3com WX1200 3CRWX120695A Manuel D’Utilisation
494
C
HAPTER
21: C
ONFIGURING
AAA
FOR
N
ETWORK
U
SERS
All of the authorization attributes listed in Table 40 on page 448 can be
specified in a service profile except ssid.
specified in a service profile except ssid.
Assigning a Security
ACL to a User or a
Group
Once a security access control list (ACL) is defined and committed, it can
be applied dynamically and automatically to users and user groups
through the 802.1X authentication and authorization process. When you
assign a Filter-Id attribute to a user or group, the security ACL name value
is entered as an authorization attribute into the user or group record in
the local WX database or RADIUS server.
be applied dynamically and automatically to users and user groups
through the 802.1X authentication and authorization process. When you
assign a Filter-Id attribute to a user or group, the security ACL name value
is entered as an authorization attribute into the user or group record in
the local WX database or RADIUS server.
If the Filter-Id value returned through the authentication and
authorization process does not match the name of a committed security
ACL in the WX, the user fails authorization and cannot be connected.
authorization process does not match the name of a committed security
ACL in the WX, the user fails authorization and cannot be connected.
(For details about security ACLs, see Chapter 19, “Configuring and
Managing Security ACLs,” on page 377.)
Managing Security ACLs,” on page 377.)
Assigning a Security ACL Locally
To use the local WX database to restrict a user, a MAC user, or a group of
users or MAC users to the permissions stored within a committed security
ACL, use the commands shown in Table 44.
users or MAC users to the permissions stored within a committed security
ACL, use the commands shown in Table 44.
Table 44 Commands for Assigning a Security ACL Locally
Security ACL Target Commands
User authenticated
by a password
by a password
set user username attr filter-id acl-name.in
set user username attr filter-id acl-name.out
Group of users
authenticated by a
password
authenticated by a
password
set usergroup groupname attr filter-id acl-name.in
set usergroup groupname attr filter-id acl-name.out
User authenticated
by a MAC address
by a MAC address
set mac-user username attr filter-id acl-name.in
set mac-user username attr filter-id acl-name.out
Group of users
authenticated by a
MAC address
authenticated by a
MAC address
set mac-usergroup groupname attr filter-id acl-name.in
set mac-usergroup groupname attr filter-id acl-name.out