422 Configuring AAA for Network Users

WSS Software refuses to authenticate the user and does not allow the user onto the network from the unauthenticated machine.

Note. If the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter is applicable, the user must log in before the 802.1X reauthentication timeout or the RADIUS session-timeout for the machine’s session expires. Normally, these parameters apply only to clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN.

Authentication Rule Requirements

Bonded Authentication requires an 802.1X authentication rule for the machine itself, and a separate 802.1X authentication rule for the user(s). Use the bonded option in the user authentication rule, but not in the machine authentication rule.

The authentication rule for the machine must be higher up in the list of authentication rules than the authentication rule for the user.

You must use 802.1X authentication rules. The 802.1X authentication rule for the machine must use pass-through as the protocol. Nortel recommends that you also use pass-through for the user’s authentication rule.

The rule for the machine and the rule for the user must use a RADIUS server group as the method. (Generally, in a Bonded Authentication configuration, the RADIUS servers will use a user database stored on an Active Directory server.)

(For a configuration example, see “Bonded Authentication Configuration Example” on page 423.)

Nortel recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userwildcards match on all machine names and users in the domain:

host/*.mycorp.com (userwildcard for the machine authentication rule)

*.mycorp.com (userwildcard for the user authentication rule)

If the domain name has more nodes (for example, nl.mycorp.com), use an asterisk in each node that you want to match globally. For example, to match on all machines and users in mycorp.com, use the following userwildcards:

host/*.*.mycorp.com (userwildcard for the machine authentication rule)

*.*.mycorp.com (userwildcard for the user authentication rule)

Use more specific rules to direct machines and users to different server groups. For example, to direct users in nl.mycorp.com to a different server group than users in de.mycorp.com, use the following userwildcards:

host/*.nl.mycorp.com (userwildcard for the machine authentication rule)

*.nl.mycorp.com (userwildcard for the user authentication rule)

host/*.de.mycorp.com (userwildcard for the machine authentication rule)

*.de.mycorp.com (userwildcard for the user authentication rule)
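The two requirements above (rules are evaluated top-down, and the machine rule must sit above the user rule) interact with the userwildcard syntax in a way that is easy to get wrong: a user wildcard such as *.nl.mycorp.com also matches a machine name such as host/laptop7.nl.mycorp.com, so if the user rule comes first, the machine is sent through the bonded user rule instead of its own rule. The following model, added here as an illustration and not code from WSS Software or from Nortel, treats each asterisk as matching exactly one DNS node (as the manual's "one asterisk per node" guidance implies), picks the first matching rule in list order, and checks the ordering and bonded-option requirements. The rule list, the server-group names (radius-nl, radius-de, radius-any) and the host names are constructed for the example; the pairing of a bonded user rule with the machine rule "host/" + the same wildcard is a simplifying assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of an ordered 802.1X rule list. This is NOT WSS Software
# code; it only illustrates the matching and ordering behaviour the manual
# describes for Bonded Authentication.


@dataclass(frozen=True)
class Dot1xRule:
    userwildcard: str   # e.g. "host/*.mycorp.com" (machine) or "*.mycorp.com" (user)
    bonded: bool        # the bonded option belongs on the user rule only
    protocol: str       # "pass-through" is required for the machine rule
    server_group: str   # RADIUS server group used as the method (assumed names)


def wildcard_to_regex(wildcard: str) -> re.Pattern:
    """Each '*' matches characters within one DNS node only (no dots), which is
    why the manual says to use one asterisk per node you want to match."""
    pieces = [p for p in re.split(r"(\*)", wildcard) if p]
    pattern = "".join(r"[^.]*" if p == "*" else re.escape(p) for p in pieces)
    return re.compile("^" + pattern + "$")


def first_match(rules: List[Dot1xRule], name: str) -> Optional[Dot1xRule]:
    """Rules are evaluated top-down; the first rule whose userwildcard matches
    the presented name decides protocol and server group."""
    for rule in rules:
        if wildcard_to_regex(rule.userwildcard).match(name):
            return rule
    return None


def check_bonded_ordering(rules: List[Dot1xRule]) -> List[str]:
    """Return the requirement violations found in the rule list:
    - a machine rule (host/...) must use pass-through and must not be bonded;
    - every bonded user rule needs a non-bonded machine rule for the same
      wildcard ("host/" + wildcard, an assumption of this model) above it."""
    problems = []
    for index, rule in enumerate(rules):
        is_machine_rule = rule.userwildcard.startswith("host/")
        if is_machine_rule and rule.protocol != "pass-through":
            problems.append(f"machine rule {rule.userwildcard} must use pass-through")
        if is_machine_rule and rule.bonded:
            problems.append(f"bonded option must not be set on machine rule {rule.userwildcard}")
        if not rule.bonded or is_machine_rule:
            continue
        expected = "host/" + rule.userwildcard
        above = [r for r in rules[:index] if r.userwildcard == expected and not r.bonded]
        if not above:
            problems.append(
                f"user rule {rule.userwildcard} needs machine rule {expected} above it")
    return problems


# Constructed rule list in the order the manual recommends: specific
# subdomains first, each machine rule directly above its user rule, and a
# catch-all pair for the rest of mycorp.com at the bottom.
RULES = [
    Dot1xRule("host/*.nl.mycorp.com", False, "pass-through", "radius-nl"),
    Dot1xRule("*.nl.mycorp.com", True, "pass-through", "radius-nl"),
    Dot1xRule("host/*.de.mycorp.com", False, "pass-through", "radius-de"),
    Dot1xRule("*.de.mycorp.com", True, "pass-through", "radius-de"),
    Dot1xRule("host/*.*.mycorp.com", False, "pass-through", "radius-any"),
    Dot1xRule("*.*.mycorp.com", True, "pass-through", "radius-any"),
]

# The same nl pair with the user rule placed above the machine rule.
MISORDERED = [RULES[1], RULES[0]]


if __name__ == "__main__":
    for name in ("host/laptop7.nl.mycorp.com", "bob.de.mycorp.com", "pc3.fr.mycorp.com"):
        hit = first_match(RULES, name)
        print(f"{name:30} -> {hit.userwildcard:22} bonded={hit.bonded} group={hit.server_group}")
    wrong = first_match(MISORDERED, "host/laptop7.nl.mycorp.com")
    print("misordered: machine name hits", wrong.userwildcard, "bonded =", wrong.bonded)
    print("ordering problems:", check_bonded_ordering(MISORDERED))
```

Running the script shows the machine name host/laptop7.nl.mycorp.com landing on the bonded user rule when the order is reversed, which is the failure the "higher up in the list" requirement prevents; check_bonded_ordering reports that misordering as a problem while the correctly ordered list passes cleanly.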

320657-A
