440 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
In addition to configuring authorization attributes for users on RADIUS
servers or the WX local database, you can also configure attributes within
a service profile. These authorization attributes are applied to users
accessing the SSID managed by the service profile (in addition to any
attributes supplied by a RADIUS server or the WX local database).
Accounting
MSS also supports accounting. Accounting collects and sends
information used for billing, auditing, and reporting — for example, user
identities, connection start and stop times, the number of packets
received and sent, and the number of bytes transferred. You can track
sessions through accounting information stored locally or on a remote
RADIUS server. As network users roam throughout a Mobility Domain,
accounting records track them and their network usage.
Summary of AAA
Depending on your network configuration, you can configure
authentication, authorization, and accounting (AAA) for network users to
be performed locally on the WX switch or remotely on a RADIUS server.
The number of users that the local WX database can support depends on
AAA for network users controls and monitors their use of the network:
- Classification for customized access. As with administrative and
  console users, you can classify network users through username
  globbing. Based on the structured username, different AAA
  treatments can be given to different classes of user. For example,
  users in the human resources department can be authenticated
  differently from users in the sales department.
- Authentication for full or limited access. IEEE 802.1X network
  users are authenticated when they identify themselves with a
  credential. Authentication can be passed through to RADIUS,
  performed locally on the WX switch, or only partially “offloaded” to
  the switch. Network users without 802.1X support can be
  authenticated by the MAC addresses of their devices. If neither
  802.1X nor MAC authentication applies to the user, they can still be
  authenticated by a fallthru method, either WebAAA or last-resort
  authentication. Optionally, you can disable the fallthru option by
  setting the fallthru type to none.
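The selection order described above (802.1X, then MAC, then the fallthru type), as an added example that is not MSS code or CLI syntax. It is a simplified Python model: the rule table, the globs, the backend names, the shell-style glob matching and the first-match ordering are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule table: (access type, glob, where authentication runs).
# Globs and backend names are illustrative, not MSS syntax.
RULES = [
    ("dot1x", "*@hr.example.com", "radius"),    # HR users: passed through to RADIUS
    ("dot1x", "*@sales.example.com", "local"),  # Sales users: local WX database
    ("mac", "00:11:22:*", "local"),             # devices without 802.1X support
]

FALLTHRU_TYPES = ("web", "last-resort", "none")


def first_match(rules, access_type, value):
    """Return the backend of the first rule of this type whose glob matches."""
    for rule_type, glob, backend in rules:
        if rule_type == access_type and fnmatchcase(value, glob):
            return backend
    return None


def select_auth(rules, fallthru, username=None, mac=None):
    """Pick (method, backend) for a client, or ("deny", None).

    Order modelled: 802.1X identity, then MAC address, then fallthru.
    """
    if fallthru not in FALLTHRU_TYPES:
        raise ValueError("unknown fallthru type: %r" % fallthru)

    if username is not None:
        backend = first_match(rules, "dot1x", username)
        if backend is not None:
            return ("dot1x", backend)

    if mac is not None:
        # Normalise case so 00:11:22:AA and 00:11:22:aa match the same glob.
        backend = first_match(rules, "mac", mac.lower())
        if backend is not None:
            return ("mac", backend)

    # Neither 802.1X nor MAC authentication applied to this client.
    if fallthru == "none":
        return ("deny", None)  # fallthru disabled: unmatched clients get no access
    return (fallthru, None)


if __name__ == "__main__":
    print(select_auth(RULES, "web", username="alice@hr.example.com"))
    print(select_auth(RULES, "none", mac="66:77:88:99:AA:BB"))
```

With the fallthru type set to `none`, a client that matches no 802.1X or MAC rule is denied instead of being offered WebAAA or last-resort access.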