3com WX2200 3CRWX220095A User Manual

CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
Configuring Authentication and Authorization by MAC Address
You must sometimes authenticate users based on the MAC addresses of 
their devices rather than a username-password or certificate. For 
example, some Voice-over-IP (VoIP) phones and personal digital assistants 
(PDAs) do not support 802.1X authentication. If a client does not support 
802.1X, MSS attempts to perform MAC authentication for the client 
instead. The WX switch can discover the MAC address of the device from 
received frames and can use the MAC address in place of a username for 
the client. 
Users authorized by MAC address require a MAC authorization password 
if RADIUS authentication is desired. By default, MSS assumes that the 
MAC address for a MAC user is also the password. 
CAUTION: Use this method with care. Because IEEE 802.11 frames can be 
forged, employing MAC authentication can result in unauthorized network 
access.
Adding and Clearing MAC Users and User Groups Locally
MAC users and groups can gain network access only through the WX 
switch. They cannot create administrative connections to the WX switch. 
A MAC user is created in a similar fashion to other local users except for 
having a MAC address instead of a username. MAC user groups are 
created in a similar fashion to other local user groups. 
(To create a MAC user profile or MAC user group on a RADIUS server, see 
the documentation for your RADIUS server.)
Adding MAC Users and Groups
To create a MAC user group in the local WX database, you must 
associate it with an authorization attribute and value. Use the following 
command:
set mac-usergroup group-name attr attribute-name value
For example, to create a MAC user group called mac-easters with a 
3000-second Session-Timeout value, type the following command:
WX1200# set mac-usergroup mac-easters attr session-timeout 3000
success: change accepted.
To configure a MAC user in the local database and optionally add the 
user to a group, use the following command:
set mac-user mac-addr [group group-name]
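The following Python helper is an added example, not part of the 3Com manual. It turns a device inventory into the two commands above, normalizing each MAC address and rejecting group (multicast or broadcast) addresses and duplicates before anything is entered in the local database. The colon-separated MAC format passed to set mac-user, the function names, and the sample inventory are assumptions.

```python
import re

# Accepts 6 hex octets separated by ':' or '-' (inventory exports vary).
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated octets, or raise ValueError."""
    raw = raw.strip()
    if not _MAC_RE.match(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    octets = re.split(r"[:-]", raw.lower())
    if int(octets[0], 16) & 0x01:
        # I/G bit set: a group address, never a client's own source MAC.
        raise ValueError(f"group address cannot identify a client: {raw!r}")
    return ":".join(octets)


def build_commands(group, timeout_s, inventory):
    """Return (commands, rejected) for an iterable of (label, raw_mac) pairs."""
    # Assumption: set mac-user takes the address as colon-separated octets.
    commands = [f"set mac-usergroup {group} attr session-timeout {timeout_s}"]
    rejected, seen = [], {}
    for label, raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((label, str(exc)))
            continue
        if mac in seen:
            # Two inventory rows with one MAC would silently share one profile.
            rejected.append((label, f"duplicate of {seen[mac]}"))
            continue
        seen[mac] = label
        commands.append(f"set mac-user {mac} group {group}")
    return commands, rejected


# Constructed sample inventory (not from the manual).
SAMPLE = [
    ("voip-phone-1", "00-0F-03-04-05-06"),
    ("pda-7", "00:0f:03:0a:0b:0c"),
    ("voip-phone-1-dup", "00:0F:03:04:05:06"),
    ("bad-export", "000f.0304.0507"),
    ("broadcast", "ff:ff:ff:ff:ff:ff"),
]

if __name__ == "__main__":
    cmds, bad = build_commands("mac-easters", 3000, SAMPLE)
    print("\n".join(cmds + [f"# skipped {l}: {r}" for l, r in bad]))
```

Review the rejected list before pasting the generated commands into the WX CLI.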