DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
A Mobility Profile is a way of specifying, on a per-user basis, those users who are allowed
access to specified DWL-8220AP access ports and wired authentication ports on a switch.
In this way, you can constrain the areas to which a user can roam. You first create a
Mobility Profile, assign it to one or more users, and finally enable the Mobility Profile feature
on the DWS-1008 switch.
Use the following command to create a Mobility Profile by giving it a name and identifying
the accessible port or ports:
set mobility-profile name name {port {none | all | port-list}} | {dap {none | all | dap-num}}
Specifying none prevents users assigned to the Mobility Profile from accessing any DWL-8220AP
access ports, Distributed APs, or wired authentication ports on the DWS-1008 switch.
Specifying all allows the users access to all of the ports or Distributed APs.
Specifying an individual port or Distributed AP number or a list limits access to those ports or
APs. For example, the following command creates a Mobility Profile named roses-profile that
allows access through ports 2 through 4, port 7, and port 9:
DWS-1008# set mobility-profile name roses-profile port 2-4,7,9
success: change accepted.
You can then assign this Mobility Profile to one or more users. For example, to assign the
Mobility Profile roses-profile to all users at EXAMPLE\, type the following command:
DWS-1008# set user EXAMPLE\* attr mobility-profile roses-profile
success: change accepted.
During 802.1X authorization for clients at EXAMPLE\, MSS must search for the Mobility Profile
named roses-profile. If it is not found, the authorization fails and clients with usernames like
EXAMPLE\jose and EXAMPLE\tamara are rejected.
If roses-profile is configured for EXAMPLE\ users on your DWS-1008 switch, MSS checks
its port list. If, for example, the current port for EXAMPLE\jose’s connection is on the list of
allowed ports specified in roses-profile, the connection is allowed to proceed. If the port is
not in the list (for example, EXAMPLE\jose is on port 12, which is not in the port list), the
authorization fails and client EXAMPLE\jose is rejected.
The Mobility Profile feature is disabled by default. You must enable Mobility Profile attributes
on the switch to use it. You can enable or disable the feature for the whole DWS-1008 switch
only. If the Mobility Profile feature is disabled, all Mobility Profile attributes are ignored.
To put Mobility Profile attributes into effect on a DWS-1008 switch, type the following
command:
DWS-1008# set mobility-profile mode enable
success: change accepted.
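The authorization decision described above can be modeled offline to check a planned profile before enabling the feature. The following is an added example, not MSS code or part of the original manual: the function names are hypothetical, the user glob is approximated with Python's fnmatchcase, and the treatment of users with no mobility-profile attribute is an assumption.

```python
# Added illustration: a model of the Mobility Profile authorization decision
# described in this section. Not MSS code; all names here are hypothetical.
from fnmatch import fnmatchcase


def parse_port_list(spec):
    """Expand 'none', 'all' or a list like '2-4,7,9'; 'all' yields None (unrestricted)."""
    if spec == "all":
        return None
    if spec == "none":
        return set()
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if first > last:
            raise ValueError(f"bad range: {part}")
        ports.update(range(first, last + 1))
    return ports


def authorize(username, port, profiles, user_attrs, mode_enabled):
    """Return (allowed, reason) for a user connecting on a given port.

    profiles:   profile name -> port-list string
    user_attrs: list of (user glob, profile name); first match wins
                (match order is an assumption of this sketch)
    """
    if not mode_enabled:
        return True, "feature disabled: mobility-profile attributes ignored"
    for glob, profile_name in user_attrs:
        if fnmatchcase(username, glob):
            break
    else:
        # Assumption: a user with no mobility-profile attribute is unrestricted.
        return True, "no mobility-profile attribute assigned"
    if profile_name not in profiles:
        return False, f"profile {profile_name!r} not found"
    allowed = parse_port_list(profiles[profile_name])
    if allowed is None or port in allowed:
        return True, f"port {port} permitted by {profile_name!r}"
    return False, f"port {port} not in {profile_name!r}"


if __name__ == "__main__":
    profiles = {"roses-profile": "2-4,7,9"}  # constructed from the example above
    attrs = [("EXAMPLE\\*", "roses-profile")]
    for port in (3, 12):
        print(port, authorize("EXAMPLE\\jose", port, profiles, attrs, True))
```

The model makes one operational point visible: assigning the attribute to users before the named profile exists rejects every matching user once the mode is enabled.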
To display the name of each Mobility Profile and its ports, type the following command: