Dell PowerConnect W Clearpass 100 Software 3.7 Deployment Guide - Page 65

The 'Allowed Access' and 'Denied Access' fields are access control lists that determine if a client is permitted to access this Web login page. You can specify multiple IP addresses and networks, one per line, using the following syntax:  1.2.3.4 - IP address  1.2.3.4/24 - IP address with network prefix length  1.2.3.4/255.255.255.0 - IP address with explicit network mask The 'Deny Behavior' drop-down list may be used to specify the action to take when access is denied. The access control rules will be applied in order, from the most specific match to the least specific match. Access control entries are more specific when they match fewer IP addresses. The most specific entry is a single IP address (for example, 1.2.3.4), while the least specific entry is the match-all address of 0.0.0.0/0. As another example, the network address 192.168.2.0/24 is less specific than a smaller network such as 192.168.2.192/26, which in turn is less specific than the IP address 192.168.2.201 (which may also be written as 192.168.2.201/32). To determine the result of the access control list, the most specific rule that matches the client's IP address is used. If the matching rule is in the Denied Access list, then the client will be denied access. If the matching rule is in the Allowed Access list, then the client will be permitted access. If the Allowed Access list is empty, all access will be allowed, except to clients with an IP address that matches any of the entries in the Denied Access list. This behavior is equivalent to adding the entry 0.0.0.0/0 to the Allowed Access list. If the Denied Access list is empty, only clients with an IP address that matches one of the entries in the Allowed Access list will be allowed access. This behavior is equivalent to adding the entry 0.0.0.0/0 to the Denied Access list. Universal Access Method (UAM) Password Encryption Two different forms of password encryption are supported for the Web login page. These are:  UAM basic - Equivalent to the Password Authentication Protocol (PAP) scheme.  UAM with shared secret - Equivalent to the Challenge Handshake Authentication Protocol (CHAP) scheme. When using either of these schemes, the NAS must supply a parameter named challenge to the Web login page. This parameter should be a string of hexadecimal digits ("hexadecimal challenge string") encoding a binary value at least 128 bits long ("binary challenge"). The challenge is used to encrypt the user's password as follows:  UAM basic - The user's password is XORed bytewise with the supplied binary challenge. The result is encoded as a string of hexadecimal characters.  UAM with shared secret - The MD5 checksum of the binary challenge followed by the predefined UAM secret is computed ("checksum challenge"). The encrypted password is the hexadecimal MD5 checksum of a stream consisting of a null byte followed by the user's plaintext password and the hexadecimal checksum challenge. NAS Redirect Parameters The NAS may supply additional parameters when redirecting the user to the Web login page. These are supported and will be passed back to the NAS along with the variables that are defined as part of the Web login form. For example, some wireless network equipment will pass a "wlan" parameter that contains the user's ESSID to the login page. This might result in the following redirection URL: Amigopod 3.7 | Deployment Guide RADIUS Services | 65