3Com WX1200 3CRWX120695A User Manual

CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS

Authentication Rule Requirements
Bonded authentication requires an 802.1X authentication rule for the 
machine itself, and a separate 802.1X authentication rule for the user(s). 
Use the bonded option in the user authentication rule, but not in the 
machine authentication rule. 
The authentication rule for the machine must be higher up in the list of 
authentication rules than the authentication rule for the user. 
You must use 802.1X authentication rules. The 802.1X authentication 
rule for the machine must use pass-through as the protocol. 3Com 
recommends that you also use pass-through for the user authentication 
rule. 
The rule for the machine and the rule for the user must use a RADIUS 
server group as the method. (Generally, in a bonded authentication 
configuration, the RADIUS servers will use a user database stored on an 
Active Directory server.)
3Com recommends that you make the rules as general as possible. For 
example, if the Active Directory domain is mycorp.com, the following 
userglobs match on all machine names and users in the domain:
- host/*.mycorp.com (userglob for the machine authentication rule)
- *.mycorp.com (userglob for the user authentication rule)
If the domain name has more nodes (for example, nl.mycorp.com), use 
an asterisk in each node that you want to match globally. For example, to 
match on all machines and users in mycorp.com, use the following 
userglobs:
- host/*.*.mycorp.com (userglob for the machine authentication rule)
- *.*.mycorp.com (userglob for the user authentication rule)
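
The following Python sketch is an added example, not code from the 3Com manual or the switch software. It models how the userglobs above select a rule, to check a rule list before deploying it. It assumes that an asterisk matches within a single node only (it stops at "." and "@") and that the first matching rule in the list is used; the rule names and sample identities are constructed.

```python
import re

# Assumption: "*" matches any run of characters inside one node,
# so it never crosses the "." or "@" delimiters.
def glob_to_regex(userglob):
    literals = [re.escape(part) for part in userglob.split("*")]
    return re.compile("[^.@]*".join(literals) + r"\Z")

# Assumption: rules are evaluated top to bottom and the first match wins.
def first_match(rules, identity):
    """Return the name of the first rule whose userglob matches, else None."""
    for name, userglob in rules:
        if glob_to_regex(userglob).match(identity):
            return name
    return None

# Constructed rule lists using the userglobs from the text.
ONE_NODE = [
    ("machine", "host/*.mycorp.com"),
    ("user-bonded", "*.mycorp.com"),
]
TWO_NODE = [
    ("machine", "host/*.*.mycorp.com"),
    ("user-bonded", "*.*.mycorp.com"),
]
# Same globs as ONE_NODE with the user rule placed first.
ONE_NODE_REVERSED = list(reversed(ONE_NODE))

if __name__ == "__main__":
    samples = [  # constructed identities
        (ONE_NODE, "host/pc1.mycorp.com"),
        (ONE_NODE, "jdoe.mycorp.com"),
        (ONE_NODE, "host/pc1.nl.mycorp.com"),   # extra node: no rule matches
        (TWO_NODE, "host/pc1.nl.mycorp.com"),
        (TWO_NODE, "jdoe.de.mycorp.com"),
        (ONE_NODE_REVERSED, "host/pc1.mycorp.com"),  # user rule shadows machine rule
    ]
    for rules, identity in samples:
        print(f"{identity:28} -> {first_match(rules, identity)}")
```

Under these assumptions the machine name host/pc1.mycorp.com also satisfies the user userglob, so the position of the machine rule in the list decides which rule handles it.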
Use more specific rules to direct machines and users to different server 
groups. For example, to direct users in nl.mycorp.com to a different 
server group than users in de.mycorp.com, use the following userglobs: