User Credential Requirements; Authorization - D-Link DWS-1008 - AirPremier MobileLAN Switch Product Manual

The user credentials that MSS checks for on RADIUS servers or in the local database differ depending
on the type of authentication rule that matches on the SSID or wired access requested by the user.
• For a user to be successfully authenticated by an 802.1X or WebAAA rule, the username
and password entered by the user must be configured on the RADIUS servers used by the
authentication rule or in the switch's local database, if the local database is used by the
rule.
• For a user to be successfully authenticated based on the MAC address of the user's device,
the MAC address must be configured on the RADIUS servers used by the authentication
rule or in the switch's local database, if the local database is used by the rule. If the
MAC address is configured in the local database, no password is required. However, since
RADIUS requires a password, if the MAC address is on the RADIUS server, MSS checks
for a password. The default well-known password is dlink but is configurable.
• For a user to be successfully authenticated for last-resort access on a wired authentication
port, the RADIUS servers or local database must contain a user named last-resort-wired.
If the last-resort-wired user is configured in the local database, no password is required.
However, since RADIUS requires a password, if the last-resort-wired user is on the
RADIUS server, MSS checks for a password. The default well-known password is dlink but
is configurable. (The same password applies to MAC users.)
Last-resort access to an SSID does not require a special user (such as last-resort-ssid) to
be configured. Instead, if the fallthru authentication type on the SSID's service profile is set
to last-resort, and the SSID does not have any 802.1X or MAC access rules, a user can
access the SSID without entering a username or password.
If the user is authenticated, MSS then checks the RADIUS server or local database (the same place
MSS looked for user information to authenticate the user) for the authorization attributes assigned to
the user. Authorization attributes specify the network resources the user can access.
The only required attribute is the Virtual LAN (VLAN) name on which to place the user. RADIUS and MSS
have additional optional attributes. For example, you can provide further access controls by specifying
the times during which the user can access the network, you can apply inbound and outbound access
control lists (ACLs) to the user's traffic, and so on.
To assign attributes on the RADIUS server, use the standard RADIUS attributes supported on the server.
To assign attributes in the switch's local database, use the MSS vendor-specific attributes (VSAs).
D-Link DWS-1008 User Manual

User Credential Requirements

Authorization