Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

341

342

343

344

345

346

347

348

349

350

About AAA for Network Users

17-2 Configuring AAA for Network Users

Authentication

Whenauserattemptstoaccessthenetwork,MSSchecksforanauthenticationrulethatmatches

thefollowingparameters:

•Forwirelessaccess,theauthenticationrulemustmatchtheSSIDtheuserisrequesting,and

theuser’susernameorMACaddress.

•Foraccessonawiredauthenticationport,theauthenticationrulemust

matchtheuser’s

usernameorMACaddress.

Ifamatchingruleisfound,MSSthenchecksRADIUSserversortheswitch’slocaluserdatabase

forcredentialsthatmatchthosepresentedbytheuser.Dependingonthetypeofauthentication

rulethatmatchestheSSIDorwiredauthenti cationport,therequiredcredentials

arethe username

orMACaddress,andinsomecases,apassword.

Eachauthenticationrulespecifieswheretheusercredentialsarestored.Thelocationcanbea

groupofRADIUSserversortheswitch’slocaldatabase.Ineithercase,ifMSShasan

authenticationrulethatmatchesontherequiredparameters,

MSScheckstheusernameorMAC

addressoftheuserand,ifrequired,thepasswordtomakesuretheymatchtheinformation

configuredontheRADIUSserversorinthelocaldatabase.

TheusernameorMACaddresscanbeanexactmatchorcanmatchausergloborMACaddress

glob,whichallowwildcardstobeusedforallorpartoftheusernameorMACaddress.(Formore

informationaboutglobs,see“AAAToolsforNetworkUsers”onpage 17‐8.)

Authentication Types

MSSprovidesthefollowingtypesofauthentication:

• IEEE802.1X—Ifthenetworkuser’snetworkinterfacecard(NIC)supports802.1X,MSSchecks

foran802.1Xauthenticationrulethatmatchestheusername(andSSID,ifwirelessaccessis

requested),andthatusestheExtensibleAuthenticationProtocol(EAP)requestedbytheNIC.

Ifamatching

ruleisfound,MSSusestherequestedEAPtochecktheRADIUSservergroupor

localdatabasefortheusernameandpasswordenteredbytheuser.Ifmatchinginformationis

found,MSSgrantsaccesstotheuser.

•MAC—Ifthe usernamedoesnotmatchan802.1Xauthentication rule,buttheMACaddress

of

theuser’sNICorVoice‐over‐IP(VoIP)phoneandtheSSID(ifwireless)domatchaMAC

authenticationrule,MSScheckstheRADIUSservergrouporlocaldatabaseformatchinguser

information.IftheMACaddress(andpassword,ifonaRADIUSserver)matches,MSSgrants

access.Otherwise,

MSSattemptsthefallthruauthenticationtype,whichcanbeWeb,last‐

resort,ornone.(Fallthruauthenticationisdescribedinmoredetailin“Authentication

Algorithm”onpage 17‐3.)

•Web—Anetworkuserattemptstoaccessawebpageoverthenetwork.TheRoamAbout

switchinterceptstheHTTPorHTTPSrequestandserves

aloginWebpagetotheuser.The

userenterstheusernameandpassword,andMSScheckstheRADIUSservergrouporlocal

databaseformatchinguserinformation.Iftheusernameandpasswordmatch,MSSredirects

theusertothewebpagesherequested.Otherwise,MSSdeniesaccesstotheuser.

• Last‐resort—Anetworkuserrequestsaccesstothenetwork,withoutenteringausernameor

password.MSSchecksforalast‐resortauthenticationrulefortherequestedSSID(orfor

wired,iftheuserisonawiredauthenticationport).Ifamatchingruleisfound,MSSchecks

theRADIUSserver

grouporlocaldatabaseforusernamelast‐resort‐wired(forwired

authenticationaccess)orlast‐resort‐ssid,wheressidistheSSIDrequestedbytheuser.Ifthe

userinformationisonaRADIUSserver,MSSalsochecksforapassword.