Users Guide

ManualsBrandsDell ManualsAccess PlatformsW-3200

331

332

333

334

335

336

337

338

339

340

You can configure 802.1x for both user and machine authentication (select the Enforce Machine

Authentication option described in Table 68). This tightens the authentication process further, since both the

device and user need to be authenticated.

Working with Role Assignment with Machine Authentication Enabled

When you enable machine authentication, there are two additional roles you can define in the 802.1x

authentication profile:

l Machine authentication default machine role

l Machine authentication default user role

While you can select the same role for both options, you should define the roles as per the polices that need to

be enforced. Also, these roles can be different from the 802.1x authentication default role configured in the

AAA profile.

With machine authentication enabled, the assigned role depends upon the success or failure of the machine

and user authentications. In certain cases, the role that is ultimately assigned to a client can also depend upon

attributes returned by the authentication server or server derivation rules configured on the controller.

Table 69 describes role assignment based on the results of the machine and user authentications.

Machine

Auth

Status

User

Auth

Status

Description Role Assigned

Failed Failed Both machine authentication and

user authentication failed. L2

authentication failed.

No role assigned. No access to the

network allowed.

Failed Passed Machine authentication failed (for

example, the machine information is

not present on the server) and user

authentication succeeded. Server-

derived roles do not apply.

Machine authentication default user

role configured in the 802.1x

authentication profile.

Passed Failed Machine authentication succeeded

and user authentication has not been

initiated. Server-derived roles do not

apply.

Machine authentication default

machine role configured in the

802.1x authentication profile.

Passed Passed Both machine and user are

successfully authenticated. If there

are server-derived roles, the role

assigned via the derivation take

precedence. This is the only case

where server-derived roles are

applied.

A role derived from the

authentication server takes

precedence. Otherwise, the 802.1x

authentication default role

configured in the AAA profile is

assigned.

Table 69: Role Assignment for User and Machine Authentication

For example, if the following roles are configured:

l 802.1x authentication default role (in AAA profile): dot1x_user

l Machine authentication default machine role (in 802.1x authentication profile): dot1x_mc

l Machine authentication default user role (in 802.1x authentication profile): guest

Dell Networking W-Series ArubaOS 6.4.x | User Guide 802.1X Authentication | 336