DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
The username or MAC address can be an exact match or can match a userglob or MAC
address glob, which allow wildcards to be used for all or part of the username or MAC
address.
Authentication Types
MSS provides the following types of authentication:
• IEEE 802.1X - If the network user’s network interface card (NIC) supports 802.1X,
MSS checks for an 802.1X authentication rule that matches the username (and
SSID, if wireless access is requested), and that uses the Extensible Authentication
Protocol (EAP) requested by the NIC. If a matching rule is found, MSS uses
the requested EAP to check the RADIUS server group or local database for the
username and password entered by the user. If matching information is found, MSS
grants access to the user.
• MAC - If the username does not match an 802.1X authentication rule, but the MAC
address of the user’s NIC or Voice-over-IP (VoIP) phone and the SSID (if wireless)
do match a MAC authentication rule, MSS checks the RADIUS server group or local
database for matching user information. If the MAC address (and password, if on a
RADIUS server) matches, MSS grants access. Otherwise, MSS attempts the fallthru
authentication type, which can be Web, last-resort, or none. (Fallthru authentication
is described in more detail in Authentication Algorithm.)
• Web - A network user attempts to access a web page over the network. The switch
intercepts the HTTP or HTTPS request and serves a login Web page to the user.
The user enters the username and password, and MSS checks the RADIUS server
group or local database for matching user information. If the username and password
match, MSS redirects the user to the web page she requested. Otherwise, MSS
denies access to the user.
• Last-resort - A network user requests access to the network, without entering a
username or password. MSS checks for a last-resort authentication rule for the
requested SSID (or for wired, if the user is on a wired authentication port). If a
matching rule is found, MSS checks the RADIUS server group or local database
for username last-resort-wired (for wired authentication access) or last-resort-ssid,
where ssid is the SSID requested by the user. If the user information is on a RADIUS
server, MSS also checks for a password.
Authentication Algorithm
MSS can try more than one of the authentication types described in Authentication Types
to authenticate a user. MSS tries 802.1X first. If the user’s NIC supports 802.1X but fails
authentication, MSS denies access. Otherwise, MSS tries MAC authentication next. If MAC
authentication is successful, MSS grants access to the user. Otherwise, MSS tries the
fallthru authentication type specified for the SSID or wired authentication port. The fallthru
authentication type can be one of the following:
• Web
• Last-resort
• None
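The decision order described in Authentication Algorithm, modeled as an added Python example (not code from the manual or from MSS) so the effect of each fallthru setting can be compared over a constructed set of clients. The Client fields, the function names and the last_resort_user flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Client:
    # Constructed model of one access attempt; field names are assumptions.
    name: str
    dot1x: Optional[bool] = None  # None: NIC does not use 802.1X or no 802.1X rule matches
    mac_ok: bool = False          # MAC rule matched and the database lookup succeeded
    web_ok: bool = False          # credentials entered on the Web login page are valid

def authenticate(c, fallthru, last_resort_user=False):
    """Return (granted, method), following the order 802.1X, MAC, fallthru."""
    if fallthru not in ("web", "last-resort", "none"):
        raise ValueError(f"unknown fallthru type: {fallthru!r}")
    if c.dot1x is not None:
        # 802.1X was attempted: its result is final. A failure is a denial,
        # even if the same device would pass MAC or fallthru authentication.
        return (c.dot1x, "802.1X")
    if c.mac_ok:
        return (True, "MAC")
    if fallthru == "web":
        return (c.web_ok, "Web")
    if fallthru == "last-resort":
        # No credentials are entered by the user; access depends only on the
        # last-resort-ssid / last-resort-wired lookup succeeding.
        return (last_resort_user, "last-resort")
    return (False, "none")

def audit(clients, fallthru, last_resort_user=False):
    """Map each client name to the method that granted access, or 'DENIED'."""
    result = {}
    for c in clients:
        granted, method = authenticate(c, fallthru, last_resort_user)
        result[c.name] = method if granted else "DENIED"
    return result

# Constructed sample clients, not taken from the manual.
CLIENTS = [
    Client("laptop-good", dot1x=True),
    Client("laptop-badpw", dot1x=False, mac_ok=True),
    Client("voip-phone", mac_ok=True),
    Client("guest-web", web_ok=True),
    Client("unknown"),
]

if __name__ == "__main__":
    for setting in ("none", "web", "last-resort"):
        print(setting, audit(CLIENTS, setting, last_resort_user=True))
```

With fallthru set to last-resort and the last-resort user present, every client that reaches the fallthru step is granted access, including the client that supplied nothing.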