Authentication Rules and Add User to Authentication Mapping Window

This window lets you add or edit the user to authentication mappings that define your Advanced AAA configurations. You can access this window from the Add or Edit buttons in the AAA Configuration window.

Edit User to Authentication Mapping

Authentication Type
Select the authentication type that the end-system must match for this mapping. Note that individual types of 802.1X authentication are not available for selection because at this point in the authentication process, the fully qualified 802.1X authentication type cannot be determined. Select Any if you don't want to require an authentication match. Select 802.1X (TTLS-INNER-TUNNEL) or 802.1X (PEAP-INNER-TUNNEL) to authenticate via another RADIUS server using an inner tunnel to protect the authentication request.

The Management Login authentication type enables you to set up a mapping specifically for authenticating management login requests, when an administrator logs into a switch's CLI via the console connection, SSH, or Telnet. This enables you to send management requests to a different authentication server than network access requests go to. This authentication type can be used to authenticate users locally, or proxy them to specific RADIUS or LDAP servers. Make sure that the Management Login mapping is listed above the "Any" mapping in the list of mappings in your Advanced AAA Configuration. In addition, you must set the Auth. Access Type to either "Management Access" or "Any Access" in the Add/Edit Switches window for this authentication type.
User/MAC/Host
Select the Pattern radio button and enter the username, MAC address, or hostname that the end-system must match for this mapping. Or, select the Group radio button and select a user group or end-system group from the drop-down list. If you enter a MAC address, you can use a colon (:) or a dash (-) as an address delimiter, but not a period (.).
Location
Select the location group that the end-system must match for this mapping, or select "Any" if you don't want to require a location match. You can also add a new location group or edit an existing one.
Authentication Method
Select the authentication method that the end-system must match for this mapping: Proxy RADIUS (Failover), Proxy RADIUS (Round Robin), LDAP Authentication, Local Authentication, or Entra ID.
 
Proxy Radius (Failover), Proxy Radius (Round Robin)
  • Primary RADIUS Server — Use the drop-down list to select the primary RADIUS server for this mapping to use.You can also add or edit a RADIUS server, or manage your RADIUS servers.
  • Secondary RADIUS Server — Use the drop-down list to select the backup RADIUS server for this mapping to use. You can also add or edit a RADIUS server, or manage your RADIUS servers.
  • 3rd - 8th RADIUS Server — Use the drop-down list to select the backup RADIUS server for this mapping to use. You can also add or edit a RADIUS server, or manage your RADIUS servers.
  • Inject Authentication Attrs — Use the drop-down list to select attributes to inject when proxying authentication requests to the back-end RADIUS servers. You can also add or edit a RADIUS attribute configuration, or manage your RADIUS attribute configurations. Select ExtremeGuest when configuring a Captive Portal that redirects users to ExtremeGuest.

    • You can enter the following variables in the format %VARIABLE_NAME%.

      • ES_IP — the IP address of the end-system, if known.

      • ES_MAC — the MAC address of the end-system. To change the format of the MAC address you can add a ":<format>" to the variable. For example the MAC address 00-12-34-ab-cd-ef:

        • %ES_MAC:XX-XX-XX-XX-XX-XX% produces the MAC in the format: 00-12-34-AB-CD-EF

        • %ES_MAC:xxxxxx.xxxxxxx% produces the MAC in the format: 001234.abcdef

      • ES_OUI_VENDOR — uses the MAC OUI of the end-system MAC address to look up the vendor in the list of registered vendor OUIs.

      • NAS_IP — the NAS-IP-Address of the device that the end-system is currently authenticating on.

      • NAS_MAC — the MAC address of the device the end-system is currently authenticating on.

      •  NOTE:You can use any RADIUS attribute, such as Siemens-SSID & Siemens-BSS-MAC. If the attributes exist on the request sent to the Access Control Engine, you can use those attributes.
  • Inject Accounting Attrs — Use the drop-down list to select attributes to inject when proxying accounting requests to the back-end RADIUS servers. You can also add or edit a RADIUS attribute configuration, or manage your RADIUS attribute configurations. Select ExtremeGuest when configuring a Captive Portal that redirects users to ExtremeGuest.
LDAP Authentication — If you select LDAP Authentication, specify the LDAP configuration for this mapping to use.

Local Authentication — If desired, select the option to configure a password for all authentications that match the mapping. This option could be used with MAC authentication where the password is not the MAC address. For example, you can have MAC (PAP) authentication configured for all your switches, with the exception of MAC (MsCHAP) authentication configured for a wireless controller. For the wireless controller, you would add a new AAA mapping with the authentication type set to MAC (MsCHAP), the location set to the wireless controller location group, and the authentication method set to Local Authentication with the password for all authentications set to the static password configured on the wireless controller.
 
Entra ID — All enabled Entra ID configurations are used If the AAA rules with Entra ID authentication method is configured. You can also add or edit Entra IDs from Manage Entra IDs.
LDAP Configuration
Use the drop-down list to select the LDAP configuration for the LDAP servers on your network that you want to use for this mapping. You can also add or edit an LDAP configuration, or manage your LDAP configurations. You must specify an LDAP configuration if you have selected LDAP Authentication as your authentication method. However, you might also specify an LDAP configuration if you use Proxy RADIUS to a Microsoft NPS server that is running on a domain controller. The domain controller is also an LDAP server that can do RADIUS requests and LDAP requests for users on that server.
LDAP Policy Mapping
Select the LDAP Policy Mapping for this mapping from the drop-down list. If you have selected an LDAP configuration, this option enables you to use a different LDAP policy mapping. This is useful if the LDAP configuration uses user attribute values that overlap with another LDAP configuration. For example, in the case of multiple companies where company A's Sales department uses one policy, but company B's Sales department uses a different policy.

Select Manage from the drop-down list to Add, Edit, Copy, or Delete the LDAP policy mappings for the LDAP configuration:



Fall-through if Authentication Failed
Select the checkbox to authenticate against the next AAA authentication rule in the event the authentication configured as the first AAA authentication rule results in authentication failure or the Directory Service is unreachable. The fall-through functionality only occurs for those rules on which the checkbox is selected and only in the event the first authentication rule fails. When this checkbox is enabled and an authentication rule fails, the Access Control engine continues checking the end-user against the remaining rules until it finds a matching rule. If it does not find a matching rule, authentication continues using the previous authentication response.
 
  NOTE: When using EAP-TEAP the fall-through option requires the computer authentication as EAP-TLS and the user authentication as MsCHAP to function.

Related Information

For information on related help topics: