Nortel Networks 2300 Switch User Manual
488 Configuring AAA for network users
NN47250-500 (320657-F Version 02.01)
Nortel recommends that you make the rules as general as possible. For example, if the Active Directory
domain is mycorp.com, the following userglobs match on all machine names and users in the domain:
host/*.mycorp.com (userglob for the machine authentication rule)
*.mycorp.com (userglob for the user authentication rule)
If the names have more nodes (for example, nl.mycorp.com), use an asterisk for each node that you want to match globally, because a single asterisk covers only one node. For example, to match all machines and users in any subdomain one level below mycorp.com, such as nl.mycorp.com or de.mycorp.com, use the following userglobs:
host/*.*.mycorp.com (userglob for the machine authentication rule)
*.*.mycorp.com (userglob for the user authentication rule)
Use more specific rules to direct machines and users to different server groups. For example, to direct users in
nl.mycorp.com to a different server group than users in de.mycorp.com, use the following userglobs:
host/*.nl.mycorp.com (userglob for the machine authentication rule)
*.nl.mycorp.com (userglob for the user authentication rule)
host/*.de.mycorp.com (userglob for the machine authentication rule)
*.de.mycorp.com (userglob for the user authentication rule)
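The following added example models how the userglobs above select a server group; it is illustrative code, not WSS Software or any Nortel code. It assumes, as the manual's need for *.*.mycorp.com implies, that an asterisk matches any run of characters within a single node (it does not cross a period), and that rules are checked in the order listed with the first match winning, so specific rules must precede general ones. The rule tables and identities (host/pc7.nl.mycorp.com, anna.de.mycorp.com) are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# A rule is (userglob, server-group). Ordered: first match wins (assumption).
Rule = Tuple[str, str]


def userglob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a userglob into an anchored regular expression.

    Assumption inferred from the manual: '*' matches any characters except the
    node delimiter '.', so one asterisk covers exactly one node of the name.
    """
    literal_parts = glob.split("*")
    return re.compile("^" + "[^.]*".join(re.escape(p) for p in literal_parts) + "$")


def matches(glob: str, identity: str) -> bool:
    """True if the authentication identity is covered by the userglob."""
    return userglob_to_regex(glob).match(identity) is not None


def first_match(identity: str, rules: List[Rule]) -> Optional[Rule]:
    """Return the first rule whose userglob matches, or None if no rule does.

    None means the identity falls through every rule and is not directed to
    any server group at all, which is the failure mode to check for when
    tightening globs.
    """
    for rule in rules:
        if matches(rule[0], identity):
            return rule
    return None


# Constructed rule table in the recommended order: specific before general.
RULES: List[Rule] = [
    ("host/*.nl.mycorp.com", "nl-radius"),   # machine rule, nl.mycorp.com
    ("*.nl.mycorp.com", "nl-radius"),        # user rule, nl.mycorp.com
    ("host/*.de.mycorp.com", "de-radius"),   # machine rule, de.mycorp.com
    ("*.de.mycorp.com", "de-radius"),        # user rule, de.mycorp.com
    ("host/*.mycorp.com", "hq-radius"),      # machine rule, top-level domain
    ("*.mycorp.com", "hq-radius"),           # user rule, top-level domain
]

# Constructed mis-ordered table: the general two-node glob shadows the nl rule.
MISORDERED: List[Rule] = [
    ("*.*.mycorp.com", "hq-radius"),
    ("*.nl.mycorp.com", "nl-radius"),
]

if __name__ == "__main__":
    for identity in ("host/pc7.nl.mycorp.com", "anna.de.mycorp.com",
                     "bob.mycorp.com", "host/pc1.nl.mycorp.com"):
        print(identity, "->", first_match(identity, RULES))
    # One asterisk does not reach a deeper subdomain:
    print(matches("*.mycorp.com", "anna.nl.mycorp.com"))      # False
    print(matches("*.*.mycorp.com", "anna.nl.mycorp.com"))    # True
    # With the general rule first, nl users are sent to the wrong group:
    print(first_match("anna.nl.mycorp.com", MISORDERED))
```

Run the block as a script to see each identity resolved to a server group; the MISORDERED table shows why the manual's advice to use more specific rules only works if those rules are evaluated before the general ones.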
Bonded Authentication period
The Bonded Authentication period is the number of seconds that WSS Software waits for a Bonded Authentication user to reauthenticate after the user's session ends.
After successful machine authentication, a session for the machine appears in the session table in WSS
Software. When the user logs on and is authenticated, the user session replaces the machine session in the
table. However, since the user’s authentication rule contains the bonded option, WSS Software remembers
that the machine was authenticated.
If a Bonded Authentication user’s session is ended due to 802.1X reauthentication or the RADIUS
Session-Timeout parameter, WSS Software can allow time for the user to reauthenticate. The amount of time
that WSS Software allows for reauthentication is controlled by the Bonded Authentication period.
If the user does not reauthenticate within the Bonded Authentication period, WSS Software deletes the information about the machine session. After that information is deleted, the Bonded Authentication user cannot reauthenticate; the user must log off and then log back on to access the network. After multiple failed reauthentication attempts, the user might need to reboot the PC before logging on.
By default, the Bonded Authentication period is 0 seconds: WSS Software does not wait for a Bonded Authentication user to reauthenticate, so a user whose session ends must log off and log back on.
You can set the Bonded Authentication period to a value up to 300 seconds. Nortel recommends that you try
60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60
seconds.
To set the Bonded Authentication period, use the following command:
set dot1x bonded-period seconds
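The following added example is a small model of the session-table behaviour described above, written for this page; it is not WSS Software code and the real implementation is not public. Clients are keyed by constructed MAC-address strings, time is passed in explicitly as seconds, and the choice that a reauthentication exactly at the end of the period is rejected is this model's assumption. It shows the default period of 0 rejecting every reauthentication, a period of 60 accepting a reauthentication 30 seconds after the session ends, and the machine information being deleted once the period elapses so that only a fresh machine authentication (log off, log on) restores access.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class BondedAuthTable:
    """Illustrative model of Bonded Authentication state per client.

    machine_ok:        clients whose machine authentication is remembered
    active_user:       client -> user name of the current user session
    session_ended_at:  client -> time at which the user session ended
    """
    bonded_period: int = 0            # seconds; 0 is the documented default
    machine_ok: Dict[str, bool] = field(default_factory=dict)
    active_user: Dict[str, str] = field(default_factory=dict)
    session_ended_at: Dict[str, float] = field(default_factory=dict)

    def machine_authenticated(self, client: str, now: float) -> None:
        """Successful machine authentication creates a machine session."""
        self.machine_ok[client] = True
        self.active_user.pop(client, None)
        self.session_ended_at.pop(client, None)

    def user_authenticate(self, client: str, user: str, now: float) -> bool:
        """Apply a user rule carrying the bonded option.

        The user session replaces the machine session, but the user is only
        accepted while the machine authentication is still remembered.
        """
        self._expire_if_period_elapsed(client, now)
        if not self.machine_ok.get(client):
            return False
        self.active_user[client] = user
        self.session_ended_at.pop(client, None)
        return True

    def session_ended(self, client: str, now: float) -> None:
        """802.1X reauthentication or RADIUS Session-Timeout ended the session."""
        self.active_user.pop(client, None)
        self.session_ended_at[client] = now

    def _expire_if_period_elapsed(self, client: str, now: float) -> None:
        """Delete the remembered machine authentication once the period is up.

        Model assumption: elapsed time equal to the period already counts as
        expired, so a period of 0 never allows a reauthentication.
        """
        ended = self.session_ended_at.get(client)
        if ended is not None and now - ended >= self.bonded_period:
            self.machine_ok.pop(client, None)
            self.session_ended_at.pop(client, None)


def run_scenario(bonded_period: int) -> Dict[str, bool]:
    """Replay one client's day against a given period; returns each outcome."""
    t = BondedAuthTable(bonded_period=bonded_period)
    client = "00:11:22:33:44:55"          # constructed MAC address
    out: Dict[str, bool] = {}
    out["user before machine auth"] = t.user_authenticate(client, "anna", 0)
    t.machine_authenticated(client, 10)    # PC boots and authenticates
    out["initial logon"] = t.user_authenticate(client, "anna", 15)
    t.session_ended(client, 3600)          # periodic 802.1X reauthentication
    out["reauth after 30 s"] = t.user_authenticate(client, "anna", 3630)
    t.session_ended(client, 7200)
    out["reauth after 61 s"] = t.user_authenticate(client, "anna", 7261)
    out["retry after 62 s"] = t.user_authenticate(client, "anna", 7262)
    t.machine_authenticated(client, 7300)  # user logs off and back on
    out["logon after machine reauth"] = t.user_authenticate(client, "anna", 7305)
    return out


if __name__ == "__main__":
    for period in (0, 60):
        print(f"bonded-period {period}:", run_scenario(period))
```

With the recommended period of 60 seconds the 30-second reauthentication succeeds and only the late one fails; with the default of 0 every reauthentication fails until the machine authenticates again, which is the behaviour users report as needing to log off and on.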