Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

351

352

353

354

355

356

357

358

359

360

About AAA for Network Users

17-6 Configuring AAA for Network Users

Thedefaultwell‐knownpasswordisEnterasysbutisconfigurable.(Thesamepassword

appliestoMACusers.)

Ifthelast‐resortauthenticationrulematchesonSSIDany,whichisawildcardthatmatcheson

anySSIDstring,theRADIUSserversorlocaldatabasemusthaveuserlast‐resort‐any,exactly

as

spelledhere.

Authorization

Iftheuserisauthenticated,MSSthencheckstheRADIUSserverorlocaldatabase(thesameplace

MSSlookedforuserinformationtoauthenticatetheuser)fortheauthorizationattributesassigned

totheuser.Authorizationattributesspecifythenetworkresourcestheusercanaccess.

TheonlyrequiredattributeistheVirtual

LAN(VLAN)nameonwhichtoplacetheuser.RADIUS

andMSShaveadditionaloptionalattributes.Forexample,youcanprovidefurtheraccesscontrols

byspecifyingthetimesduringwhichtheusercanaccessthenetwork,youcanapplyinbound and

outboundaccesscontrollists(ACLs)totheuser’straffic,

andsoon.

ToassignattributesontheRADIUSserver,usethestandardRADIUSattributessupportedonthe

server.ToassignattributesintheRoamAboutswit ch’slocaldatabase,usetheMSSvendor‐specif ic

attributes(VSAs).

TheRADIUSattributessupportedbyMSSaredescribedinAppendix C,SupportedRADIUS

Attributes.

MSSprovidesthe

followingVSAs,whichyoucanassigntousersconfiguredinthelocaldatabase

oronaRADIUSserver:

•Encryption‐Type—Specifies thetypeofencryptionrequiredforaccessbytheclient.Clients

whoattempttouseanunauthorizedencryptionmethodarerejected.

•End‐Date—Dateandtimeafterwhichtheuserisno

longerallowedtobeonthenetwork.

• Mobility‐Profile—Controls theRoa mAboutswitchportsausercanaccess.Forwirelessusers,

anMSSMobilityProfilespecifiestheAPsthroughwhichtheusercanaccessthenetwork.For

wiredauthenticationusers,theMobilityProfilespecifiesthewiredauthenticationports

throughwhichtheuser

canaccessthenetwork.

• SSID—SSIDtheuserisallowe d toaccessafterauthentication.

•Start‐Date—Dateand timeatwhichtheuserbecomeseligibletoaccessthenetwork.MSSdoes

notauthenticatetheuserunlesstheattempttoaccessthenetworkoccursatorafterthe

specifieddateandtime,butbefore

theend‐date(ifspecified).

•Time‐of‐Day—Day(s)andtime(s)duringwhichtheuserispermittedtologintothenetwork.

•URL—URLtowhichtheuserisredirectedaftersuccessfulWebAAA.

•VLAN‐Name—VLANtoplacetheuseron.

YoualsocanassignthefollowingRADIUSattributestousersconfiguredinthelocal

database.

•Filter‐Id—SecurityACLthatpermitsordeniestrafficreceived(input)orsent(output)the

RoamAboutSwitch.

•Service‐Type—Typeofaccesstheuserisrequesting,whichcanbenetworkaccess,

administrativeaccesstotheenabled(configuration)modeoftheMSSCLI,oradministrative

accesstothenonenabledmodeoftheCLI

•Session‐Timeout—Maximumnumberofsecondsallowedfortheuser’ssession.