Configuring and Managing Access Rules for Network Users

User Credential Requirements

The user credentials that MSS checks for on RADIUS servers or in the local database differ depending on the type of authentication rule that matches on the SSID or wired access requested by the user.

■ For a user to be successfully authenticated by an 802.1X or Web AAA rule, the username and password entered by the user must be configured on the RADIUS servers used by the authentication rule or in the WX switch’s local database, if the local database is used by the rule.

■ For a user to be successfully authenticated based on the MAC address of the user’s device, the MAC address must be configured on the RADIUS servers used by the authentication rule or in the WX switch’s local database, if the local database is used by the rule. If the MAC address is configured in the local database, no password is required. However, since RADIUS requires a password, if the MAC address is on the RADIUS server, MSS checks for a password. By default, MSS uses a MAC user’s MAC address as the password too.

■ For a user to be successfully authenticated for last-resort access, the RADIUS servers or local database (whichever method is used by the last-resort authentication rule), must contain a user named last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the matching last-resort user is configured in the local database, no password is required. However, since RADIUS requires a password, if the matching last-resort user is on the RADIUS server, MSS checks for the authorization password (3Com by default).

  If the last-resort authentication rule matches on SSID any, which is a wildcard that matches on any SSID string, the RADIUS servers or local database must have user last-resort-any, exactly as spelled here.

Authorization

If the user is authenticated, MSS then checks the RADIUS server or local database (the same place MSS looked for user information to authenticate the user) for the authorization attributes assigned to the user. Authorization attributes specify the network resources the user can access.

The only required attribute is the Virtual LAN (VLAN) name on which to place the user. RADIUS and MSS have additional optional attributes. For example, you can provide further access controls by specifying the times
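
An added example, not taken from the manual: a Python check over a RADIUS user list that flags entries relying on the defaults described under User Credential Requirements (a MAC user whose password is its own MAC address, and a last-resort user still using the default authorization password). The FreeRADIUS-style users syntax, the sample entries, the function names and the MAC normalization are assumptions.

```python
import re

# Constructed sample in FreeRADIUS "users" file syntax (an assumption: the page
# names no RADIUS product). Every name and password below is made up.
SAMPLE_USERS = """\
alice              Cleartext-Password := "S7r0ng-example"
00:11:22:aa:bb:cc  Cleartext-Password := "00:11:22:aa:bb:cc"
00:11:22:aa:bb:dd  Cleartext-Password := "per-device-secret"
last-resort-guest  Cleartext-Password := "3Com"
last-resort-any    Cleartext-Password := "changed-example"
"""

ENTRY = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
MAC = re.compile(r"^[0-9a-f]{2}(?:[:-]?[0-9a-f]{2}){5}$", re.IGNORECASE)
DEFAULT_AUTHZ_PASSWORD = "3Com"  # default authorization password per the page


def last_resort_username(rule_ssid=None):
    """User name that must exist for last-resort access.

    rule_ssid is None for wired access, the SSID for a wireless rule, or
    "any" when the rule matches on the wildcard SSID.
    """
    return "last-resort-wired" if rule_ssid is None else f"last-resort-{rule_ssid}"


def normalize_mac(value):
    # Assumption: compare MACs ignoring separators and letter case.
    return re.sub(r"[:.-]", "", value).lower()


def audit(users_text):
    """Return (user, reason) for entries whose password is a known default."""
    findings = []
    for line in users_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue
        name, password = match.groups()
        if MAC.match(name) and normalize_mac(name) == normalize_mac(password):
            findings.append((name, "MAC user: password equals the MAC address"))
        elif name.startswith("last-resort-") and password == DEFAULT_AUTHZ_PASSWORD:
            findings.append((name, "last-resort user: default authorization password"))
    return findings


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_USERS):
        print(f"{user}: {reason}")
```

Entries it reports are accounts whose RADIUS password anyone can derive from the user name or from this default, so the authorization attributes attached to them deserve the tightest scope.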