Specifications

Avoiding AAA Problems in Configuration Order
RoamAbout Mobility System Software Configuration Guide 17-61
Using the Wildcard “Any” as the SSID Name in Authentication Rules
You can configure an authentication rule to match on all SSID strings by using the SSID string any
in the rule. For example, the following rule matches on all SSID strings requested by all users:
set authentication web ssid any ** sg1
MSS checks authentication rules in the order they appear in the configuration file. As a result, if a
rule with SSID any appears in the configuration before a rule that matches on a specific SSID for
the same authentication type and user glob, the rule with any always matches first.
To ensure the authentication behavior that you expect, place the most specific rules first and place
rules with SSID any last. For example, to ensure that users who request SSID corpa are
authenticated using RADIUS server group corpasrvr, place the following rule in the configuration
before the rule with SSID any:
set authentication web ssid corpa ** corpasrvr
Example
Here is an example of a AAA configuration where the most specific rules for 802.1X are first and
the rules with any are last:
RBT-8100# show aaa
...
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
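
The ordering rule above can be checked offline against a saved configuration. The following is an added example, not part of the original guide or of MSS: it flags any specific-SSID rule that follows an SSID any rule of the same authentication type. The function names and sample configurations are constructed, and it assumes only an identical user glob or ** is treated as covering the later rule.

```python
import re

# Matches the rule form shown on this page:
#   set authentication <type> ssid <ssid> <user-glob> <methods...>
RULE = re.compile(r"^set authentication (\S+) ssid (\S+) (\S+)\s*(.*)$")

def parse_rules(config_text):
    """Return (line_no, type, ssid, glob, rest) per SSID rule, in file order."""
    rules = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = RULE.match(line.strip())
        if m:
            rules.append((no, *m.groups()))
    return rules

def shadowed_rules(config_text):
    """Return (specific_line, any_line) pairs where an earlier 'ssid any'
    rule matches first and the specific-SSID rule is never reached."""
    findings = []
    seen_any = []  # earlier 'ssid any' rules as (line_no, type, glob)
    for no, atype, ssid, glob, _ in parse_rules(config_text):
        if ssid == "any":
            seen_any.append((no, atype, glob))
            continue
        for any_no, any_type, any_glob in seen_any:
            # Assumption: only an identical glob, or '**' (all users),
            # is treated as covering the later rule's users.
            if any_type == atype and any_glob in (glob, "**"):
                findings.append((no, any_no))
                break
    return findings

# Constructed sample configurations built from the rules on this page.
BAD = """\
set authentication web ssid any ** sg1
set authentication web ssid corpa ** corpasrvr
"""
GOOD = """\
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
set authentication web ssid corpa ** corpasrvr
set authentication web ssid any ** sg1
"""

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        for specific, any_line in shadowed_rules(cfg):
            print(f"{name}: line {specific} is shadowed by 'ssid any' on line {any_line}")
```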