Adding mac users and groups – 3Com WX4400 3CRWX440095A User Manual

Page 456

CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS

Configuring Authentication and Authorization by MAC Address

You must sometimes authenticate users based on the MAC addresses of
their devices rather than a username and password or a certificate. For
example, some Voice-over-IP (VoIP) phones and personal digital assistants
(PDAs) do not support 802.1X authentication. If a client does not support
802.1X, MSS attempts to perform MAC authentication for the client
instead. The WX switch can discover the MAC address of the device from
received frames and can use the MAC address in place of a username for
the client.

Users authorized by MAC address require a MAC authorization password
if RADIUS authentication is desired. By default, MSS assumes that the
MAC address for a MAC user is also the password.

CAUTION: Use this method with care. IEEE 802.11 frames can be forged,
so employing MAC authentication can result in unauthorized network
access.

Adding and Clearing MAC Users and User Groups Locally

MAC users and groups can gain network access only through the WX
switch. They cannot create administrative connections to the WX switch.
A MAC user is created in a similar fashion to other local users except for
having a MAC address instead of a username. MAC user groups are
created in a similar fashion to other local user groups.

(To create a MAC user profile or MAC user group on a RADIUS server, see
the documentation for your RADIUS server.)

Adding MAC Users and Groups

To create a MAC user group in the local WX database, you must
associate it with an authorization attribute and value. Use the following
command:

set mac-usergroup group-name attr attribute-name value

For example, to create a MAC user group called mac-easters with a
3000-second Session-Timeout value, type the following command:

WX1200# set mac-usergroup mac-easters attr session-timeout 3000
success: change accepted.

To configure a MAC user in the local database and optionally add the
user to a group, use the following command:

set mac-user mac-addr [group group-name]
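
The following Python example is added here and is not part of the 3Com manual: it renders the two commands above from a device inventory and refuses malformed, duplicate, multicast and locally administered addresses before they reach the local MAC user database. The inventory, the function names and the colon-separated MAC format passed to set mac-user are assumptions.

```python
import re

# Constructed sample inventory (not from the manual): device MAC -> MAC user group.
INVENTORY = [
    ("00-0F-03-04-05-06", "mac-easters"),
    ("000f.0304.0507", "mac-easters"),
    ("00:0f:03:04:05:06", "mac-easters"),   # duplicate of the first entry
    ("01:00:5e:00:00:fb", "mac-easters"),   # multicast address, never a client
    ("02:1a:2b:3c:4d:5e", "mac-easters"),   # locally administered (often randomized)
    ("00:0f:03:04:zz:06", "mac-easters"),   # malformed
]

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex (assumed format), or raise ValueError."""
    digits = re.sub(r"[-:.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address")
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:   # group bit set: multicast or broadcast
        raise ValueError("multicast/broadcast address")
    if first_octet & 0x02:   # local bit set: not a vendor-assigned address
        raise ValueError("locally administered address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def render_commands(inventory, group_attrs):
    """Build CLI lines: groups first, then one set mac-user line per accepted device."""
    commands, rejected, seen = [], [], set()
    for group, (attr, value) in sorted(group_attrs.items()):
        commands.append(f"set mac-usergroup {group} attr {attr} {value}")
    for raw, group in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as err:
            rejected.append((raw, str(err)))
            continue
        if mac in seen:
            rejected.append((raw, "duplicate entry"))
            continue
        if group not in group_attrs:
            rejected.append((raw, f"unknown group {group}"))
            continue
        seen.add(mac)
        commands.append(f"set mac-user {mac} group {group}")
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = render_commands(INVENTORY, {"mac-easters": ("session-timeout", 3000)})
    print("\n".join(cmds))
    for raw, reason in bad:
        print(f"# rejected {raw}: {reason}")
```

Review the rejected entries by hand rather than discarding them; a locally administered address in a phone inventory usually indicates a data-entry error or a device that is not what the record claims.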