402 Configuring AAA for Network Users

Authentication

When a user attempts to access the network, WSS Software checks for an authentication rule that matches the following parameters:

For wireless access, the authentication rule must match the SSID the user is requesting, and the user’s username or MAC address.

For access on a wired authentication port, the authentication rule must match the user’s username or MAC address.

If a matching rule is found, WSS Software then checks RADIUS servers or the switch’s local user database for credentials that match those presented by the user. Depending on the type of authentication rule that matches the SSID or wired authentication port, the required credentials are the username or MAC address, and in some cases, a password.

Each authentication rule specifies where the user credentials are stored. The location can be a group of RADIUS servers or the switch’s local database. In either case, if WSS Software has an authentication rule that matches on the required parameters, WSS Software checks the username or MAC address of the user and, if required, the password to make sure they match the information configured on the RADIUS servers or in the local database.

The username or MAC address can be an exact match, or it can match a user wildcard or MAC address wildcard, which allow wildcards to be used for all or part of the username or MAC address. (For more information about wildcards, see “AAA Tools for Network Users” on page 410.)

Authentication Types

WSS Software provides the following types of authentication:

IEEE 802.1X—If the network user’s network interface card (NIC) supports 802.1X, WSS Software checks for an 802.1X authentication rule that matches the username (and SSID, if wireless access is requested), and that uses the Extensible Authentication Protocol (EAP) requested by the NIC. If a matching rule is found, WSS Software uses the requested EAP to check the RADIUS server group or local database for the username and password entered by the user. If matching information is found, WSS Software grants access to the user.

MAC—If the username does not match an 802.1X authentication rule, but the MAC address of the user’s NIC or Voice-over-IP (VoIP) phone and the SSID (if wireless) do match a MAC authentication rule, WSS Software checks the RADIUS server group or local database for matching user information. If the MAC address (and password, if on a RADIUS server) matches, WSS Software grants access. Otherwise, WSS Software attempts the fallthru authentication type, which can be Web, last-resort, or none. (Fallthru authentication is described in more detail in “Authentication Algorithm” on page 403.)

Web—A network user attempts to access a web page over the network. The WSS switch intercepts the HTTP or HTTPS request and serves a login Web page to the user. The user enters the username and password, and WSS Software checks the RADIUS server group or local database for matching user information. If the username and password match, WSS Software redirects the user to the web page she requested. Otherwise, WSS Software denies access to the user.

Last-resort—A network user requests access to the network without entering a username or password. WSS Software checks for a last-resort authentication rule for the requested SSID (or for wired, if the user is on a wired authentication port). If a matching rule is found, WSS Software checks the RADIUS server group or local database for the username last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the user information is on a RADIUS server, WSS Software also checks for a password.
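To make the rule-matching and fallthru sequence above concrete, here is an added Python model of the decision logic (example code written for this page; it is not part of the Nortel manual and not WSS Software code). It assumes glob-style wildcards ("*", "?") for user and MAC address wildcards, which is only a stand-in for the WSS wildcard syntax described on page 410; it omits EAP-type matching for 802.1X rules and the RADIUS password exchange for last-resort users; and it treats a matched 802.1X rule whose credentials are rejected as a denial rather than a fall-through, which this page does not state. The credential stores, rules and MAC addresses are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

@dataclass
class AuthRule:
    kind: str                 # "dot1x", "mac", "web" or "last-resort"
    ssid: Optional[str]       # None = wired authentication port
    match: str                # user wildcard or MAC address wildcard (glob syntax: assumption)
    store: str                # "local" or a RADIUS server group name
    fallthru: str = "none"    # MAC rules only: "web", "last-resort" or "none"

@dataclass
class Request:
    mac: str
    ssid: Optional[str]       # None = wired authentication port
    username: Optional[str] = None
    password: Optional[str] = None
    supports_8021x: bool = False

# Constructed credential stores: name -> password. None means no password is
# required, which is how a MAC user in the local database is modelled here.
STORES = {
    "local": {"aa:bb:cc:dd:ee:01": None, "last-resort-guest": None},
    "radius-corp": {"alice@example.com": "s3cret", "aa:bb:cc:dd:ee:02": "macpass"},
}

# Constructed rule set: one SSID backed by RADIUS, a guest SSID that falls
# through to last-resort, and a wired authentication port that falls through to Web.
CONSTRUCTED_RULES = [
    AuthRule("dot1x", "corp", "*@example.com", "radius-corp"),
    AuthRule("mac", "corp", "aa:bb:cc:dd:ee:*", "radius-corp", fallthru="none"),
    AuthRule("mac", "guest", "*", "local", fallthru="last-resort"),
    AuthRule("last-resort", "guest", "*", "local"),
    AuthRule("mac", None, "*", "local", fallthru="web"),
    AuthRule("web", None, "*", "local"),
]

def credentials_match(store: str, name: str, password: Optional[str]) -> bool:
    """True if name exists in the store and its password (if one is set) matches."""
    entries = STORES.get(store, {})
    if name not in entries:
        return False
    return entries[name] is None or entries[name] == password

def find_rule(rules, kind: str, req: Request, key: str) -> Optional[AuthRule]:
    """First rule of this kind for the request's SSID (or wired) whose wildcard matches key."""
    for rule in rules:
        if rule.kind == kind and rule.ssid == req.ssid and fnmatchcase(key, rule.match):
            return rule
    return None

def last_resort(rules, req: Request) -> Tuple[str, str]:
    # Last-resort rules are keyed by SSID (or wired) only; the user supplies no
    # name, so the lookup name is last-resort-<ssid> or last-resort-wired.
    rule = find_rule(rules, "last-resort", req, "")
    name = "last-resort-wired" if req.ssid is None else f"last-resort-{req.ssid}"
    if rule and name in STORES.get(rule.store, {}):
        return "allow", f"last-resort user {name} found in {rule.store}"
    return "deny", "no usable last-resort rule"

def fallthru(rules, method: str, req: Request) -> Tuple[str, str]:
    """Apply the MAC rule's fallthru type after MAC authentication fails."""
    if method == "last-resort":
        return last_resort(rules, req)
    if method == "web":
        rule = find_rule(rules, "web", req, req.username or "")
        if rule:
            return "web-login", f"intercept HTTP(S), serve login page, check credentials in {rule.store}"
    return "deny", f"MAC authentication failed and fallthru '{method}' granted nothing"

def authenticate(rules, req: Request) -> Tuple[str, str]:
    """Walk the authentication types in the manual's order: 802.1X, then MAC, then fallthru."""
    if req.supports_8021x and req.username:
        rule = find_rule(rules, "dot1x", req, req.username)
        if rule:
            if credentials_match(rule.store, req.username, req.password):
                return "allow", f"802.1X user {req.username} authenticated via {rule.store}"
            # Assumption: a matched 802.1X rule with rejected credentials is a denial.
            return "deny", "802.1X credentials rejected"
    rule = find_rule(rules, "mac", req, req.mac)
    if rule:
        if credentials_match(rule.store, req.mac, req.password):
            return "allow", f"MAC {req.mac} authenticated via {rule.store}"
        return fallthru(rules, rule.fallthru, req)
    return "deny", "no authentication rule matches this SSID/user/MAC"

if __name__ == "__main__":
    for req in (Request("aa:bb:cc:dd:ee:02", "corp", "alice@example.com", "s3cret", True),
                Request("aa:bb:cc:dd:ee:99", "corp"),
                Request("aa:bb:cc:dd:ee:99", "guest"),
                Request("aa:bb:cc:dd:ee:99", None)):
        print(req.ssid or "wired", req.mac, "->", authenticate(CONSTRUCTED_RULES, req))
```

Reading the decisions side by side shows why the fallthru setting on a MAC rule deserves review: an unknown MAC on the guest SSID ends up allowed through the last-resort user, while the same MAC on the corp SSID is denied because its rule falls through to none.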

320657-A

Nortel Networks 2300 manual, “Authentication Types”