DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
Web and last-resort are described in Authentication Types. None means the user is automatically
denied access. The fallthru authentication type for wireless access is associated with the
SSID (through a service profile). The fallthru authentication type for wired authentication
access is specified with the wired authentication port.
Note:
The fallthru authentication type None is different from the authentication method none
you can specify for administrative access. The fallthru authentication type None denies
access to a network user. In contrast, the authentication method none allows access to the
switch by an administrator.
SSID Name “Any”
In authentication rules for wireless access, you can specify the name any for the SSID. This
value is a wildcard that matches on any SSID string requested by the user.
For 802.1X and WebAAA rules that match on SSID any, MSS checks the RADIUS servers
or local database for the username (and password, if applicable) entered by the user. If the
user information matches, MSS grants access to the SSID requested by the user, regardless
of which SSID name it is.
For MAC authentication rules that match on SSID any, MSS checks the RADIUS servers or
local database for the MAC address (and password, if applicable) of the user’s device. If the
address matches, MSS grants access to the SSID requested by the user, regardless of which
SSID name it is.
However, in a last-resort authentication rule for wireless access, if the SSID name in the
authentication rule is any, MSS checks the RADIUS servers or local database for username
last-resort-any, exactly as spelled here. If checking RADIUS, MSS also checks for a password.
Access is granted only if this username (and password, if applicable) is found. Otherwise,
access is denied.
Last-Resort Processing
When a user without a username or password requests wireless access, MSS checks the
configuration for a last-resort authentication rule that matches on the SSID. If the configuration
contains the rule, MSS checks the local database for username last-resort-ssid, where ssid is
the SSID requested by the user. The guest user is granted access only if the database
or RADIUS server group contains last-resort-ssid for the SSID requested by the user.
Otherwise, access is denied.
This processing of the last-resort username is different from 802.1X, MAC, or WebAAA,
where MSS checks for the exact username or MAC address (and password, if applicable)
of the user. MSS does not append the SSID to the username (or MAC address) for 802.1X,
Web, or MAC authentication.
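The following Python sketch is an added example, not part of the D-Link manual or MSS. It models the lookup names described above and reports which SSIDs a guest without credentials could join for a given set of last-resort rules and user database. The function names, the sample SSIDs and usernames, and the assumption that the first matching rule decides are all illustrative.

```python
# Added illustration: models the lookup names described in this section.
# Rule ordering (first match wins) and all sample data are assumptions.

def lookup_name(rule_type, rule_ssid, requested_ssid, identity=None):
    """Return the name MSS looks up, or None if the rule does not match."""
    if rule_ssid != "any" and rule_ssid != requested_ssid:
        return None                      # rule does not match this SSID
    if rule_type == "last-resort":
        # SSID "any" in a last-resort rule maps to the literal last-resort-any;
        # otherwise the requested SSID is appended.
        suffix = "any" if rule_ssid == "any" else requested_ssid
        return "last-resort-" + suffix
    # 802.1X, WebAAA and MAC rules use the exact username or MAC address.
    return identity


def guest_open_ssids(last_resort_rule_ssids, ssids, user_db):
    """SSIDs a credential-less guest can join, given last-resort rules."""
    open_ssids = []
    for ssid in ssids:
        for rule_ssid in last_resort_rule_ssids:
            name = lookup_name("last-resort", rule_ssid, ssid)
            if name is None:
                continue
            if name in user_db:
                open_ssids.append(ssid)
            break                        # assumed: first matching rule decides
    return open_ssids


# Constructed sample data (not from the manual)
SSIDS = ["corp", "guest", "lab"]
USER_DB = {"alice", "last-resort-guest", "00:11:22:33:44:55"}

if __name__ == "__main__":
    print(guest_open_ssids(["guest"], SSIDS, USER_DB))
    print(guest_open_ssids(["any"], SSIDS, USER_DB))
    print(guest_open_ssids(["any"], SSIDS, USER_DB | {"last-resort-any"}))
```

When reviewing a configuration, a last-resort rule on SSID any combined with a last-resort-any account is the case to look for, because that single account admits guests on every SSID.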
User Credential Requirements
The user credentials that MSS checks for on RADIUS servers or in the local database differ
depending on the type of authentication rule that matches on the SSID or wired access
requested by the user.