488 Configuring AAA for network users
NN47250-500 (320657-F Version 02.01)

Nortel recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userglobs match on all machine names and users in the domain:

• host/*.mycorp.com (userglob for the machine authentication rule)
• *.mycorp.com (userglob for the user authentication rule)

If the domain name has more nodes (for example, nl.mycorp.com), use an asterisk in each node that you want to match globally. For example, to match on all machines and users in mycorp.com, use the following userglobs:

• host/*.*.mycorp.com (userglob for the machine authentication rule)
• *.*.mycorp.com (userglob for the user authentication rule)

Use more specific rules to direct machines and users to different server groups. For example, to direct users in nl.mycorp.com to a different server group than users in de.mycorp.com, use the following userglobs:

• host/*.nl.mycorp.com (userglob for the machine authentication rule)
• *.nl.mycorp.com (userglob for the user authentication rule)
• host/*.de.mycorp.com (userglob for the machine authentication rule)
• *.de.mycorp.com (userglob for the user authentication rule)

Bonded Authentication period

The Bonded Authentication period is the number of seconds WSS Software allows a Bonded Authentication user to reauthenticate.

After successful machine authentication, a session for the machine appears in the session table in WSS Software. When the user logs on and is authenticated, the user session replaces the machine session in the table. However, since the user’s authentication rule contains the bonded option, WSS Software remembers that the machine was authenticated.

If a Bonded Authentication user’s session is ended due to 802.1X reauthentication or the RADIUS Session-Timeout parameter, WSS Software can allow time for the user to reauthenticate. The amount of time that WSS Software allows for reauthentication is controlled by the Bonded Authentication period.

If the user does not reauthenticate within the Bonded Authentication period, WSS Software deletes the information about the machine session. After the machine session information is deleted, the Bonded Authentication user cannot reauthenticate. When this occurs, the user will need to log off, then log back on, to access the network. After multiple failed reauthentication attempts, the user might need to reboot the PC before logging on.

By default, the Bonded Authentication period is 0 seconds. WSS Software does not wait for a Bonded Authentication user to reauthenticate.

You can set the Bonded Authentication period to a value up to 300 seconds. Nortel recommends that you try 60 seconds, and change the period to a longer value only if clients are unable to authenticate within 60 seconds.

To set the Bonded Authentication period, use the following command:

set dot1x bonded-period seconds
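The following added example (not part of the Nortel guide or WSS Software) models the machine userglobs from the rules earlier on this page, so a rule set can be checked against sample machine names before it is deployed. It assumes that a single asterisk matches within one node only and stops at the "." and "@" delimiters; the machine names and server group names are constructed for illustration.

```python
import re


def userglob_to_regex(glob):
    """Translate a userglob into a compiled regular expression.

    Assumption of this example: a single '*' matches any run of characters
    inside one node and does not cross the '.' or '@' delimiters.
    """
    literal_parts = [re.escape(part) for part in glob.split("*")]
    return re.compile("[^.@]*".join(literal_parts))


def server_groups(name, rules):
    """Return the server groups of every rule whose userglob matches name."""
    return [group for glob, group in rules
            if userglob_to_regex(glob).fullmatch(name)]


def unmatched(names, rules):
    """Return the names that no rule matches (these would hit no server group)."""
    return [name for name in names if not server_groups(name, rules)]


# Constructed sample machine names.
MACHINES = [
    "host/pc1.mycorp.com",
    "host/pc7.nl.mycorp.com",
    "host/pc9.de.mycorp.com",
]

# Userglobs are the ones from the page; server group names are hypothetical.
ONE_NODE = [("host/*.mycorp.com", "corp-radius")]
TWO_NODE = [("host/*.*.mycorp.com", "corp-radius")]
PER_SITE = [
    ("host/*.nl.mycorp.com", "nl-radius"),
    ("host/*.de.mycorp.com", "de-radius"),
]

if __name__ == "__main__":
    for label, rules in (("one-node", ONE_NODE), ("two-node", TWO_NODE),
                         ("per-site", PER_SITE)):
        print(label, "rules leave unmatched:", unmatched(MACHINES, rules))
        for name in MACHINES:
            print("   ", name, "->", server_groups(name, rules))
```

Any name reported as unmatched by the per-site rules needs either its own specific rule or a more general rule alongside them.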