Dell PowerConnect W-Airwave W-Airwave 7.2 Configuration Guide - Page 56

Table 9 Profiles > AAA > 802.1x Auth Profile Settings (Continued) Field Default Description Enforce Machine No Authentication Machine ap-role Authentication: Default Machine Role Machine 24 Authentication Cache Timeout (1-1000 hrs) Blacklist on Machine No Authentication Failure Machine ap-role Authentication: Default User Role Interval Between 30 Identity Requests (1-65535 sec) Quiet Period after Failed 30 Authentication (1-65535 sec) Reauthentication Interval (60-864000 sec) 86,400 seconds Use Server Provided No Reauthentication Interval Multicast Key Rotation No (60-864000 sec) (For Windows environments only) Select this option to enforce machine authentication before user authentication. If selected, either the Machine Authentication Default Role or the User Authentication Default Role is assigned to the user, depending on which authentication is successful. This setting requires a policy enforcement firewall license. Select the default role to be assigned to the user after completing machine authentication. When a Windows device boots, it logs onto the network domain using a machine account. Within the domain, the device is authenticated before computer group policies and software settings can be executed; this process is known as machine authentication. Machine authentication ensures that only authorized devices are allowed on the network. You can configure 802.1x for both user and machine authentication (select the Enforce Machine Authentication option described in Table 51 on page 272). This tightens the authentication process further since both the device and user need to be authenticated. Role Assignment with Machine Authentication Enabled When you enable machine authentication, there are two additional roles you can define in the 802.1x authentication profile:  Machine authentication default machine role  Machine authentication default user role While you can select the same role for both options, you should define the roles as per the polices that need to be enforced. Also, these roles can be different from the 802.1x authentication default role configured in the AAA profile. With machine authentication enabled, the assigned role depends upon the success or failure of the machine and user authentications. In certain cases, the role that is ultimately assigned to a client can also depend upon attributes returned by the authentication server or server derivation rules configured on the controller. This setting requires a policy enforcement firewall license. Define whether the user is blacklisted upon authentication failure. This setting requires a policy enforcement firewall license. Select the default role to be assigned to the user after completing 802.1x authentication. This setting requires a policy enforcement firewall license. Specify the interval in which identity requests are to be spaced between each other. Specify the amount of time in seconds in which failed authentication denies access to a user, after failed authentication. Select this option to force the client to do a 802.1x re-authentication after the expiration of the default timer for re-authentication. The default value of the timer (Reauthentication Interval) is 24 hours. If the user fails to re-authenticate with valid credentials, the state of the user is cleared. If derivation rules are used to classify 802.1x-authenticated users, then the Reauthentication timer per role overrides this setting. 802.1x re-authentication can be attempted after the expiration of the default timer for reauthentication. Specify whether this is to be supported from the authentication server. Define whether Multicast Key Rotation is enabled or disabled. When enabled, unicast and multicast keys are updated after each reauthorization. It is a best practice to configure the time intervals for reauthentication, multicast key rotation, and unicast key rotation to be at least 15 minutes. 56 | Dell PowerConnect W Configuration Reference Dell PowerConnect W AirWave 7.2 | Configuration Guide