Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

401

402

403

404

405

406

407

408

409

410

Avoiding AAA Problems in Configuration Order

17-62 Configuring AAA for Network Users

Using Authentication and Accounting Rules Together

Whenyouuseaccountingcommandswithauthenticationcommandsandidentifyuserswithuser

globs,MSSmightnotprocessthecommandsintheorderyouenteredthem.Asaresult,user

authenticationoraccountingmightnotproceedasyouintend,orvalidusersmightfail

authenticationandbeshutoutofthe

network.

Youcanpreventtheseproblemsbyusingduplicateuserglobsforauthenticationandaccounting

andenteringthecommandsinpairs.

Configuration Producing an Incorrect Processing Order

Forexample,supposeyouinitiallysetupstart‐stopaccountingasfollowsforall802.1X usersvia

RADIUSservergroup 1:

RBT-8100# set accounting dot1x ssid mycorp * start-stop group1

success: change accepted.

YouthensetupPEAP‐MS‐CHAP‐V2authenticationandauthorizationforallusersatEXAMPLE/

atservergroup 1.Finally,yousetupPEAP‐MS‐CHAP‐V2authenticationandauthorizationforall

usersinthelocalRoamAboutSwitchdatabase,withtheintentionthatEXAMPLEusersaretobe

processedfirst:

RBT-8100# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1

success: change accepted.

RBT-8100# set authentication dot1x ssid mycorp * peap-mschapv2 local

success: change accepted.

Thefollowingconfigurationorderresults.Theauthenticationcommandsarereversed,andMSS

processestheauthenticationofall802.1Xusersinthelocaldatabaseand ignoresthecommandfor

EXAMPLE/users.

RBT-8100# show aaa

...

set accounting dot1x ssid mycorp * start-stop group1

set authentication dot1x ssid mycorp * peap-mschapv2 local

set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1

Configuration for a Correct Processing Order

Toavoidprocessingerrorsforauthenticationandaccountingcommandsthatincludeorder‐

sensitiveuserglobs,enterthecommandsforeachuserglobinpairs.

Example

Forexample,tosetaccountingandauthoriz ationfor802.1Xusersasyouintendedin

“ConfigurationProducingan IncorrectProcessingOrder”onpage 17‐62,enteranaccountingand

authenticationcommandforeachuserglobintheorderinwhichyouwantthemprocessed:

RBT-8100# set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1

success: change accepted.

RBT-8100# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1

success: change accepted.

RBT-8100# set accounting dot1x ssid mycorp * start-stop group1