Nortel 2350 User Guide

Configuring AAA for network users 549
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Web Portal:
enabled
set authentication admin Jose sg3
set authentication console * none
set authentication mac ssid mycorp * local
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
set accounting dot1x Nin ssid mycorp stop-only sg2
set accounting admin Natasha start-stop local
user Nin
Password = 082c6c64060b (encrypted)
Filter-Id = acl-999.in
Filter-Id = acl-999.out
mac-user 01:02:03:04:05:06
usergroup eastcoasters
   session-timeout = 99
For information about the fields in the output, see the Nortel WLAN Security Switch 2300 Series Command Line Reference.
Avoiding AAA problems in configuration order
Using the wildcard “Any” as the SSID name in authentication rules
You can configure an authentication rule to match on all SSID strings by using the SSID string any in the rule. For 
example, the following rule matches on all SSID strings requested by all users:
set authentication web ssid any ** sg1
WSS Software checks authentication rules in the order they appear in the configuration file. As a result, if a rule with 
SSID any appears in the configuration before a rule that matches on a specific SSID for the same authentication type and 
userglob, the rule with any always matches first. 
To ensure the authentication behavior that you expect, place the most specific rules first and place rules with SSID any 
last. For example, to ensure that users who request SSID corpa are authenticated using RADIUS server group corpasrvr,
place the following rule in the configuration before the rule with SSID any:
set authentication web ssid corpa ** corpasrvr
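The ordering rule above can be checked mechanically before a configuration is loaded. The following is an added example, not part of the Nortel guide or of WSS Software: a small Python check that flags specific-SSID rules placed after an SSID any rule with the same authentication type and userglob. The function names and sample configurations are constructed for illustration, and userglobs are compared as literal strings (overlap between different globs is not evaluated).

```python
import re

# Matches network-user rules of the form shown on this page:
#   set authentication <type> ssid <ssid> <userglob> <methods...>
RULE_RE = re.compile(
    r"^set authentication (?P<type>\S+) ssid (?P<ssid>\S+) (?P<glob>\S+)\s*(?P<methods>.*)$"
)

def parse_rules(config_text):
    """Return (line_no, type, ssid, userglob, methods) for each SSID-scoped rule."""
    rules = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = RULE_RE.match(line.strip())
        if m:  # admin/console rules have no "ssid" keyword and are skipped
            rules.append((line_no, m["type"], m["ssid"], m["glob"], m["methods"]))
    return rules

def find_shadowed(config_text):
    """Report specific-SSID rules that sit after an 'ssid any' rule with the
    same authentication type and userglob, so the 'any' rule matches first."""
    findings = []
    any_seen = {}  # (type, userglob) -> line number of first 'ssid any' rule
    for line_no, atype, ssid, glob, _ in parse_rules(config_text):
        key = (atype, glob)
        if ssid == "any":
            any_seen.setdefault(key, line_no)
        elif key in any_seen:
            findings.append((line_no, ssid, any_seen[key]))
    return findings

# Constructed sample configurations built from the rules quoted on this page.
BAD_ORDER = """\
set authentication web ssid any ** sg1
set authentication web ssid corpa ** corpasrvr
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3
"""
GOOD_ORDER = """\
set authentication web ssid corpa ** corpasrvr
set authentication web ssid any ** sg1
set authentication console * none
"""

if __name__ == "__main__":
    for line_no, ssid, any_line in find_shadowed(BAD_ORDER):
        print(f"line {line_no}: ssid {ssid} rule is shadowed by 'ssid any' on line {any_line}")
```
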
Here is an example of an AAA configuration where the most-specific rules for 802.1X are first and the rules with any are
last:
WSS# show aaa
...
set authentication dot1x ssid mycorp Geetha eap-tls
set authentication dot1x ssid mycorp * peap-mschapv2 sg1 sg2 sg3