DWS-1008 User’s Manual
D-Link Systems, Inc.
Conguring AAA for Network Users
Avoiding AAA Problems in Conguration Order
Using the Wildcard “Any” as the SSID Name in Authentication Rules
You can congure an authentication rule to match on all SSID strings by using the SSID string
any in the rule. For example, the following rule matches on all SSID strings requested by all
users:
set authentication dot1x ssid any ** sg1
MSS checks authentication rules in the order they appear in the configuration file and uses the
first rule that matches. As a result, if a rule with SSID any appears in the configuration before
a rule that matches on a specific SSID for the same authentication type and user glob, the rule
with any always matches first and the more specific rule is never used.
To get the authentication behavior that you expect, place the most specific rules first
and place rules with SSID any last. For example, to ensure that users who request SSID
corpa are authenticated using RADIUS server group corpasrvr, place the following rule in the
configuration before the rule with SSID any:
set authentication dot1x ssid corpa ** corpasrvr
Here is an example of an AAA configuration where the most-specific rules for 802.1X are first
and the rules with SSID any are last:
DWS-1008# show aaa
...
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
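The following is an added example, not code from the manual or from MSS itself. It models the first-match rule evaluation described above in Python: it parses `set authentication ... ssid ...` lines in configuration order, reports which rule a given SSID and username would hit, and flags any rule that can never match because an earlier rule with SSID any (or the same SSID) and an equally broad user glob precedes it. The user-glob semantics are an assumption for the purpose of the example: `**` matches any username, `*` matches any run of characters that contains no `.` or `@`, and everything else matches literally. The two configurations are constructed for the example; `corpasrvr`, `sg1` and the other names come from the text above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate an MSS-style user glob into a regex.

    Assumed semantics (not stated on this page): '**' matches any string,
    '*' matches any run of characters with no '.' or '@', and every other
    character matches itself.
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append(r"[^.@]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


@dataclass
class AuthRule:
    line_no: int
    auth_type: str   # e.g. dot1x
    ssid: str        # 'any' or a specific SSID
    userglob: str
    method: str      # rest of the line: EAP method and/or server groups


def parse_rules(config: str) -> list[AuthRule]:
    """Collect 'set authentication <type> ssid <ssid> <userglob> ...' lines in file order."""
    rules = []
    for n, raw in enumerate(config.splitlines(), 1):
        p = raw.split()
        if len(p) >= 6 and p[:2] == ["set", "authentication"] and p[3] == "ssid":
            rules.append(AuthRule(n, p[2], p[4], p[5], " ".join(p[6:])))
    return rules


def first_match(rules: list[AuthRule], ssid: str, username: str) -> AuthRule | None:
    """First rule in configuration order whose SSID and user glob both match."""
    for r in rules:
        if r.ssid != "any" and r.ssid != ssid:
            continue
        if glob_to_regex(r.userglob).match(username):
            return r
    return None


def glob_covers(broad: str, narrow: str) -> bool:
    """Heuristic: does every username matched by `narrow` also match `broad`?

    Exact for '**' and for identical globs; otherwise tests a representative
    username built from `narrow` (wildcards replaced by sample characters).
    """
    if broad == "**" or broad == narrow:
        return True
    sample = narrow.replace("**", "u.x@y").replace("*", "u")
    return glob_to_regex(broad).match(sample) is not None


def shadowed_rules(rules: list[AuthRule]) -> list[tuple[int, int]]:
    """Return (shadowed_line, shadowing_line) pairs: a later rule is shadowed when an
    earlier rule of the same auth type covers its SSID and its user glob."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            ssid_covered = earlier.ssid == "any" or earlier.ssid == later.ssid
            if (earlier.auth_type == later.auth_type and ssid_covered
                    and glob_covers(earlier.userglob, later.userglob)):
                findings.append((later.line_no, earlier.line_no))
                break
    return findings


# Constructed configurations for the example (not captured from a DWS-1008).
BAD_ORDER = """\
set authentication dot1x ssid any ** sg1
set authentication dot1x ssid corpa ** corpasrvr
"""

GOOD_ORDER = """\
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid corpa ** corpasrvr
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
"""

if __name__ == "__main__":
    for label, cfg in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        rules = parse_rules(cfg)
        hit = first_match(rules, "corpa", "alice")
        print(f"{label}: corpa/alice -> line {hit.line_no}: {hit.method}")
        print(f"{label}: shadowed rules: {shadowed_rules(rules)}")
```

With the any rule first, a user requesting corpa is sent to sg1 and the corpasrvr rule is reported as shadowed by line 1; with the specific rules first, the same user reaches corpasrvr and nothing is shadowed. The checker also shows why `*` and `**` are not interchangeable under the assumed semantics: on SSID mycorp, `bob` matches the `*` rule, but `bob@example.com` falls through to the final any `**` rule.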
Using Authentication and Accounting Rules Together
When you use accounting commands with authentication commands and identify users with
user globs, MSS might not process the commands in the order you entered them. As a result,
user authentication or accounting might not proceed as you intend, or valid users might fail
authentication and be shut out of the network.
You can prevent these problems by using identical user globs in the authentication and
accounting rules and entering the commands in pairs.
Conguration Producing an Incorrect Processing Order
For example, suppose you initially set up start-stop accounting as follows for all 802.1X
users on SSID mycorp via RADIUS server group group1:
DWS-1008# set accounting dot1x ssid mycorp * start-stop group1
success: change accepted.