3Com WX2200 3CRWX220095A Switch User Manual

Configuring 802.1X Authentication 451
Binding User
Authentication to
Bonded Auth™ (bonded authentication) is a security feature that binds
an 802.1X user authentication to authentication of the machine from
which the user is attempting to log on. When this feature is enabled, MSS
authenticates the user only if the machine the user is on has already been
By default, MSS does not bind user authentication to machine
authentication. A trusted user can log on from any machine attached to
the network.
You can use bonded authentication with Microsoft Windows clients that
support separate 802.1X authentication for the machine itself and for a
user who uses the machine to log on to the network.
Network administrators sometimes use machine authentication in a
Microsoft Active Directory domain to run login scripts, and to control
defaults, application access and updates, and so on. Bonded
authentication provides an added security measure, by ensuring that a
trusted user can log onto the network only from a trusted machine
known to Active Directory.
For example, if user bob.mycorp.com has a trusted laptop PC used for
work but also has a personal laptop PC, you might want to bind Bob’s
authentication with the authentication of his workplace laptop,
host/bob-laptop.mycorp.com. In this case, Bob can log on to the
company network only from his work laptop.
When bonded authentication is enabled, MSS retains information about
the machine session when a user logs on from that machine. MSS
authenticates the user only if there has already been a successful machine
authentication. Evidence of the machine session in MSS indicates that the
machine has successfully authenticated and is therefore trusted by MSS.
If MSS does not have session information for the machine, MSS refuses to
authenticate the user and does not allow the user onto the network from
the unauthenticated machine.
If the 802.1X reauthentication parameter or the RADIUS Session-Timeout
parameter is applicable, the user must log in before the 802.1X
reauthentication timeout or the RADIUS session-timeout for the
machine’s session expires. Normally, these parameters apply only to
clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption
with WPA or RSN.