Nortel Networks NN47250-500 AAA tools for network users

Configuring AAA for network users 549

Nortel WLAN—Security Switch 2300 Series Configuration Guide

Depending on your network configuration, you can configure authentication, authorization, and accounting (AAA) for

network users to be performed locally on the WSS or remotely on a RADIUS server. The number of users that the local

WSS database can support depends on your platform.

AAA for network users controls and monitors their use of the network:

•Classification for customized access. As with administrative and console users, you can classify network users

through username wildcards. Based on the structured username, different AAA treatments can be given to different

classes of user. For example, users in the human resources department can be authenticated differently from users in

the sales department.

•Authentication for full or limited access. IEEE 802.1X network users are authenticated when they identify

themselves with a credential. Authentication can be passed through to RADIUS, performed locally on the WSS, or

only partially “offloaded” to the switch. Network users without 802.1X support can be authenticated by the MAC

addresses of their devices. If neither 802.1X nor MAC authentication apply to the user, they can still be

authenticated by a fallthru authentication type, either Web-based AAA or last-resort authentication. The default

fallthru type is None, which denies access to users who do not match an 802.1X or MAC authentication rule.

•Authorization for access control. Authorization provides access control by means of such mechanisms as per-user

security access control lists (ACLs), VLAN membership, Mobility Domain assignment, and timeout enforcement.

Because authorization is always performed on network access users so they can use a particular VLAN, the WSS

automatically uses the same AAA method (RADIUS server group or local database) for authorization that you

define for a user’s authentication.

•Local authorization control. You can override any AAA assignment of VLAN or security ACL for individual

network users on a particular WSS by configuring the location policy on the WSS.

•SSID default authorization attributes. You can configure service profiles with a set of default AAA authorization

attributes that are used when the normal AAA process or a location policy does not provide them.

•Accounting for tracking users and resources. Accounting collects and sends information used for billing,

auditing, and reporting—for example, user identities, connection start and stop times, the number of packets

received and sent, and the number of bytes transferred. You can track sessions through accounting information

stored locally or on a remote RADIUS server. As network users roam throughout a Mobility Domain, accounting

records track them and their network usage.

AAA tools for network users

Authentication verifies network user identity and is required before a network user is granted access to the network. A

WSS authenticates user identity by username-password matching, digital signatures and certificates, or other methods

(for example, by MAC address).

You must decide whether to authenticate network users locally on the WSS, remotely via one or more external RADIUS

server groups, or both locally and remotely. (For server group details, see “Configuring RADIUS server groups” on

page 639.)