Administrator Guide

174 | Mobility Access Switch Configuration for 802.1X Authentication Dell Networking W-ClearPass Deployment Guide
Table 31: Role Assignments for User and Machine Authentication

| Machine Auth Status | User Auth Status | Description | Role Assignment |
|---|---|---|---|
| Failed | Failed | Both machine authentication and user authentication failed. Layer 2 authentication failed. | Initial role defined in the AAA profile will be assigned. If no initial role is explicitly defined, the default initial role (logon role) is assigned. |
| Failed | Passed | Machine authentication fails (for example, the machine information is not present on the server) and user authentication succeeds. Server-derived roles do not apply. | Machine authentication default user role configured in the 802.1x authentication profile. |
| Passed | Failed | Machine authentication succeeds and user authentication has not been initiated. Server-derived roles do not apply. | Machine authentication default machine role configured in the 802.1x authentication profile. |
| Passed | Passed | Both machine and user are successfully authenticated. If there are server-derived roles, the role assigned via the derivation takes precedence. This is the only case where server-derived roles are applied. | A role derived from the authentication server takes precedence. Otherwise, the 802.1x authentication default role configured in the AAA profile is assigned. |

Role Assignments Example
For example, if the following roles are configured:
• 802.1x authentication default role (in AAA profile): dot1x_user
• Machine authentication default machine role (in 802.1x authentication profile): dot1x_mc
• Machine authentication default user role (in 802.1x authentication profile): guest
The role assignments would be as follows:
• If both machine and user authentication succeed, the role is dot1x_user. If there is a server-derived role, the server-derived role takes precedence.
• If only machine authentication succeeds, the role is dot1x_mc.
• If only user authentication succeeds, the role is guest.
• On failure of both machine and user authentication, the initial role defined in the AAA profile is assigned.
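
The assignment rules of Table 31, applied to the example roles above, as added Python example code (not taken from the Dell guide or from the switch software). The names RoleConfig, resolve_role and partial_auth_roles and the server-derived role "employee" are hypothetical; partial_auth_roles lists the roles a client can receive without passing both authentications, which are the roles whose policies deserve review.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

LOGON_ROLE = "logon"  # default initial role named in Table 31


@dataclass(frozen=True)
class RoleConfig:
    """Hypothetical container for the role settings the guide names."""
    dot1x_default_role: str              # AAA profile
    machine_default_machine_role: str    # 802.1x authentication profile
    machine_default_user_role: str       # 802.1x authentication profile
    initial_role: Optional[str] = None   # AAA profile; None = not explicitly defined


def resolve_role(cfg, machine_ok, user_ok, server_role=None):
    """Return the role Table 31 assigns for one authentication outcome."""
    if machine_ok and user_ok:
        # The only case in which a server-derived role is applied.
        return server_role or cfg.dot1x_default_role
    if machine_ok:
        return cfg.machine_default_machine_role
    if user_ok:
        return cfg.machine_default_user_role
    return cfg.initial_role or LOGON_ROLE


def partial_auth_roles(cfg, server_role=None):
    """Roles a client can hold without passing both authentications."""
    return {
        resolve_role(cfg, m, u, server_role)
        for m, u in product((False, True), repeat=2)
        if not (m and u)
    }


# Constructed sample: the roles from the guide's example, no explicit initial role.
EXAMPLE = RoleConfig("dot1x_user", "dot1x_mc", "guest")

if __name__ == "__main__":
    # "employee" is a constructed server-derived role name.
    for m, u in product((True, False), repeat=2):
        role = resolve_role(EXAMPLE, m, u, server_role="employee")
        print(f"machine={m!s:5} user={u!s:5} -> {role}")
    print("roles reachable without full authentication:",
          sorted(partial_auth_roles(EXAMPLE, server_role="employee")))
```
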
VLAN Assignments
With machine authentication enabled, the VLAN to which a client is assigned (and from which the client obtains
its IP address) depends upon the success or failure of the machine and user authentications.
The VLAN that is ultimately assigned to a client can also depend upon attributes returned by the authentication
server or server derivation rules configured on the Mobility Access Switch.