Configuring and Managing Access Rules for Network Users 287

The username or MAC address can be an exact match or can match a user glob or MAC address glob, which allow wildcards to be used for all or part of the username or MAC address. (For more information about globs, see “Using User Globs and MAC Address Globs” on page 281.)

Authentication Types

MSS provides the following types of authentication:

• IEEE 802.1X — If the network user’s network interface card (NIC) supports 802.1X, MSS checks for an 802.1X authentication rule that matches the username (and SSID, if wireless access is requested), and that uses the Extensible Authentication Protocol (EAP) requested by the NIC. If a matching rule is found, MSS uses the requested EAP to check the RADIUS server group or local database for the username and password entered by the user. If matching information is found, MSS grants access to the user.

• MAC — If the username does not match an 802.1X authentication rule, but the MAC address of the user’s NIC or Voice-over-IP (VoIP) phone and the SSID (if wireless) do match a MAC authentication rule, MSS checks the RADIUS server group or local database for matching user information. If the MAC address (and password, if on a RADIUS server) matches, MSS grants access. Otherwise, MSS attempts the fallthru authentication type, which can be Web, last-resort, or none. (Fallthru authentication is described in more detail in “Authentication Algorithm” on page 288.)

• Web — A network user attempts to access a web page over the network. The WX switch intercepts the HTTP or HTTPS request and serves a login Web page to the user. The user enters the username and password, and MSS checks the RADIUS server group or local database for matching user information. If the username and password match, MSS redirects the user to the web page she requested. Otherwise, MSS denies access to the user.

• Last-resort — A network user requests access to the network, without entering a username or password. MSS checks for a last-resort authentication rule for the requested SSID (or for wired, if the user is on a wired authentication port). If a matching rule is found, MSS checks the RADIUS server group or local database for username last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the user information is on a RADIUS server, MSS also checks for an authorization password (3Com by default).
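The selection order described in the list above, as an added Python model (not code from this manual or from MSS) that lets an administrator see what an unknown device ends up with under each fallthru setting. The Rule class, the decide() function and the sample data are hypothetical, fnmatch stands in for MSS user and MAC address globs, and the database is a simplified local one with no RADIUS authorization password. Attempting fallthru when no rule matches at all, and treating a failed 802.1X lookup as a denial, are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical model, not MSS rule syntax
    kind: str                    # "dot1x", "mac" or "last-resort"
    ssid: Optional[str]          # None = wired authentication port
    glob: str = "*"              # user glob or MAC address glob
    eap: Optional[str] = None    # EAP type, 802.1X rules only

def last_resort_user(ssid):
    # Username looked up for last-resort access, as named in the text above.
    return "last-resort-wired" if ssid is None else f"last-resort-{ssid}"

def decide(rules, db, ssid, username=None, password=None, mac=None,
           eap=None, fallthru="none"):
    """Return (auth_type, identity) when access is granted, else ("denied", None)."""
    def matches(kind, value, want_eap=None):
        return any(r.kind == kind and r.ssid == ssid and r.eap == want_eap
                   and fnmatchcase(value, r.glob) for r in rules)
    # Credentials count only when both parts are present and match the database.
    creds_ok = bool(username and password) and db.get(username) == password

    if username and eap and matches("dot1x", username, eap):
        # Assumption: a failed 802.1X lookup is a denial, not a fallthru.
        return ("dot1x", username) if creds_ok else ("denied", None)
    if mac and matches("mac", mac.lower()) and mac.lower() in db:
        return ("mac", mac.lower())
    # No 802.1X rule matched and MAC authentication did not succeed.
    if fallthru == "web" and creds_ok:
        return ("web", username)
    if fallthru == "last-resort":
        user = last_resort_user(ssid)
        if matches("last-resort", user) and user in db:
            return ("last-resort", user)
    return ("denied", None)

# Constructed sample data: local database (identity -> password) and rules.
DB = {"alice": "s3cret", "00:11:22:aa:bb:cc": None, "last-resort-guest": None}
RULES = [Rule("dot1x", "corp", "*", "peap"),
         Rule("mac", "guest", "00:11:22:*"),
         Rule("last-resort", "guest")]

if __name__ == "__main__":
    unknown = "00:11:22:de:ad:01"   # matches the MAC glob, absent from DB
    for ft in ("none", "web", "last-resort"):
        print(ft, decide(RULES, DB, "guest", mac=unknown, fallthru=ft))
```

With fallthru set to last-resort, the unknown device is admitted as last-resort-guest without presenting any credential, so the fallthru type determines how much an SSID's MAC rules actually restrict.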

HP Manager Software manual Authentication Types, MSS provides the following types of authentication