Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

351

352

353

354

355

356

357

358

359

360

About AAA for Network Users

RoamAbout Mobility System Software Configuration Guide 17-7

RegardlessofwhetheryouconfiguretheuserandattributesonRADIUSserversortheswitch’s

localdatabase,theVLANattributeisrequired.Theotherattributesareoptional.

Accounting

MSSalsosupportsaccounting.Accountingcollectsandsend sinformationusedforbilling,

auditing,andreporting—forexample,useridentities,connectionstartandstoptimes,thenumber

ofpacketsreceivedandsent,andthenumberofbytestransferred.Youcantracksessionsthrough

accountinginformationstoredlocallyoronaremoteRADIUSserver.

Asnetworkusersroam

throughoutaMobilityDomain,accountingrecordstrackthemandtheirnetworkusage.

Summary of AAA Features

Dependingonyournetworkconfiguration,youcanconfigureauthentication,authorization,and

accounting(AAA)fornetworkuserstobe performedlocallyontheRoamAboutSwitchor

remotelyonaRADIUSserver.The numberofusersthatthelocalRoamAboutSwitchdatabasecan

supportdependsonyourplatform.

AAAfornetworkuserscontrols

andmonitorstheiruseofthenetwork:

• Classificationforcustomizedaccess.Aswithadministrativeandconsoleusers,youcan

classifynetworkusersthroughusernameglobbing.Basedonthestructuredusername,

differentAAAtreatmentscanbegiventodifferentclassesofuser.Forexample,usersinthe

humanresourcesdepartmentcanbe

authenticateddifferentlyfromusersinthesales

department.

• Authenticationforfullorlimitedaccess.IEEE802.1Xnetworkusersareauthenticatedwhen

theyidentifythemselveswithacredential.AuthenticationcanbepassedthroughtoRADIUS,

performedlocallyontheRoamAboutSwitch,oronlypartially“offloaded”totheswitch.

Networkuserswithout

802.1XsupportcanbeauthenticatedbytheMACaddressesoftheir

devices.Ifneither802.1XnorMACauthenticationapplytotheuser,theycanstillbe 

authenticatedbyafallthrutype,eitherWebAAAorlast‐resortauthentication.Thedefault

fallthrutypeisNone,whichdeniesaccesstouserswhodo

notmatchan802.1XorMAC

authenticationrule.

• Authorizationforaccesscontrol.Authorizationprovidesaccesscontrolbymeansofsuch

mechanismsasper‐usersecurityaccesscontrollists(ACLs),VLANmembership,Mobility

Domainassignment,andtimeoutenforcement.Becauseauthorization isalwaysperformedon

networkaccessuserssotheycanusea

particularVLAN,theRoamAboutSwitch

automaticallyusesthesameAAAmethod(RAD IUSservergrouporlocaldatabase)for

authorizationthatyoudefineforauser’sauthentication.

• Localauthorizationcontrol.YoucanoverrideanyAAAassignmentofVLANorsecurityACL

forindividualnetworkusersonaparticularRoamAboutSwitchby

configuringthelocation

policyontheRoamAboutSwitch.

• Accountingfortrackingusersandresources.Accountingcollectsandsendsinformation

usedforbilling,auditing,andreporting—forexample,useridentities,connectionstartand

stoptimes,thenumberofpacketsreceivedandsent,andthenumberofbytestransferred.You

cantracksessionsthrough

accountinginformationstoredlocallyoronaremoteRADIUS

server.AsnetworkusersroamthroughoutaMobilityDomain,accountingrecordstrackthem

andtheirnetworkusage.