Open as PDF
434 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
Each authentication rule specifies where the user credentials are stored.
The location can be a group of RADIUS servers or the switch’s local
database. In either case, if MSS has an authentication rule that matches
on the required parameters, MSS checks the username or MAC address
of the user and, if required, the password to make sure they match the
information configured on the RADIUS servers or in the local database.
The username or MAC address can be an exact match or can match a
userglob or MAC address glob, which allow wildcards to be used for all
or part of the username or MAC address. (For more information about
globs, see “AAA Tools for Network Users” on page 441.)
MSS provides the following types of authentication:
IEEE 802.1X — If the network user’s network interface card (NIC)
supports 802.1X, MSS checks for an 802.1X authentication rule that
matches the username (and SSID, if wireless access is requested), and
that uses the Extensible Authentication Protocol (EAP) requested by
the NIC. If a matching rule is found, MSS uses the requested EAP to
check the RADIUS server group or local database for the username
and password entered by the user. If matching information is found,
MSS grants access to the user.
MAC — If the username does not match an 802.1X authentication
rule, but the MAC address of the user NIC or Voice-over-IP (VoIP)
phone and the SSID (if wireless) do match a MAC authentication rule,
MSS checks the RADIUS server group or local database for matching
user information. If the MAC address (and password, if on a RADIUS
server) matches, MSS grants access. Otherwise, MSS attempts the
fallthru authentication type, which can be Web, last-resort, or none.
(Fallthru authentication is described in more detail in “Authentication
Algorithm” on page 435.)
Web — A network user attempts to access a web page over the
network. The WX switch intercepts the HTTP or HTTPS request and
serves a login Web page to the user. The user enters the username
and password, and MSS checks the RADIUS server group or local
database for matching user information. If the username and
password match, MSS redirects the user to the web page she
requested. Otherwise, MSS denies access to the user.
Last-resort—A network user associates with an SSID or connects to a
authentication port, and does not enter a username or password.