DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
“Globs” and Groups for Network User Classification
“Globbing” lets you classify users by username or MAC address for different AAA treatments.
A user glob is a string used by AAA and IEEE 802.1X or WebAAA methods to match a user
or set of users. MAC address globs match authentication methods to a MAC address or set
of MAC addresses. User globs and MAC address globs can make use of wildcards.
A user group is a named collection of users or MAC addresses sharing a common authorization
policy. For example, you might group all users on the first floor of building 17 into the group
bldg-17-1st-floor, or group all users in the IT group into the group infotech-people.
Wildcard “Any” for SSID Matching
Authentication rules for wireless access include the SSID name, and must match on the
SSID name requested by the user for MSS to attempt to authenticate the user for that SSID.
To make an authentication rule match any SSID string, specify the SSID name as any in
the rule.
AAA Methods for IEEE 802.1X and Web Network Access
The following AAA methods are supported by D-Link for 802.1X and Web network access
mode:
• Client certificates issued by a certificate authority (CA) for authentication. (For this method, you assign an authentication protocol to a user.)
• The switch’s local database of usernames and user groups for authentication.
• A named group of RADIUS servers. The switch supports up to four server groups, which can each contain between one and four servers.
You can use the local database or RADIUS servers for MAC and last-resort access as well.
If you use RADIUS servers, make sure you configure the password for the MAC address or
last-resort user as default. (This is the default authorization password.)
AAA Rollover Process
A DWS-1008 switch attempts AAA methods in the order in which they are entered in the
configuration:
1. The first AAA method in the list is used unless that method results in an error. If the method results in a pass or fail, the result is final and the switch tries no other methods.
2. If the switch receives no response from the first AAA method, it tries the second method in the list.
3. If the switch receives no response from the second AAA method, it tries the third method. This evaluation process is applied to all methods in the list.
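The rollover rule above, modeled in Python as an added example (not code from the manual or from MSS). The method names, user tables and the `radius_group`, `local_db` and `authenticate` helpers are constructed for illustration; it shows why a stale local-database entry only matters while the RADIUS group is not answering.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NO_RESPONSE = "no response"  # method errored or did not answer

def radius_group(reachable, users):
    """Constructed stand-in for a named RADIUS server group."""
    def method(username, password):
        if not reachable:
            return Result.NO_RESPONSE
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method

def local_db(users):
    """Constructed stand-in for the switch's local database (always answers)."""
    def method(username, password):
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method

def authenticate(methods, username, password):
    """Try (name, method) pairs in configured order.

    Returns (result, names_tried). A pass or fail is final; only a
    missing response moves evaluation to the next method in the list.
    """
    tried = []
    for name, method in methods:
        tried.append(name)
        result = method(username, password)
        if result is not Result.NO_RESPONSE:
            return result, tried
    # The page does not say what happens when no method answers;
    # a caller of this model should treat NO_RESPONSE as a denial.
    return Result.NO_RESPONSE, tried

# Constructed sample data: the local entry for alice holds an old password.
RADIUS_USERS = {"alice": "radius-pw"}
LOCAL_USERS = {"alice": "old-local-pw"}

def demo():
    up = [("radius-group-1", radius_group(True, RADIUS_USERS)),
          ("local", local_db(LOCAL_USERS))]
    down = [("radius-group-1", radius_group(False, RADIUS_USERS)),
            ("local", local_db(LOCAL_USERS))]
    return {
        # RADIUS answers with a fail, so the local database is never consulted.
        "reject_is_final": authenticate(up, "alice", "old-local-pw"),
        # RADIUS is silent, so the same credentials pass against the local entry.
        "outage_rolls_over": authenticate(down, "alice", "old-local-pw"),
    }
```

When a local method follows a RADIUS group in the list, the local database should be audited with the same care as the RADIUS user store, because it becomes the deciding method during an outage.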