273
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
• For a user to be successfully authenticated by an 802.1X or WebAAA rule, the username and password entered by the user must be configured on the RADIUS servers used by the authentication rule or in the switch’s local database, if the local database is used by the rule.
• For a user to be successfully authenticated based on the MAC address of the user’s device, the MAC address must be configured on the RADIUS servers used by the authentication rule or in the switch’s local database, if the local database is used by the rule. If the MAC address is configured in the local database, no password is required. However, since RADIUS requires a password, if the MAC address is on the RADIUS server, MSS checks for a password. The default well-known password is dlink, but it is configurable. (The same password applies to last-resort users.) Because this default is published, change it before relying on MAC or last-resort users stored on a RADIUS server.
• For a user to be successfully authenticated for last-resort access, the RADIUS servers or local database (whichever method is used by the last-resort authentication rule) must contain a user named last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the matching last-resort user is configured in the local database, no password is required. However, since RADIUS requires a password, if the matching last-resort user is on the RADIUS server, MSS checks for a password. The default well-known password is dlink, but it is configurable. (The same password applies to MAC users.)
If the last-resort authentication rule matches on SSID any, which is a wildcard that matches on any SSID string, the RADIUS servers or local database must have user last-resort-any, exactly as spelled here.
Authorization
If the user is authenticated, MSS then checks the RADIUS server or local database (the same place MSS looked for user information to authenticate the user) for the authorization attributes assigned to the user. Authorization attributes specify the network resources the user can access.
The only required attribute is the Virtual LAN (VLAN) name on which to place the user. RADIUS and MSS have additional optional attributes. For example, you can provide further access controls by specifying the times during which the user can access the network, you can apply inbound and outbound access control lists (ACLs) to the user’s traffic, and so on.
To assign attributes on the RADIUS server, use the standard RADIUS attributes supported on the server. To assign attributes in the switch’s local database, use the MSS vendor-specific attributes (VSAs).
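The lookup rules above (which user name MSS searches for under each rule type, when a password is needed, and the VLAN requirement at authorization) are easy to get wrong when populating a RADIUS server. The following Python model, added here as an example and not taken from D-Link or MSS code, runs those rules against two constructed user stores so you can check what an entry must look like before deploying it. The attribute key names VLAN-Name and End-Date, the datetime format of End-Date, the exact-match comparison of MAC strings, and all sample users and passwords are assumptions made for the example.

```python
"""Added example (not D-Link/MSS code): a model of the MSS user lookup and
authorization rules described in the manual, run against constructed stores."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

DEFAULT_WELL_KNOWN_PASSWORD = "dlink"  # documented default for MAC and last-resort users; configurable


@dataclass
class UserRecord:
    password: Optional[str] = None           # None: the record carries no password
    attributes: dict = field(default_factory=dict)


def expected_username(rule_type, identity, rule_ssid=None, wired=False):
    """Name MSS looks up for a rule. identity is the typed user name (802.1X/WebAAA),
    the device MAC (mac) or the SSID the client requested (last-resort wireless)."""
    if rule_type in ("802.1x", "webaaa", "mac"):
        return identity                       # compared exactly as stored (assumption)
    if rule_type == "last-resort":
        if wired:
            return "last-resort-wired"
        if rule_ssid == "any":                # wildcard rule: the user must be named exactly this
            return "last-resort-any"
        return "last-resort-" + identity      # identity is the SSID the user requested
    raise ValueError(f"unknown rule type {rule_type!r}")


def authenticate(store, store_kind, rule_type, username, supplied_password=None,
                 well_known=DEFAULT_WELL_KNOWN_PASSWORD):
    """Return (record, reason). 802.1X/WebAAA users must present their password;
    MAC and last-resort users need none in the local database but must carry the
    well-known password when they live on a RADIUS server."""
    record = store.get(username)
    if record is None:
        return None, f"user {username!r} not found in {store_kind} store"
    if rule_type in ("802.1x", "webaaa"):
        if supplied_password is None or record.password != supplied_password:
            return None, "wrong or missing password"
        return record, "ok"
    if store_kind == "local":
        return record, "ok"                   # MAC / last-resort entry in local db: no password
    if record.password != well_known:         # RADIUS: MSS submits the well-known password
        return None, "RADIUS entry lacks the configured well-known password"
    return record, "ok"


def authorize(record, now, vlan_attr="VLAN-Name", end_attr="End-Date"):
    """The VLAN name is the only required attribute; End-Date, when present, must not have passed."""
    vlan = record.attributes.get(vlan_attr)
    if vlan is None:
        return None, "no VLAN assigned (required attribute missing)"
    end = record.attributes.get(end_attr)
    if end is not None and now > end:
        return None, f"End-Date {end:%Y-%m-%d %H:%M} has passed"
    return vlan, "ok"


def aaa(store, store_kind, rule_type, identity, supplied_password=None,
        rule_ssid=None, wired=False, now=None):
    """Full decision for one access attempt: (vlan_or_None, reason)."""
    now = now or datetime.now()
    username = expected_username(rule_type, identity, rule_ssid, wired)
    record, reason = authenticate(store, store_kind, rule_type, username, supplied_password)
    if record is None:
        return None, reason
    return authorize(record, now)


# Constructed sample stores for the example (not real data).
LOCAL_DB = {
    "last-resort-any": UserRecord(attributes={"VLAN-Name": "guest"}),
    "00:11:22:33:44:55": UserRecord(attributes={"VLAN-Name": "printers",
                                                "End-Date": datetime(2020, 1, 1)}),
}
RADIUS_DB = {
    "alice": UserRecord(password="s3cret", attributes={"VLAN-Name": "staff"}),
    "last-resort-corp": UserRecord(password="dlink", attributes={"VLAN-Name": "guest"}),
    "last-resort-wired": UserRecord(attributes={"VLAN-Name": "guest"}),  # no password: rejected
    "aa:bb:cc:dd:ee:ff": UserRecord(password="dlink", attributes={}),    # no VLAN: rejected
}
NOW = datetime(2024, 6, 1, 12, 0)

if __name__ == "__main__":
    print(aaa(RADIUS_DB, "radius", "802.1x", "alice", "s3cret", now=NOW))
    print(aaa(LOCAL_DB, "local", "last-resort", "lobby", rule_ssid="any", now=NOW))
    print(aaa(RADIUS_DB, "radius", "last-resort", "corp", rule_ssid="corp", now=NOW))
    print(aaa(RADIUS_DB, "radius", "last-resort", None, wired=True, now=NOW))
    print(aaa(LOCAL_DB, "local", "mac", "00:11:22:33:44:55", now=NOW))
    print(aaa(RADIUS_DB, "radius", "mac", "aa:bb:cc:dd:ee:ff", now=NOW))
```

The two rejected RADIUS entries illustrate the failure modes the text warns about: a last-resort-wired user created without the well-known password never authenticates through RADIUS, and a MAC entry with no VLAN attribute authenticates but cannot be authorized.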
MSS provides the following VSAs, which you can assign to users configured in the local database or on a RADIUS server:
• Encryption-Type - Specifies the type of encryption required for access by the client. Clients who attempt to use an unauthorized encryption method are rejected.
• End-Date - Date and time after which the user is no longer allowed to be on the network.