3Com WX2200 3CRWX220095A Switch User Manual

452 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
Authentication Rule Requirements
Bonded authentication requires an 802.1X authentication rule for the
machine itself, and a separate 802.1X authentication rule for the user(s).
Use the bonded option in the user authentication rule, but not in the
machine authentication rule.
The authentication rule for the machine must be higher up in the list of
authentication rules than the authentication rule for the user.
You must use 802.1X authentication rules. The 802.1X authentication
rule for the machine must use pass-through as the protocol. 3Com
recommends that you also use pass-through for the user authentication
rule.
The rule for the machine and the rule for the user must use a RADIUS
server group as the method. (Generally, in a bonded authentication
configuration, the RADIUS servers will use a user database stored on an
Active Directory server.)
(For a configuration example, see “Bonded Auth Configuration Example”
on page 454.)
3Com recommends that you make the rules as general as possible. For
example, if the Active Directory domain is mycorp.com, the following
userglobs match on all machine names and users in the domain:
host/*.mycorp.com (userglob for the machine authentication rule)
*.mycorp.com (userglob for the user authentication rule)
If the domain name has more nodes (for example, nl.mycorp.com), use
an asterisk in each node that you want to match globally. For example, to
match on all machines and users in subdomains of mycorp.com such as
nl.mycorp.com, use the following userglobs:
host/*.*.mycorp.com (userglob for the machine authentication rule)
*.*.mycorp.com (userglob for the user authentication rule)
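As an added illustration (not code from the manual or from 3Com) of the rule ordering requirement and of how the userglobs in this section match machine and user identities, the following Python model evaluates an ordered rule list first-match-wins and flags a machine rule placed below the bonded user rule. It assumes, since the manual does not state it verbatim, that an asterisk matches only within a single dot-separated node; the server group name and identities are constructed.

```python
import re
from dataclasses import dataclass

# Constructed model of bonded-auth rule evaluation (not 3Com code).
# Assumption: '*' in a userglob matches within one dot-separated node and
# never crosses a dot, which is why nl.mycorp.com needs "*.*.mycorp.com".
# Rules are evaluated top to bottom and the first match wins.

@dataclass(frozen=True)
class AuthRule:
    userglob: str
    server_group: str      # RADIUS server group used as the method
    bonded: bool = False   # set only on the user rule, never the machine rule

def glob_to_regex(userglob):
    """Translate a userglob to an anchored regex where '*' stops at a dot."""
    literal_parts = [re.escape(part) for part in userglob.split("*")]
    return re.compile("^" + "[^.]*".join(literal_parts) + "$")

def glob_matches(userglob, identity):
    return glob_to_regex(userglob).match(identity) is not None

def select_rule(rules, identity):
    """Return the first rule whose userglob matches the identity, else None."""
    for rule in rules:
        if glob_matches(rule.userglob, identity):
            return rule
    return None

def check_rule_order(rules):
    """Report machine (host/...) rules listed below a bonded user rule: the
    user glob captures the machine identity first and bonded auth never starts."""
    problems = []
    for index, rule in enumerate(rules):
        if rule.userglob.startswith("host/"):
            for earlier in rules[:index]:
                if earlier.bonded:
                    problems.append(f"{rule.userglob} is below bonded rule {earlier.userglob}")
    return problems

# Constructed rule lists following the manual's mycorp.com example.
CORRECT_RULES = [
    AuthRule("host/*.mycorp.com", "ad-servers"),           # machine rule first
    AuthRule("*.mycorp.com", "ad-servers", bonded=True),   # user rule second
]
MISORDERED_RULES = list(reversed(CORRECT_RULES))
```

Running `select_rule(MISORDERED_RULES, "host/laptop1.mycorp.com")` returns the bonded user rule, which is exactly the misconfiguration the ordering requirement prevents.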
Use more specific rules to direct machines and users to different server
groups. For example, to direct users in nl.mycorp.com to a different
server group than users in de.mycorp.com, use the following userglobs: