Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

351

352

353

354

355

356

357

358

359

360

AAA Tools for Network Users

17-8 Configuring AAA for Network Users

AAA Tools for Network Users

Authenticationverifiesnetworkuseridentityandisrequiredbeforeanetworkuserisgranted

accesstothenetwork.ARoamAboutSwitchauthenticatesuseridentitybyusername‐password

matching,digitalsignaturesandcertificates,orothermethods(forexample,byMACaddress).

Youmustdecidewhethertoauthentica tenetworkuserslocallyonthe

RoamAboutSwitch,

remotelyviaoneormoreexternalRADIUSservergroups,orbothlocallyandremotely.(For

servergroupdetails,see“ConfiguringRADIUSServerGroups”onpage 18‐6.)

“Globs” and Groups for Network User Classification

“Globbing”letsyouclassifyusersbyusernameorMACaddressfordifferentAAAtreatments.A

userglobisastringusedbyAAAandIEEE802.1XorWebAAAmethodstomatchauserorsetof

users.MACaddressglobsmatchauthenticationmethodstoaMACaddressorsetofMAC



addresses.UserglobsandMACaddressglobscanmakeuseofwildcards.Fordetails,see“User

Globs,MACAddressGlobs,andVLANGlobs”onpage 1‐4.

AusergroupisanamedcollectionofusersorMACaddressessharingacommonauthorization

policy.Forexample,youmightgroupallusers

onthefirstfloorofbuilding 17intothegroupbldg‐

17‐1st‐floor,orgroupallusersintheITgroupintothegroupinfotech‐people.

Wildcard “Any” for SSID Matching

AuthenticationrulesforwirelessaccessincludetheSSIDname,andmustmatchontheSSIDname

requestedbytheuserforMSStoattempttoauthenticatethe userforthatSSID.Tomakean

authenticationrulematchananySSIDstring,specifytheSSIDnameasanyintherule.

AAA Methods for IEEE 802.1X and Web Network Access

ThefollowingAAAmethodsaresupportedbyEnterasys Networksfor802.1XandWebnetwork

accessmode:

•Clientcertificatesissuedbyacertificateauthority(CA)forauthentication.

(Forthismethod,youassignanauthenticationprotocoltoauser.Forprotocoldetails,see

“IEEE802.1XExtensibleAuthenticationProtocolTypes”onpage 17‐11.)

•TheRoamAbout

switch’slocaldatabaseofusernamesandusergroupsforauthentication.

(Forconfigurationdetails,see“AddingandClearingLocalUsersforAdministrativeAccess ”

onpage 3‐8,“AuthenticatingviaaLocalDatabase”onpage 17‐14,and“AddingandClearing

MACUsersandUserGroupsLocally”onpage 17‐19.)

•Anamed

groupofRADIUSservers.TheRoamAboutSwitchsupportsuptofourserver

groups,whichcaneachcontainbetweenoneandfourservers.

(Forservergroupdetails,see“ConfiguringRADIUSServerGroups”onpage 18‐6.)

YoucanusethelocaldatabaseorRADIUSserversforMACandlast‐resortaccessas

well.Ifyou

useRADIUSservers,makesureyouconfigurethepasswordfortheMACaddressorlast‐resort

userasnopassword.(Thisisthedefaultauthorizationpassword.Tochangeit,see“Changingthe

MACAuthorizationPasswordforRADIUS”onpage 17‐21.)