Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

381

382

383

384

385

386

387

388

389

390

Configuring Last-Resort Access

17-36 Configuring AAA for Network Users

Configuring Last-Resort Access

Userswhoarenotauthenticatedandauthorizedby802.1XmethodsoraMACaddresscangain

limitedaccesstothenetworkasguestusers.Youcanoptionallyconfigureaspecialusername

calledlast‐resort‐wired(forwiredauthenticationaccess)orlast‐resort‐ssid,wheressidistheSSID

requestedby

theuser.TomatchonthewildcardSSIDnameany,configureuserlast‐resort‐any,

exactlyasspelledhere.

Toconfigurealast‐resortauthenticationrule,usethefollowingcommand:

set authentication last-resort {ssid ssid-name | wired}

method1 [method2] [method3] [method4]

Examples

ToenablewirelessuserswhorequestSSIDguestssidtojointhenetworkonVLANk3,typethe

followingcommands:

RBT-8100# set authentication last-resort ssid guestssid local

success: change accepted

RBT-8100# set user last-resort-guestssid attr vlan-name k3

success: change accepted

Last‐resortusersconfiguredonaRADIUSserverrequireapassword.Specifytheauthorization

password(nopasswordbydefault.)Tochangethepassword,see“ChangingtheMAC

AuthorizationPasswordforRADIUS”onpage 17‐21.Thisprocedurealsoappliesforlast‐resort

users.

Toensurethatyourcommandsareconfigured,typethe

followingcommand:

RBT-8100# show aaa

...

set authentication last-resort ssid guestssid local

...

user last-resort-guestssid

vlan-name = k3

Note: Although MSS allows you to configure a user password for a last-resort user, the password

has no effect. Last-resort users can never access a RoamAbout Switch in administrative mode and

never require a password when authorized locally. However, if the last-resort user is authorized on a

RADIUS server, the server might require a password. In this case, use the authorization password

set on the RoamAbout switch, which is nopasswordby default.

Note: The fallthru authentication type must be set to last-resort. Otherwise, last-resort access is

disabled. The default fallthru authentication type for wireless access to an SSID is web. The default

for wired authentication access is none. (To change the fallthru authentication type for an SSID, see

“Changing the Fallthru Authentication Type” on page 9-40. To change it for a wired authentication

port, see “Setting a Port for a Wired Authentication User” on page 4-3.