3com WX1200 3CRWX120695A Manuel D’Utilisation
About AAA for Network Users
435
SSID—If 802.1X or MAC authentication do not apply to the SSID (no
802.1X or MAC access rules are configured for the SSID), the default
authorization attributes set on the SSID are applied to the user and
the user is allowed onto the network.
802.1X or MAC access rules are configured for the SSID), the default
authorization attributes set on the SSID are applied to the user and
the user is allowed onto the network.
Wired authentication port—If 802.1X or MAC authentication do
not apply to the port (no 802.1X or MAC access rules have the wired
option set), MSS checks for user last-resort-wired. If this user is
configured, the authorization attributes set for the user are applied to
the user who is on the wired authentication port and the user is
allowed onto the network.
not apply to the port (no 802.1X or MAC access rules have the wired
option set), MSS checks for user last-resort-wired. If this user is
configured, the authorization attributes set for the user are applied to
the user who is on the wired authentication port and the user is
allowed onto the network.
Authentication Algorithm
MSS can try more than one of the authentication types described in
“Authentication Types” to authenticate a user. MSS tries 802.1X first. If
the user NIC supports 802.1X but fails authentication, MSS denies access.
Otherwise, MSS tries MAC authentication next. If MAC authentication is
successful, MSS grants access to the user. Otherwise, MSS tries the
fallthru authentication type specified for the SSID or wired authentication
port. The fallthru authentication type can be one of the following:
“Authentication Types” to authenticate a user. MSS tries 802.1X first. If
the user NIC supports 802.1X but fails authentication, MSS denies access.
Otherwise, MSS tries MAC authentication next. If MAC authentication is
successful, MSS grants access to the user. Otherwise, MSS tries the
fallthru authentication type specified for the SSID or wired authentication
port. The fallthru authentication type can be one of the following:
Web
Last-resort
None
Web and last-resort are described in “Authentication Types”. None
means the user is automatically denied access. The fallthru authentication
type for wireless access is associated with the SSID (through a service
profile). The fallthru authentication type for wired authentication access is
specified with the wired authentication port. (For information about
service profiles, see “Service Profiles” on page 202. For information
about wired authentication port configuration, see “Setting a Port for a
Wired Authentication User” on page 75.)
means the user is automatically denied access. The fallthru authentication
type for wireless access is associated with the SSID (through a service
profile). The fallthru authentication type for wired authentication access is
specified with the wired authentication port. (For information about
service profiles, see “Service Profiles” on page 202. For information
about wired authentication port configuration, see “Setting a Port for a
Wired Authentication User” on page 75.)
The fallthru authentication type None is different from the authentication
method none you can specify for administrative access. The fallthru
authentication type None denies access to a network user. In contrast,
the authentication method none allows access to the WX switch by an
administrator. (See “Configuring AAA for Administrative and Local
Access” on page 51.)
method none you can specify for administrative access. The fallthru
authentication type None denies access to a network user. In contrast,
the authentication method none allows access to the WX switch by an
administrator. (See “Configuring AAA for Administrative and Local
Access” on page 51.)
Figure 30 shows how MSS tries the authentication types. (The
authentication process is similar for access through a wired authentication
port, except last-resort access requires a last-resort-wired user.)
authentication process is similar for access through a wired authentication
port, except last-resort access requires a last-resort-wired user.)