Administrator Guide

If machine authentication is successful, the client is associated to the VLAN configured on the interface.
However, the client can be assigned a derived VLAN upon successful user authentication.
You can optionally assign a VLAN as part of a user role configuration. It is recommended not to use VLAN derivation if
user roles are configured with VLAN assignments.
Table 32 describes VLAN assignment based on the results of the machine and user authentications when VLAN
derivation is used.
| Machine Auth Status | User Auth Status | Description | VLAN Assignment |
|---|---|---|---|
| Failed | Failed | Both machine authentication and user authentication failed. Layer 2 authentication failed. | • VLAN configured on the interface. • VLAN configured under initial role. |
| Failed | Passed | Machine authentication fails (for example, the machine information is not present on the server) and user authentication succeeds. | • VLAN configured on the interface. • VLAN configured under machine authentication default user role. |
| Passed | Failed | Machine authentication succeeds and user authentication has not been initiated. | • VLAN configured on the interface. • VLAN configured under machine authentication default user role. |
| Passed | Passed | Both machine and user are successfully authenticated. | • Derived VLAN. • VLAN configured on the interface. |

Table 32: VLAN Assignments for User and Machine Authentication

Authentication with an 802.1X RADIUS Server
When authenticating with an 802.1X RADIUS server:
• An EAP-compliant RADIUS server provides the 802.1X authentication.
  The RADIUS server administrator must configure the server to support this authentication. The administrator must also configure the server to handle all communications with the Mobility Access Switch.
• 802.1X authentication based on PEAP with MS-CHAPv2 provides both computer and user authentication.
  If a user attempts to log in without the computer being authenticated first, the user is placed into a limited guest user role.
  Windows domain credentials are used for computer authentication, and the user’s Windows login and password are used for user authentication. A single user sign-on facilitates both authentication to the network and access to the Windows server resources.
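
The following added example (not part of the guide or of any Dell or Aruba tooling) shows one way to audit RADIUS results against Table 32: it tracks machine and user authentication per client and flags clients where a user authenticated on a machine that did not. The event tuple format, the sample MAC addresses and identities, the function names, and the use of the Windows "host/<fqdn>" identity to recognise computer authentication are assumptions made for the example.

```python
from collections import defaultdict

IFACE = "VLAN configured on the interface"
MACHINE_DEFAULT = "VLAN configured under machine authentication default user role"
# Table 32 keyed by (machine_passed, user_passed). VLAN sources are listed in
# the guide's order; no precedence between them is implied here.
TABLE_32 = {
    (False, False): [IFACE, "VLAN configured under initial role"],
    (False, True): [IFACE, MACHINE_DEFAULT],
    (True, False): [IFACE, MACHINE_DEFAULT],
    (True, True): ["Derived VLAN", IFACE],
}

# Constructed sample events: (client MAC, EAP identity, RADIUS result).
SAMPLE_EVENTS = [
    ("00:11:22:aa:bb:01", "host/lab-pc1.example.edu", "Access-Accept"),
    ("00:11:22:aa:bb:01", "alice", "Access-Accept"),
    ("00:11:22:aa:bb:02", "bob", "Access-Accept"),
    ("00:11:22:aa:bb:03", "host/lab-pc3.example.edu", "Access-Accept"),
    ("00:11:22:aa:bb:04", "host/unknown-pc.example.edu", "Access-Reject"),
    ("00:11:22:aa:bb:04", "carol", "Access-Reject"),
]

def is_machine_identity(identity):
    # Assumption: Windows supplicants present "host/<fqdn>" for computer auth.
    return identity.lower().startswith("host/")

def auth_state(events):
    """Return {mac: (machine_passed, user_passed)}; the latest result of each kind wins."""
    state = defaultdict(lambda: [False, False])
    for mac, identity, result in events:
        kind = 0 if is_machine_identity(identity) else 1
        state[mac.lower()][kind] = result == "Access-Accept"
    return {mac: tuple(flags) for mac, flags in state.items()}

def audit(events):
    """Map each client to its Table 32 row; flag user logins on unauthenticated machines."""
    report = {}
    for mac, (machine_ok, user_ok) in auth_state(events).items():
        report[mac] = {
            "machine_passed": machine_ok,
            "user_passed": user_ok,
            "vlan_sources": TABLE_32[(machine_ok, user_ok)],
            "review": user_ok and not machine_ok,
        }
    return report

if __name__ == "__main__":
    for mac, row in sorted(audit(SAMPLE_EVENTS).items()):
        print(mac, row)
```

Clients flagged with "review" are the ones the guide says should land in the limited guest user role, so their effective role and VLAN on the switch are worth confirming.
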
You can create policies and user roles for the following:
• Student
• Faculty
Dell Networking W-ClearPass Deployment Guide Mobility Access Switch Configuration for 802.1X Authentication | 175