3Com WX2200 3CRWX220095A Switch User Manual

Avoiding AAA Problems

This section describes some common AAA configuration issues on the WX switch and how to avoid them.
Using the Wildcard “Any” as the SSID Name in Authentication Rules

You can configure an authentication rule to match on all SSID strings by using the SSID string any in the rule. For example, the following rule matches on all SSID strings requested by all users:
set authentication web ssid any ** sg1
MSS checks authentication rules in the order they appear in the configuration file and applies the first rule that matches. As a result, if a rule with SSID any appears in the configuration before a rule that matches on a specific SSID for the same authentication type and userglob, the rule with any always matches first and the more specific rule is never reached.

To ensure the authentication behavior that you expect, place the most specific rules first and place rules with SSID any last. For example, to ensure that users who request SSID corpa are authenticated using RADIUS server group corpasrvr, place the following rule in the configuration before the rule with SSID any:
set authentication web ssid corpa ** corpasrvr
Here is an example of a AAA configuration where the most-specific rules for 802.1X and WebAAA are first and the rules with any are last:
WX1200# display aaa
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
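The following Python script is an added illustration, not code from the 3Com manual or from MSS itself. It parses the authentication commands shown above into rules, evaluates them first-match in configuration order, and reports rules that an earlier SSID any rule makes unreachable. The user-glob semantics it uses are a simplified assumption: ** matches every username, and * matches any run of characters that contains no @ or . delimiter. The shadowing check is a heuristic added here, not an MSS feature.

```python
"""Added illustration (not MSS code and not from the 3Com manual): a
first-match resolver for 'set authentication <type> ssid ...' rules that
shows how configuration order decides which rule is applied.

Assumptions: MSS evaluates rules in configuration order and stops at the
first match; '**' matches every username; '*' matches any run of
characters without an '@' or '.' delimiter (a simplified glob model)."""

from dataclasses import dataclass
import re


@dataclass
class AuthRule:
    auth_type: str        # "dot1x", "web", ...
    ssid: str             # SSID name, or "any" for the wildcard
    userglob: str         # "**", "*", "Geetha", ...
    method: list          # remaining tokens: protocol and/or server groups
    text: str             # original command line, kept for reporting


def parse_rule(line: str) -> AuthRule:
    """Parse one 'set authentication <type> ssid <ssid> <userglob> <method...>' line."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[:2] != ["set", "authentication"] or tokens[3] != "ssid":
        raise ValueError(f"not an SSID authentication rule: {line!r}")
    return AuthRule(tokens[2], tokens[4], tokens[5], tokens[6:], line)


def glob_to_regex(userglob: str) -> re.Pattern:
    """Assumed glob semantics: '**' is match-all; '*' stops at '@' or '.'."""
    if userglob == "**":
        return re.compile(r".*\Z", re.S)
    pattern = "".join(r"[^@.]*" if ch == "*" else re.escape(ch) for ch in userglob)
    return re.compile(pattern + r"\Z")


def first_match(rules, auth_type, ssid, username):
    """Return the first rule (in configuration order) that matches, or None."""
    for rule in rules:
        if rule.auth_type != auth_type:
            continue
        if rule.ssid != "any" and rule.ssid != ssid:
            continue
        if glob_to_regex(rule.userglob).match(username) is None:
            continue
        return rule
    return None


def shadowed_rules(rules):
    """Heuristic ordering check (added here): report rules that can never be
    reached because an earlier rule of the same authentication type uses SSID
    'any' together with '**' or with the same user glob."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.auth_type == later.auth_type and earlier.ssid == "any"
                    and earlier.userglob in ("**", later.userglob)):
                shadowed.append((later, earlier))
                break
    return shadowed


def resolve(rules, auth_type, ssid, username):
    """Method tokens of the matching rule, or None when no rule matches."""
    rule = first_match(rules, auth_type, ssid, username)
    return rule.method if rule else None


# Constructed configurations built from the commands shown in this section.
WRONG_ORDER = [parse_rule(l) for l in [
    "set authentication web ssid any ** sg1",
    "set authentication web ssid corpa ** corpasrvr",
]]
RIGHT_ORDER = list(reversed(WRONG_ORDER))
DOT1X_RULES = [parse_rule(l) for l in [
    "set authentication dot1x ssid mycorp Geetha eap-tls",
    "set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3",
    "set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3",
]]

if __name__ == "__main__":
    print("corpa user, any-rule first :", resolve(WRONG_ORDER, "web", "corpa", "alice"))
    print("corpa user, specific first :", resolve(RIGHT_ORDER, "web", "corpa", "alice"))
    for later, earlier in shadowed_rules(WRONG_ORDER):
        print(f"unreachable: {later.text!r} is shadowed by {earlier.text!r}")
    print("Geetha on mycorp           :", resolve(DOT1X_RULES, "dot1x", "mycorp", "Geetha"))
    print("other user on mycorp       :", resolve(DOT1X_RULES, "dot1x", "mycorp", "bob"))
    print("user on another SSID       :", resolve(DOT1X_RULES, "dot1x", "guest", "bob"))
```

With the any rule first, a corpa user is sent to sg1 and the corpasrvr rule is reported as unreachable; with the specific rule first, the same user reaches corpasrvr and only requests for other SSIDs fall through to the any rule. Running the check over a candidate configuration before committing it is a cheap way to catch the ordering mistake this section warns about.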
Using Authentication and Accounting Rules

When you use accounting commands with authentication commands and identify users with user globs, MSS might not process the commands in the order you entered them. As a result, user authentication or accounting might not proceed as you intend, or valid users might fail authentication and be shut out of the network.

You can prevent these problems by using duplicate user globs for authentication and accounting and entering the commands in pairs.