Filter
Top Products
462 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
If the WX does not receive a reply to a client’s DNS request, the WX
spoofs a reply to the browser by sending the WX switch’s own IP address
as the resolution to the browser’s DNS query. The WX also serves the web
login page. This behavior simplifies use of the WebAAA feature in
networks that do not have a DNS server. However, if the requested URL is
invalid, the behavior gives the appearance that the requested URL is valid,
since the browser receives a login page. Moreover, the browser might
cache a mapping of the invalid URL to the WX IP address.
If the user enters an IP address, most browsers attempt to contact the IP
address directly without using DNS. Some browsers even interpret
numeric strings as IP addresses (in decimal notation) if a valid address
could be formed by adding dots (dotted decimal notation). For example,
208194225132 would be interpreted as a valid IP address, when
converted to 208.194.225.132.
WebAAA
Requirements and
Recommendations
Use the following information to ensure operation of the WebAAA
feature.
MSS Version 5.0 does not require or support special user web-portal-ssid,
where ssid is the SSID the Web-Portal user associates with. Previous MSS
Versions required this special user for Web-Portal configurations. Any
web-portal-ssid users are removed from the configuration during
upgrade to MSS Version 5.0. However, the web-portal-wired user is still
required for Web Portal on wired authentication ports.
WX Switch Requirements
WebAAA certificate—A WebAAA certificate must be installed on the
switch. You can use a self-signed (signed by the WX) WebAAA
certificate automatically generated by MSS, manually generate a
self-signed one, or install one signed by a trusted third-party
certificate authority (CA). (For more information, see Chapter 20,
“Managing Keys and Certificates,” on page 413.)
If you choose to install a self-signed WebAAA certificate, use a
common name (a required field in the certificate), that resembles a
web address and contains at least one dot. When MSS serves the
login page to the browser, the page’s URL is based on the common
name in the WebAAA certificate.