D-Link DWS-1008 User Manual
Using Authentication and Accounting Rules Together
When you use accounting commands with authentication commands and identify users with user globs,
MSS might not process the commands in the order you entered them. As a result, user authentication
or accounting might not proceed as you intend, or valid users might fail authentication and be shut out
of the network.
You can prevent these problems by using duplicate user globs for authentication and accounting and
entering the commands in pairs.
Configuration Producing an Incorrect Processing Order
For example, suppose you initially set up start-stop accounting as follows for all 802.1X users via
RADIUS server group 1:
DWS-1008# set accounting dot1x ssid mycorp * start-stop group1
success: change accepted.
You then set up PEAP-MS-CHAP-V2 authentication and authorization for all EXAMPLE/ users at
server group 1. Finally, you set up PEAP-MS-CHAP-V2 authentication and authorization for all users in
the local database, with the intention that EXAMPLE users are processed first:
DWS-1008# set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
success: change accepted.
DWS-1008# set authentication dot1x ssid mycorp * peap-mschapv2 local
success: change accepted.
The following configuration order results. The authentication commands are reversed, and MSS
processes the authentication of all 802.1X users in the local database and ignores the command for
EXAMPLE/ users.
DWS-1008# show aaa
...
set accounting dot1x ssid mycorp * start-stop group1
set authentication dot1x ssid mycorp * peap-mschapv2 local
set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
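The following Python script is an added example, not part of the manual or of MSS. It audits saved show aaa output for authentication rules that can never be reached because an earlier rule on the same SSID already covers their user glob, as happens in the listing above. It assumes rules are processed first-match in the displayed order and that * matches any run of characters (a simplification of MSS glob rules); all function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed sample: the rule lines from the show aaa output above.
SHOW_AAA = """\
set accounting dot1x ssid mycorp * start-stop group1
set authentication dot1x ssid mycorp * peap-mschapv2 local
set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
"""

def parse_auth_rules(text):
    """Return the authentication rules, in display order, as dicts."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        # Shape: set authentication <access> ssid <ssid> <glob> <protocol> <method>...
        if len(tok) >= 8 and tok[:2] == ["set", "authentication"] and tok[3] == "ssid":
            rules.append({"access": tok[2], "ssid": tok[4], "glob": tok[5],
                          "protocol": tok[6], "methods": tok[7:], "line": line.strip()})
    return rules

def covers(earlier_glob, later_glob):
    """True if every username matching later_glob also matches earlier_glob.
    Assumption: '*' is the only wildcard and matches any run of characters."""
    return fnmatchcase(later_glob, earlier_glob)

def shadowed(rules):
    """Return (unreachable_rule, shadowing_rule) line pairs."""
    out = []
    for i, rule in enumerate(rules):
        for prev in rules[:i]:
            same_scope = (prev["access"], prev["ssid"]) == (rule["access"], rule["ssid"])
            if same_scope and covers(prev["glob"], rule["glob"]):
                out.append((rule["line"], prev["line"]))
                break
    return out

def effective_rule(rules, access, ssid, username):
    """Return the first rule that matches this user, or None."""
    for rule in rules:
        if (rule["access"], rule["ssid"]) == (access, ssid) and fnmatchcase(username, rule["glob"]):
            return rule
    return None

if __name__ == "__main__":
    rules = parse_auth_rules(SHOW_AAA)
    for late, early in shadowed(rules):
        print(f"never reached: {late}\n  shadowed by: {early}")
    hit = effective_rule(rules, "dot1x", "mycorp", "EXAMPLE/alice")  # constructed username
    print("EXAMPLE/alice is authenticated via:", hit["methods"])
```

Run against the listing above, it reports the EXAMPLE/* rule as unreachable and shows that an EXAMPLE/ user is authenticated against the local database rather than group1.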