438 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
For a user to be successfully authenticated based on the MAC address
of the user device, the MAC address must be configured on the
RADIUS servers used by the authentication rule or in the WX local
database, if the local database is used by the rule. If the MAC address
is configured in the local database, no password is required. However,
since RADIUS requires a password, if the MAC address is on the
RADIUS server, MSS checks for a password. By default, MSS assumes
that the MAC address for a MAC user is also the password.

For a user to be successfully authenticated for last-resort access on a
wired authentication port, the RADIUS servers or local database must
contain a user named last-resort-wired. If the last-resort-wired user is
configured in the local database, no password is required. However,
since RADIUS requires a password, if the last-resort-wired user is on
the RADIUS server, MSS checks for a password. The default
well-known password is 3Com but is configurable. (The same
password applies to MAC users.)

Last-resort access to an SSID does not require a special user (such as
last-resort-ssid) to be configured. Instead, if the fallthru authentication
type on the SSID’s service profile is set to last-resort, and the SSID
does not have any 802.1X or MAC access rules, a user can access the
SSID without entering a username or password.
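
An added example, not part of the 3Com manual: an inventory of RADIUS entries whose password is predictable under the defaults described above, meaning a MAC user whose password is its own MAC address, or a MAC or last-resort-wired user still on the well-known default. The FreeRADIUS-style `users` file layout, the accepted MAC username formats and every sample entry are assumptions constructed for illustration.

```python
import re

# Values taken from the page: the well-known default password and the
# special user required for last-resort access on wired authentication ports.
DEFAULT_PASSWORD = "3Com"
LAST_RESORT_WIRED = "last-resort-wired"

# Assumption: MAC users are named by 12 hex digits, optionally separated
# by ':', '-' or '.' (the page does not state the username format).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:.-]?){5}[0-9A-Fa-f]{2}$")
# Assumption: FreeRADIUS-style check line, e.g. name Cleartext-Password := "x"
ENTRY_RE = re.compile(r'^(?P<user>\S+)\s+Cleartext-Password\s*:=\s*"(?P<pw>[^"]*)"')

# Constructed sample input, not taken from a real server.
SAMPLE = '''\
# constructed sample
00:0b:0e:11:22:33  Cleartext-Password := "00:0b:0e:11:22:33"
00-0B-0E-44-55-66  Cleartext-Password := "3Com"
000b0e778899       Cleartext-Password := "Xq7-constructed"
last-resort-wired  Cleartext-Password := "3Com"
alice              Cleartext-Password := "constructed-pw"
'''

def normalize_mac(value):
    """Reduce a MAC-like string to lowercase hex digits only."""
    return re.sub(r"[^0-9a-f]", "", value.lower())

def audit(users_text):
    """Return (line, user, kind, reason) for MAC and last-resort-wired users."""
    findings = []
    for lineno, line in enumerate(users_text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # comments, blank lines, indented reply attributes
        user, pw = m["user"], m["pw"]
        is_mac = bool(MAC_RE.match(user))
        if not is_mac and user != LAST_RESORT_WIRED:
            continue  # ordinary user, outside the scope of this check
        if pw == DEFAULT_PASSWORD:
            reason = "well-known default password"
        elif is_mac and normalize_mac(pw) == normalize_mac(user):
            reason = "password is the MAC address"
        else:
            reason = "custom password"
        findings.append((lineno, user, "mac" if is_mac else "last-resort", reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
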

Authorization

If the user is authenticated, MSS then checks the RADIUS server or local
database (the same place MSS looked for user information to
authenticate the user) for the authorization attributes assigned to the
user. Authorization attributes specify the network resources the user can
The only required attribute is the Virtual LAN (VLAN) name on which to
place the user. RADIUS and MSS have additional optional attributes. For
example, you can provide further access controls by specifying the times
during which the user can access the network, you can apply inbound
and outbound access control lists (ACLs) to the user traffic, and so on.
To assign attributes on the RADIUS server, use the standard RADIUS
attributes supported on the server. To assign attributes in the WX
switch’s local database, use the MSS vendor-specific attributes (VSAs).
The RADIUS attributes supported by MSS are described in Appendix C,
“Supported RADIUS Attributes” on page 651.