44
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuration (continued)
Configuration
Configuring User Authentication
MSS provides the following types of authentication:
• IEEE 802.1X - If the network user’s network interface card (NIC) supports 802.1X,
MSS checks for an 802.1X authentication rule that matches the username (and SSID,
if wireless access is requested), and that uses the Extensible Authentication Protocol
(EAP) requested by the NIC. If a matching rule is found, MSS uses the requested
EAP to check the RADIUS server group or local database for the username and
password entered by the user. If matching information is found, MSS grants access
to the user.
• MAC - If the username does not match an 802.1X authentication rule, but the MAC
address of the user’s NIC or Voice-over-IP (VoIP) phone and the SSID (if wireless)
do match a MAC authentication rule, MSS checks the RADIUS server group or local
database for matching user information. If the MAC address (and password, if on a
RADIUS server) matches, MSS grants access. Otherwise, MSS attempts the fallthru
authentication type, which can be Web, last-resort, or none.
• Last-resort - A network user requests access to the network, without entering a
username or password. MSS checks for a last-resort authentication rule for the
requested SSID (or for wired, if the user is on a wired authentication port). If a
matching rule is found, MSS checks the RADIUS server group or local database
for username last-resort-wired (for wired authentication access) or last-resort-ssid,
where ssid is the SSID requested by the user. If the user information is on a RADIUS
server, MSS also checks for a password.
Users cannot access the network unless they are authorized. You can configure an switch
to authenticate users with user information on a group of RADIUS servers or in a local user
database on the switch. You also can configure a switch to offload some authentication tasks
from the server group.
• Pass-through—The switch establishes an Extensible Authentication Protocol (EAP)
session directly between the client and RADIUS server. All authentication information
and certificate exchanges pass through the switch. In this case, the switch does not
need a certificate.