412 Configuring AAA for Network Users320657-AAAA Methods for IEEE 802.1X and Web Network AccessThe following AAA methods are supported by Nortelfor 802.1X and Web network access mode:• Client certificates issued by a certificate authority (CA) for authentication.(For this method, you assign an authentication protocol to a user. For protocol details, see “IEEE 802.1XExtensible Authentication Protocol Types” on page 415.)• The WSS switch’s local database of usernames and user groups for authentication.(For configuration details, see “Adding and Clearing Local Users for Administrative Access” on page 63,“Authenticating through a Local Database” on page 420, and “Adding and Clearing MAC Users and UserGroups Locally” on page 426.)• A named group of RADIUS servers. The WSS switch supports up to four server groups, which can each containbetween one and four servers.(For server group details, see “Configuring RADIUS Server Groups” on page 483.)You can use the local database or RADIUS servers for MAC and last-resort access as well. If you use RADIUS servers,make sure you configure the password for the MAC address or last-resort user as nortel. (This is the default authoriza-tion password. To change it, see “Changing the MAC Authorization Password for RADIUS” on page 428.)AAA Rollover ProcessAn WSS switch attempts AAA methods in the order in which they are entered in the configuration:1 The first AAA method in the list is used unless that method results in an error. If the method results in apass or fail, the result is final and the WSS tries no other methods.2 If the WSS switch receives no response from the first AAA method, it tries the second method in the list.3 If the WSS switch receives no response from the second AAA method, it tries the third method. Thisevaluation process is applied to all methods in the list.Local Override ExceptionThe one exception to the operation described in “AAA Rollover Process” takes place if the local database is the firstmethod in the list and is followed by a RADIUS server group method. If the local method fails to find a matchingNote. If a AAA rule specifies local as a secondary AAA method, to be used if theRADIUS servers are unavailable, and WSS Software authenticates a client with the localmethod, WSS Software starts again at the beginning of the method list when attempting toauthorize the client. This can cause unexpected delays during client processing and cancause the client to time out before completing logon.