310
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
Avoiding AAA Problems in Configuration Order
Using the Wildcard “Any” as the SSID Name in Authentication Rules
You can configure an authentication rule to match on all SSID strings by using the SSID string
any in the rule. For example, the following rule matches on all SSID strings requested by all
users:
set authentication web ssid any ** sg1
MSS checks authentication rules in the order they appear in the configuration file. As a result,
if a rule with SSID any appears in the configuration before a rule that matches on a specific
SSID for the same authentication type and userglob, the rule with any always matches first.
To ensure the authentication behavior that you expect, place the most specific rules first
and place rules with SSID any last. For example, to ensure that users who request SSID
corpa are authenticated using RADIUS server group corpasrvr, place the following rule in the
configuration before the rule with SSID any:
set authentication web ssid corpa ** corpasrvr
Here is an example of an AAA configuration where the most-specific rules for 802.1X are first
and the rules with any are last:
DWS-1008# show aaa
...
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set authentication dot1x ssid any ** peap-mschapv2 sg1 sg2 sg3
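The first-match behavior described above, as an added illustration that is not part of the manual: a small Python model that parses set authentication lines, evaluates them top to bottom the way the text says MSS does, and flags rules that an earlier any rule shadows. The userglob semantics in user_matches are a simplified assumption, not taken from this page.

```python
import fnmatch
from collections import namedtuple

AuthRule = namedtuple("AuthRule", "auth_type ssid userglob methods")

def parse_rules(config_text):
    """Parse authentication rules in file order; MSS evaluates them top to bottom."""
    rules = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) >= 7 and t[:2] == ["set", "authentication"] and t[3] == "ssid":
            rules.append(AuthRule(t[2], t[4], t[5], tuple(t[6:])))
    return rules

def user_matches(userglob, username):
    # Simplified userglob semantics (an assumption, not taken from this page):
    # '**' matches every user, '*' any user without a domain delimiter, else a glob.
    if userglob == "**":
        return True
    if userglob == "*":
        return "@" not in username and "\\" not in username
    return fnmatch.fnmatchcase(username, userglob)

def first_match(rules, auth_type, ssid, username):
    """Return the first rule that matches the request, as MSS does, or None."""
    for rule in rules:
        if (rule.auth_type == auth_type and rule.ssid in ("any", ssid)
                and user_matches(rule.userglob, username)):
            return rule
    return None

def shadowed_rules(rules):
    """Rules that can never match because an earlier rule of the same type covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(e.auth_type == later.auth_type and e.ssid in ("any", later.ssid)
               and e.userglob in ("**", later.userglob) for e in rules[:i]):
            shadowed.append(later)
    return shadowed

# Constructed configurations: the same two rules in both possible orders.
WRONG_ORDER = ("set authentication web ssid any ** sg1\n"
               "set authentication web ssid corpa ** corpasrvr\n")
RIGHT_ORDER = ("set authentication web ssid corpa ** corpasrvr\n"
               "set authentication web ssid any ** sg1\n")

if __name__ == "__main__":
    for cfg in (WRONG_ORDER, RIGHT_ORDER):
        hit = first_match(parse_rules(cfg), "web", "corpa", "alice")
        print(hit.methods[-1], [r.ssid for r in shadowed_rules(parse_rules(cfg))])
```

With WRONG_ORDER a corpa user is sent to sg1 and the corpa rule is reported as shadowed; with RIGHT_ORDER the same user reaches corpasrvr and nothing is shadowed.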
Using Authentication and Accounting Rules Together
When you use accounting commands with authentication commands and identify users with
user globs, MSS might not process the commands in the order you entered them. As a result,
user authentication or accounting might not proceed as you intend, or valid users might fail
authentication and be shut out of the network.
You can prevent these problems by using duplicate user globs for authentication and
accounting and entering the commands in pairs.
Configuration Producing an Incorrect Processing Order
For example, suppose you initially set up start-stop accounting as follows for all 802.1X
users via RADIUS server group 1:
DWS-1008# set accounting dot1x ssid mycorp * start-stop group1
success: change accepted.