CHAPTER 7: AAA COMMANDS

You can configure a rule either for wireless access to an SSID, or for wired access through a WX switch’s wired authentication port. If the rule is for wireless access to an SSID, specify the SSID name or specify any to match on all SSID names. If the rule is for wired access, specify wired instead of an SSID name.

If you specify multiple authentication methods in the set authentication last-resort command, MSS applies them in the order in which they appear in the command, with these results:

• If the first method responds with pass or fail, the evaluation is final.

• If the first method does not respond, MSS tries the second method, and so on.

However, if local appears first, followed by a RADIUS server group, MSS overrides any failed searches in the local WX database and sends an authentication request to the server group.

MSS uses a last-resort authentication rule under the following conditions:

• The client is not denied access by 802.1X or does not support 802.1X.

• The client’s MAC address does not match a MAC authentication rule.

• The fallthru method is last-resort. (For a wireless authentication rule, the fallthru method is specified by the set service-profile auth-fallthru command. For a wired authentication rule, the fallthru method is specified by the auth-fall-thru option of the set port type wired-auth command.)

For wireless access, MSS appends the requested SSID name to the user name last-resort. For example, if the requested SSID is mycorp, MSS attempts to authenticate the user last-resort-mycorp. If the RADIUS server or local database used as the authentication method has the user last-resort-mycorp, access is granted. Otherwise, access is denied.

If the SSID specified in the last-resort authentication rule is any, MSS searches for user last-resort-any. The any in the username is not a wildcard. The username must be last-resort-any, exactly as spelled here.

Examples — The following command configures a last-resort authentication rule in the local WX database for SSID mycorp:

WX4400# set authentication last-resort ssid mycorp local
success: change accepted.
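The method-ordering and username rules described above can be modeled as follows. This is an added example, not code from the manual or from MSS. The function names, the backend stand-in and the server group name radius-grp are hypothetical, and denying access when no method gives a final answer is an assumption.

```python
# Added model of the last-resort rule evaluation described above; not MSS code.
PASS, FAIL = "pass", "fail"

def last_resort_username(rule_ssid):
    # The SSID is appended literally; "any" is not a wildcard.
    return "last-resort-" + rule_ssid

def make_backend(users, reachable=True):
    """Hypothetical stand-in for the local database or a RADIUS server group.
    Returns PASS or FAIL, or None when the method does not respond."""
    def lookup(username):
        if not reachable:
            return None
        return PASS if username in users else FAIL
    return lookup

def authenticate(rule_ssid, methods):
    """methods: ordered (name, lookup) pairs, in command order.
    Any name other than "local" is treated as a RADIUS server group.
    Returns (access_granted, name_of_deciding_method)."""
    username = last_resort_username(rule_ssid)
    for index, (name, lookup) in enumerate(methods):
        result = lookup(username)
        if result is None:
            continue  # no response: MSS tries the next method
        local_first = index == 0 and name == "local" and len(methods) > 1
        if result == FAIL and local_first:
            continue  # failed local search is overridden; ask the server group
        return result == PASS, name  # pass or fail from a responder is final
    return False, None  # assumption: deny when no method gives a final answer

if __name__ == "__main__":
    # Constructed sample data: "radius-grp" is a made-up server group name.
    local_db = make_backend({"last-resort-mycorp"})
    radius = make_backend({"last-resort-any"})
    print(authenticate("mycorp", [("local", local_db)]))
    print(authenticate("any", [("local", local_db), ("radius-grp", radius)]))
    print(authenticate("mycorp", [("radius-grp", radius), ("local", local_db)]))
```

When auditing a configuration, the point to check is which database holds a last-resort-<ssid> user, because any client that falls through to the rule for that SSID is granted access under that name.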

3Com 3CRWX440095A, 3CRWX120695A manual AAA Commands