DWS-1008 User’s Manual
D-Link Systems, Inc.
Conguring AAA for Network Users
Last-resort is described in Authentication Types. None means the user is automatically
denied access. The fallthru authentication type for wireless access is associated with the
SSID (through a service profile). The fallthru authentication type for wired authentication
access is specified with the wired authentication port.
Note: The fallthru authentication type None is different from the authentication method none
you can specify for administrative access. The fallthru authentication type None denies
access to a network user. In contrast, the authentication method none allows access to the
switch by an administrator.
SSID Name “Any”
In authentication rules for wireless access, you can specify the name any for the SSID. This
value is a wildcard that matches on any SSID string requested by the user.
For 802.1X rules that match on SSID any, MSS checks the RADIUS servers or local database
for the username (and password, if applicable) entered by the user. If the user information
matches, MSS grants access to the SSID requested by the user, regardless of which SSID
name it is.
For MAC authentication rules that match on SSID any, MSS checks the RADIUS servers or
local database for the MAC address (and password, if applicable) of the user's device. If the
address matches, MSS grants access to the SSID requested by the user, regardless of which
SSID name it is.
However, in a last-resort authentication rule for wireless access, if the SSID name in the
authentication rule is any, MSS checks the RADIUS servers or local database for username
last-resort-any, exactly as spelled here. If checking RADIUS, MSS also checks for a password.
Access is granted only if this username (and password, if applicable) is found. Otherwise,
access is denied.
Last-Resort Processing
When a user without a username or password requests wireless access, MSS checks the
conguration for a last-resort authentication rule that matches on the SSID. If the conguration
contains the rule, MSS checks the local database for username last-resort-ssid, where ssid is
the SSID requested by the user. The guest user is granted access only if the database
or RADIUS server group contains last-resort-ssid for the SSID requested by the user.
Otherwise, access is denied.
This processing of the last-resort username is different from 802.1X or MAC, where MSS
checks for the exact username or MAC address (and password, if applicable) of the user.
MSS does not append the SSID to the username (or MAC address) for 802.1X or MAC
authentication.
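The following added example (not part of the manual and not MSS code) models the lookup-name rules described above and uses them to audit which SSIDs a credential-less guest can join. The Rule class, function names and sample data are hypothetical; it assumes a local user database only (no RADIUS password check) and that any matching last-resort rule with a present account admits the guest.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str  # "dot1x", "mac" or "last-resort"
    ssid: str  # SSID the rule matches on, or the wildcard "any"

def lookup_name(rule, requested_ssid, identity=None):
    """Name checked in the user database, or None if the rule does not match."""
    if rule.ssid not in ("any", requested_ssid):
        return None
    if rule.kind == "last-resort":
        # Rule SSID "any" uses the literal name last-resort-any;
        # otherwise the requested SSID is appended.
        return "last-resort-" + ("any" if rule.ssid == "any" else requested_ssid)
    # 802.1X and MAC rules: exact username or MAC address, SSID never appended.
    return identity

def guest_exposure(rules, users, ssids):
    """Map each SSID to the last-resort account that admits a guest, or None."""
    result = {}
    for ssid in ssids:
        result[ssid] = None
        for rule in rules:
            if rule.kind != "last-resort":
                continue
            name = lookup_name(rule, ssid)
            if name in users:
                result[ssid] = name
                break
    return result

def dead_last_resort_rules(rules, users, ssids):
    """Last-resort rules that cannot admit anyone on the listed SSIDs."""
    return [r for r in rules if r.kind == "last-resort"
            and not any(lookup_name(r, s) in users for s in ssids)]

# Constructed sample configuration (assumption, not taken from a real switch).
RULES = [Rule("last-resort", "guest"), Rule("last-resort", "any"), Rule("dot1x", "corp")]
USERS = {"last-resort-guest", "alice"}
SSIDS = ["guest", "corp"]

if __name__ == "__main__":
    print(guest_exposure(RULES, USERS, SSIDS))
    print(dead_last_resort_rules(RULES, USERS, SSIDS))
```

Adding the account last-resort-any to the sample database makes every listed SSID, including corp, reachable without credentials, which is the case worth checking for when reviewing a configuration.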
User Credential Requirements
The user credentials that MSS checks for on RADIUS servers or in the local database differ
depending on the type of authentication rule that matches on the SSID or wired access
requested by the user.