402 Configuring AAA for Network Users
320657-A

Authentication

When a user attempts to access the network, WSS Software checks for an authentication rule that matches the following parameters:

• For wireless access, the authentication rule must match the SSID the user is requesting, and the user’s username or MAC address.
• For access on a wired authentication port, the authentication rule must match the user’s username or MAC address.

If a matching rule is found, WSS Software then checks RADIUS servers or the switch’s local user database for credentials that match those presented by the user. Depending on the type of authentication rule that matches the SSID or wired authentication port, the required credentials are the username or MAC address, and in some cases, a password.

Each authentication rule specifies where the user credentials are stored. The location can be a group of RADIUS servers or the switch’s local database. In either case, if WSS Software has an authentication rule that matches on the required parameters, WSS Software checks the username or MAC address of the user and, if required, the password to make sure they match the information configured on the RADIUS servers or in the local database.

The username or MAC address can be an exact match or can match a userwildcard or MAC address wildcard, which allow wildcards to be used for all or part of the username or MAC address. (For more information about wildcards, see “AAA Tools for Network Users” on page 410.)

Authentication Types

WSS Software provides the following types of authentication:

• IEEE 802.1X—If the network user’s network interface card (NIC) supports 802.1X, WSS Software checks for an 802.1X authentication rule that matches the username (and SSID, if wireless access is requested), and that uses the Extensible Authentication Protocol (EAP) requested by the NIC. If a matching rule is found, WSS Software uses the requested EAP to check the RADIUS server group or local database for the username and password entered by the user. If matching information is found, WSS Software grants access to the user.
• MAC—If the username does not match an 802.1X authentication rule, but the MAC address of the user’s NIC or Voice-over-IP (VoIP) phone and the SSID (if wireless) do match a MAC authentication rule, WSS Software checks the RADIUS server group or local database for matching user information. If the MAC address (and password, if on a RADIUS server) matches, WSS Software grants access. Otherwise, WSS Software attempts the fallthru authentication type, which can be Web, last-resort, or none. (Fallthru authentication is described in more detail in “Authentication Algorithm” on page 403.)
• Web—A network user attempts to access a web page over the network. The WSS switch intercepts the HTTP or HTTPS request and serves a login Web page to the user. The user enters the username and password, and WSS Software checks the RADIUS server group or local database for matching user information. If the username and password match, WSS Software redirects the user to the web page she requested. Otherwise, WSS Software denies access to the user.
• Last-resort—A network user requests access to the network, without entering a username or password. WSS Software checks for a last-resort authentication rule for the requested SSID (or for wired, if the user is on a wired authentication port). If a matching rule is found, WSS Software checks the RADIUS server group or local database for username last-resort-wired (for wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. If the user information is on a RADIUS server, WSS Software also checks for a password.
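
The rule selection described above can be modelled for auditing which clients a rule set admits without credentials. This is an added example, not WSS Software code. The Rule class, the select_auth function, the '*' wildcard syntax, and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Rule:
    kind: str            # "dot1x", "mac" or "last-resort"
    ssid: Optional[str]  # SSID the rule covers; None models a wired authentication port
    pattern: str = "*"   # username or MAC wildcard ('*' syntax is an assumption)

def matches(rules, kind, ssid, identity="") -> bool:
    """True if a rule of this kind matches the SSID (or wired port) and identity."""
    return any(r.kind == kind and r.ssid == ssid
               and fnmatchcase(identity.lower(), r.pattern.lower()) for r in rules)

def last_resort_username(ssid: Optional[str]) -> str:
    """Account looked up for last-resort access, as named in the text."""
    return "last-resort-wired" if ssid is None else f"last-resort-{ssid}"

def select_auth(rules, ssid, mac, username=None, mac_known=False, fallthru="none"):
    """Return (authentication type, identity checked in RADIUS or the local database)."""
    # 1. 802.1X: the NIC supplied a username and a dot1x rule matches it
    #    (the EAP type comparison is not modelled here).
    if username and matches(rules, "dot1x", ssid, username):
        return ("dot1x", username)
    # 2. MAC: a MAC rule matches and the MAC address is a known user entry.
    if matches(rules, "mac", ssid, mac) and mac_known:
        return ("mac", mac)
    # 3. Fallthru: Web, last-resort or none. Treating "no MAC rule" the same as
    #    "MAC lookup failed" is this example's reading of the text.
    if fallthru == "web":
        return ("web", None)  # username is collected later on the login page
    if fallthru == "last-resort" and matches(rules, "last-resort", ssid):
        return ("last-resort", last_resort_username(ssid))
    return ("denied", None)

# Constructed sample rule set and clients, for illustration only.
RULES = [
    Rule("dot1x", "corp", "*@example.com"),
    Rule("mac", "voice", "00:11:22:*"),
    Rule("last-resort", "guest"),
]

if __name__ == "__main__":
    print(select_auth(RULES, "corp", "aa:bb:cc:00:00:01", username="alice@example.com"))
    print(select_auth(RULES, "voice", "00:11:22:33:44:55", mac_known=True))
    print(select_auth(RULES, "guest", "aa:bb:cc:00:00:02", fallthru="last-resort"))
    print(select_auth(RULES, "corp", "aa:bb:cc:00:00:03", fallthru="last-resort"))
```

Any SSID for which the result is last-resort admits clients that present no credentials of their own, so those SSIDs and any broad MAC wildcards are the entries to review first.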