users with user information on a group of RADIUS servers or in a local user database on the switch. You also can configure a switch to offload some authentication tasks from the server group.

• Pass-through—The switch establishes an Extensible Authentication Protocol (EAP) session directly between the client and RADIUS server. All authentication information and certificate exchanges pass through the switch. In this case, the switch does not need a certificate.

• Local—The switch performs all authentication with information in a local user database configured on the switch. No RADIUS servers are required. In this case, the switch needs a certificate. If you plan to use EAP with Transport Layer Security (EAP-TLS), the clients also need certificates.

• Offload—The switch offloads all EAP processing from a RADIUS server by establishing a TLS session between the switch and the client. In this case, the switch needs a certificate. If you plan to use the EAP-TLS authentication protocol, the clients also need certificates.

This section provides examples for configuring Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP-V2) authentication for 802.1X users, in pass-through and offload configurations. (For information about configuring other authentication types, see the Nortel WLAN 2300 System Software Configuration Guide.)

VLANs and Users

For each user, an attribute must be set in the local database or on a RADIUS server to assign the user to a VLAN. This is true regardless of the authentication type you use. You can use either of the following attributes to assign a user to a VLAN:

• Tunnel-Private-Group-ID—This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.