Authentication Rule Requirements - Nortel 2300 Series Configuration Manual

422 Configuring AAA for Network Users
WSS Software refuses to authenticate the user and does not allow the user onto the network from the unauthenticated machine.

Note. If the 802.1X reauthentication parameter or the RADIUS Session-Timeout parameter is applicable, the user must log in before the 802.1X reauthentication timeout or the RADIUS session-timeout for the machine's session expires. Normally, these parameters apply only to clients that use dynamic WEP, or use WEP-40 or WEP-104 encryption with WPA or RSN.

Authentication Rule Requirements

Bonded Authentication requires an 802.1X authentication rule for the machine itself, and a separate 802.1X authentication rule for the user(s). Use the bonded option in the user authentication rule, but not in the machine authentication rule. The authentication rule for the machine must be higher up in the list of authentication rules than the authentication rule for the user.

You must use 802.1X authentication rules. The 802.1X authentication rule for the machine must use pass-through as the protocol. Nortel recommends that you also use pass-through for the user's authentication rule.

The rule for the machine and the rule for the user must use a RADIUS server group as the method. (Generally, in a Bonded Authentication configuration, the RADIUS servers will use a user database stored on an Active Directory server.)
(For a configuration example, see "Bonded Authentication Configuration Example" on page 423.)

Nortel recommends that you make the rules as general as possible. For example, if the Active Directory domain is mycorp.com, the following userwildcards match on all machine names and users in the domain:

host/*.mycorp.com (userwildcard for the machine authentication rule)
*.mycorp.com (userwildcard for the user authentication rule)

If the domain name has more nodes (for example, nl.mycorp.com), use an asterisk in each node that you want to match globally. For example, to match on all machines and users in mycorp.com, use the following userwildcards:

host/*.*.mycorp.com (userwildcard for the machine authentication rule)
*.*.mycorp.com (userwildcard for the user authentication rule)

Use more specific rules to direct machines and users to different server groups. For example, to direct users in nl.mycorp.com to a different server group than users in de.mycorp.com, use the following userwildcards:

host/*.nl.mycorp.com (userwildcard for the machine authentication rule)
*.nl.mycorp.com (userwildcard for the user authentication rule)
host/*.de.mycorp.com (userwildcard for the machine authentication rule)
*.de.mycorp.com (userwildcard for the user authentication rule)

320657-A
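As an added illustration (not from the Nortel manual or from WSS Software), the following Python models the ordered rule list and checks the requirements above: the machine rule precedes its bonded user rule, carries no bonded option and uses pass-through, and both rules name a RADIUS server group. The rule fields, the node-wise wildcard matching (an asterisk matching within one dotted node, as the manual's wording suggests) and the server group names are assumptions.

```python
import fnmatch
from dataclasses import dataclass

@dataclass
class Dot1xRule:
    """One 802.1X authentication rule (constructed model, not the WSS rule format)."""
    userwildcard: str     # "host/*.mycorp.com" (machine) or "*.mycorp.com" (user)
    protocol: str         # "pass-through" or an EAP type terminated on the switch
    method: str           # name of a RADIUS server group, or "local"
    bonded: bool = False  # bonded option: belongs on the user rule only

def wildcard_match(pattern: str, name: str) -> bool:
    """Node-wise glob (assumed): '*' matches within one dotted node, so
    '*.mycorp.com' does not match 'alice.nl.mycorp.com' but '*.*.mycorp.com' does."""
    p, n = pattern.split("."), name.split(".")
    return len(p) == len(n) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(n, p))

def first_match(rules, name):
    """Index of the first rule whose userwildcard matches: rules are tried in list order."""
    return next((i for i, r in enumerate(rules) if wildcard_match(r.userwildcard, name)), None)

def check_bonded_rules(rules, server_groups):
    """Return the violations of the Bonded Authentication rule requirements."""
    problems = []
    for i, r in enumerate(rules):
        if r.userwildcard.startswith("host/"):          # machine rule
            if r.bonded:
                problems.append(f"rule {i}: machine rule must not use the bonded option")
            if r.protocol != "pass-through":
                problems.append(f"rule {i}: machine rule must use pass-through")
        elif r.bonded:                                  # bonded user rule
            machine = "host/" + r.userwildcard
            j = next((k for k, m in enumerate(rules) if m.userwildcard == machine), None)
            if j is None or j > i:
                problems.append(f"rule {i}: machine rule {machine} must come before the user rule")
            if r.protocol != "pass-through":
                problems.append(f"rule {i}: user rule should also use pass-through (recommended)")
        if r.method not in server_groups:
            problems.append(f"rule {i}: method {r.method!r} is not a RADIUS server group")
    return problems

# Constructed rules for nl.mycorp.com, machine rule listed first (correct order).
SERVER_GROUPS = {"ad-nl", "ad-de"}
GOOD_RULES = [
    Dot1xRule("host/*.nl.mycorp.com", "pass-through", "ad-nl"),
    Dot1xRule("*.nl.mycorp.com", "pass-through", "ad-nl", bonded=True),
]
# Reversed order: "*.nl.mycorp.com" also matches "host/pc1.nl.mycorp.com", so the machine
# would be evaluated by the user rule; check_bonded_rules flags this.
BAD_RULES = list(reversed(GOOD_RULES))
```

Running `check_bonded_rules(BAD_RULES, SERVER_GROUPS)` reports the ordering violation, while `first_match` shows why it matters: with the user rule first, a machine name is caught by the user rule's wildcard.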
