User's Manual

| Machine Auth Status | User Auth Status | Description | Role Assigned |
|---|---|---|---|
| Failed | Failed | Both machine authentication and user authentication failed. L2 authentication failed. | No role assigned. No access to the network allowed. |
| Failed | Passed | Machine authentication failed (for example, the machine information is not present on the server) and user authentication succeeded. Server-derived roles do not apply. | Machine authentication default user role configured in the 802.1x authentication profile. |
| Passed | Failed | Machine authentication succeeded and user authentication has not been initiated. Server-derived roles do not apply. | Machine authentication default machine role configured in the 802.1x authentication profile. |
| Passed | Passed | Both machine and user are successfully authenticated. If there are server-derived roles, the role assigned via the derivation takes precedence. This is the only case where server-derived roles are applied. | A role derived from the authentication server takes precedence. Otherwise, the 802.1x authentication default role configured in the AAA profile is assigned. |
Table 48: Role Assignment for User and Machine Authentication
For example, if the following roles are configured:
- 802.1x authentication default role (in AAA profile): dot1x_user
- Machine authentication default machine role (in 802.1x authentication profile): dot1x_mc
- Machine authentication default user role (in 802.1x authentication profile): guest
Role assignment is as follows:
- If both machine and user authentication succeed, the role is dot1x_user. If there is a server-derived role, the server-derived role takes precedence.
- If only machine authentication succeeds, the role is dot1x_mc.
- If only user authentication succeeds, the role is guest.
- On failure of both machine and user authentication, the user does not have access to the network.
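The role assignment in Table 48, applied to the example roles above, as an added example (not code from the manual). The configuration text is a constructed sample, `employee` is a hypothetical server-derived role, and the last function is an added sanity check rather than a rule the manual states.

```python
import re

# Constructed sample config using the role names from the example above.
SAMPLE_CONFIG = """
aaa authentication dot1x "corp-dot1x"
   machine-authentication enable
   machine-authentication machine-default-role "dot1x_mc"
   machine-authentication user-default-role "guest"
aaa profile "corp-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-default-role "dot1x_user"
"""

KEYS = {
    "machine-authentication machine-default-role": "machine_role",
    "machine-authentication user-default-role": "user_role",
    "dot1x-default-role": "dot1x_role",
}

def parse_roles(config):
    """Pull the three default roles out of a controller config dump."""
    roles = {}
    for line in config.splitlines():
        for key, name in KEYS.items():
            m = re.fullmatch(re.escape(key) + r'\s+"?([^"\s]+)"?', line.strip())
            if m:
                roles[name] = m.group(1)
    return roles

def assign_role(roles, machine_ok, user_ok, server_role=None):
    """Table 48: return the assigned role, or None when access is denied."""
    if machine_ok and user_ok:
        # The only case in which a server-derived role is applied.
        return server_role or roles["dot1x_role"]
    if machine_ok:
        return roles["machine_role"]
    if user_ok:
        return roles["user_role"]
    return None

def partial_auth_gets_full_role(roles):
    """Added sanity check (assumption, not from the manual): list partial
    outcomes that would receive the same role as a full authentication."""
    full = roles["dot1x_role"]
    return [k for k in ("machine_role", "user_role") if roles[k] == full]

if __name__ == "__main__":
    r = parse_roles(SAMPLE_CONFIG)
    for m_ok, u_ok in [(False, False), (False, True), (True, False), (True, True)]:
        print(m_ok, u_ok, assign_role(r, m_ok, u_ok, server_role="employee"))
```

Note that a server-derived role passed in for the user-only or machine-only outcome is ignored, matching the "Server-derived roles do not apply" rows of the table.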
With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains
its IP address) depends upon the success or failure of the machine and user authentications. The VLAN that is
ultimately assigned to a client can also depend upon attributes returned by the authentication server or server
derivation rules configured on the controller (see Understanding VLAN Assignments on page 157). If machine
authentication is successful, the client is assigned the VLAN configured in the virtual AP profile. However, the
client can be assigned a derived VLAN upon successful user authentication.
You can optionally assign a VLAN as part of a user role configuration. You should not use VLAN derivation
if you configure user roles with VLAN assignments.
Table 49 describes VLAN assignment based on the results of the machine and user authentications when VLAN
derivation is used.
Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 263