Open as PDF
Configuring Web Portal WebAAA 463
Here are some examples of common names in the recommended
Here are some examples of common names that are not in the
User VLAN—An IP interface must be configured on the user’s VLAN.
The interface must be in the subnet on which the DHCP server will
place the user, so that the switch can communicate with both the
client and the client’s preferred DNS server. (To configure a VLAN, see
“Configuring and Managing VLANs” on page 87.)
If users will roam from the switch where they connect to the network
to other WX switches, the system IP addresses of the switches should
not be in the web-portal VLAN.
Although the SSID’s default VLAN and the user VLAN must be the
same, you can use a location policy on the switch where the service
profile is configured to move the user to another VLAN. The other
VLAN is not required to be statically configured on the switch. The
VLAN does have the same requirements as other user VLANs, as
described above. For example, the user VLAN on the roamed-to
switch must have an IP interface, the interface must be in the subnet
that has DHCP, and the subnet must be the same one the DHCP
server will place the user in.
In MSS Version 4.1 and earlier, the VLAN was required to be statically
configured on the WX switch where WebAAA was configured and
through which the user accessed the network. MSS Version 4.2 removes
this restriction. The VLAN you want to place an authenticated WebAAA
user on does not need to be statically configured on the switch where
Web Portal is configured. If the VLAN you assign to a user is not statically
configured on the VLAN where the user accesses the network, the switch
where the user accessed the network builds a tunnel to the switch where
the user’s VLAN is configured. That switch uses DHCP to assign an IP
address to the user.