Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

351

352

353

354

355

356

357

358

359

360

About AAA for Network Users

RoamAbout Mobility System Software Configuration Guide 17-5

SSID Name “Any”

Inauthenticationrulesforwirelessaccess,youcanspecifythenameanyforthe SSID.Thisvalueis

awildcardthatmatchesonanySSIDstringrequestedbytheuser.

For802.1XandWebAAArulesthatmatchonSSIDany,MSScheckstheRADIUSserversorlocal

databaseforthe

username(andpassword,ifapplicable)enteredbytheuser.Iftheuser

informationmatches,MSSgrantsaccesstotheSSIDrequestedbytheuser,regardlessofwhich

SSIDnameitis.

ForMACauthentica tionrulesthatmatchonSSIDany,MSScheckstheRADIUSserversorlocal

databaseforthe

MACaddress(andpassword,ifapplicable)oftheuser’sdevice.Iftheaddress

matches,MSSgrantsaccesstotheSSIDrequestedbytheuser,regardlessofwhichSSIDnameitis.

However,inalast‐resortauthenticationruleforwirelessaccess,iftheSSIDnameinthe

authenticationruleisany

,MSScheckstheRADIUSserversorlocaldatabaseforusernamelast‐

resort‐any,exactlyasspelledhere.IfcheckingRADIUS,MSSalsochecksforapassword.Accessis

grantedonlyifthisusername(andpassword,ifapplicable)isfound.Otherwise,accessisdenied.

Last-Resort Processing

Whenauserwithoutausernameorpasswordrequestswirelessaccess,MSSchecksthe

configurationforalast‐resortauthenticationrulethatmatchesontheSSID.Iftheconfiguration

containstherule,MSSchecksthelocaldatabaseforusernamelast‐resort‐ssid,wheressidisthe

SSIDrequestedbythe

user.TheguestuserisgrantedaccessonlyifthedatabaseorRADIUSserver

groupcontainslast‐resort‐ssidfortheSSIDrequestedbytheuser.Otherwise,accessisdenied.

Thisprocessingofthelast‐resortusernameisdifferentfrom802.1X,MAC,orWebAAA,where

MSSchecksfortheexactusername

orMACaddress(andpassword,ifapplicable)oftheuser.MSS

doesnotappendtheSSIDtotheusername(orMACaddress)for802.1X,Web,orMAC

authentication.

User Credential Requirements

TheusercredentialsthatMSSchecksforonRADIUSserversorinthelocaldatabasediffer

dependingonthetypeofauthenticationrulethatmatchesontheSSIDorwiredaccessrequested

bytheuser.

•Forausertobesuccessfullyauthenticatedbyan802.1XorWebAAArule,theusernameand

passwordenteredbytheusermustbeconfiguredontheRADIUSserversusedbythe

authenticationruleorintheswitch’slocaldatabase,ifthelocaldatabaseisusedbytherule.

•ForausertobesuccessfullyauthenticatedbasedontheMACaddres softheuser’sdevice,the

MACaddress

mustbeconfiguredontheRADIUSserversusedbytheauthenticationruleor

intheswitch’slocaldatabase,ifthelocaldatabaseisusedbytherule.IftheMACaddressis

configuredinthelocaldatabase,nopasswordisrequired.However,sinceRADIUSrequiresa

password,iftheMACaddress

isontheRADIUSserver,MSSchecksforapassword.The

defaultwell‐knownpasswordisEnterasysbutisconfigurable.(Thesamepasswordappliesto

last‐resortusers.)

•Forausertobesuccessfullyauthenticatedforlast‐resortaccess,theRADIUSseversorlocal

database(whichevermethodisusedbythe

last‐resortauthenticationrule),mustcontaina

usernamedlast‐resort‐wired(forwiredauthenticationaccess)orlast‐resort‐ssid,wheressidis

theSSIDrequestedbytheuser.Ifthematchinglast‐resortuserisconfiguredinthelocal

database,nopasswordisrequired.However,sinceRADIUSrequiresa

password,ifthe

matchinglast‐resortuserisontheRADIUSserver,MSSchecksforapassword.