DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
Assigning and Clearing Encryption Types on a RADIUS Server
To assign or delete an encryption algorithm as the Encryption-Type authorization attribute in a
user or group record on a RADIUS server, see the documentation for your RADIUS server.
Overriding or Adding Attributes Locally with a Location Policy
During the login process, the AAA authorization process is started immediately after clients
are authenticated to use the switch. During authorization, MSS assigns the user to a VLAN
and applies optional user attributes, such as a session timeout value and one or more security
ACL filters.
A location policy is a set of rules that enables you to locally set or change authorization
attributes for a user after the user is authorized by AAA, without making changes to the AAA
server. For example, you might want to enforce VLAN membership and security ACL policies
on a particular DWS-1008 switch based on a client’s organization or physical location, or
assign a VLAN to users who have no AAA assignment. For these situations, you can configure
the location policy on the switch.
You can use a location policy to locally set or change the Filter-Id and VLAN-Name authorization
attributes obtained from AAA.
About the Location Policy
Each switch can have one location policy. The location policy consists of a set of rules. Each
rule contains conditions, and an action to perform if all conditions in the rule match.
The action can be one of the following:
• Deny access to the network
• Permit access, but set or change the user’s VLAN assignment, inbound ACL,
  outbound ACL, or any combination of these attributes
The conditions can be one or more of the following:
• AAA-assigned VLAN
• Username
• AP access port, Distributed AP number, or wired authentication port through which
  the user accessed the network
• SSID name with which the user is associated
Conditions within a rule are ANDed. All conditions in the rule must match in order for MSS
to take the specified action. If the location policy contains multiple rules, MSS compares
the user information to the rules one at a time, in the order the rules appear in the switch’s
configuration file, beginning with the rule at the top of the list. MSS continues comparing until
a user matches all conditions in a rule or until there are no more rules.
Any authorization attributes not changed by the location policy remain active.
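
The evaluation order described above has a practical consequence: a broad rule placed above a narrower one prevents the narrower rule from ever matching. The following Python model is an added example, not code or syntax from this manual or from MSS; the rule fields, attribute keys and sample names are hypothetical. It assumes conditions are exact-match comparisons and that a user who matches no rule keeps the AAA-assigned attributes unchanged.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str            # "deny" or "permit"
    conditions: dict       # any of: vlan, username, port, ssid (ANDed)
    changes: dict = field(default_factory=dict)  # any of: vlan, acl_in, acl_out

def apply_location_policy(rules, session):
    """Model of first-match evaluation. Returns (permitted, attrs, rule_index)."""
    attrs = dict(session["attrs"])  # attributes assigned by AAA
    facts = {"vlan": attrs.get("vlan"), "username": session["username"],
             "port": session["port"], "ssid": session["ssid"]}
    for i, rule in enumerate(rules):  # configuration-file order, top first
        if all(facts.get(k) == v for k, v in rule.conditions.items()):
            if rule.action == "deny":
                return False, attrs, i
            attrs.update(rule.changes)  # untouched attributes stay active
            return True, attrs, i
    return True, attrs, None  # assumption: no match leaves AAA result as-is

def shadowed_rules(rules):
    """Audit check: (later, earlier) pairs where the later rule can never match."""
    return [(j, i) for j in range(len(rules)) for i in range(j)
            if rules[i].conditions.items() <= rules[j].conditions.items()]

# Constructed sample data (names are hypothetical).
GUEST = Rule("permit", {"ssid": "guest"}, {"vlan": "guest-vlan", "acl_in": "guest-in"})
BLOCK = Rule("deny", {"ssid": "guest", "username": "contractor1"})
SESSION = {"username": "contractor1", "ssid": "guest", "port": "ap-3",
           "attrs": {"vlan": "default", "session_timeout": 3600}}

if __name__ == "__main__":
    print(apply_location_policy([GUEST, BLOCK], SESSION))  # broad permit wins
    print(apply_location_policy([BLOCK, GUEST], SESSION))  # deny reached first
    print(shadowed_rules([GUEST, BLOCK]))
```

Running the shadowing check over a rule list before committing it shows which deny rules need to move above a broader permit rule.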