464 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
Fallthru authentication type—For each SSID and wired authentication
port on which you want to support WebAAA, the fallthru authentication
type must be set to web-portal. The default authentication
type for wired authentication ports and for SSIDs is None (no fallthru
authentication is used).
To set the fallthru authentication type for an SSID, set it in the service
profile for the SSID, using the set service-profile auth-fallthru
command. To set it on a wired authentication port, use the auth-fall-thru
web-portal parameter of the set port type wired-auth command.
Authorization attributes—Wireless Web-Portal users get their
authorization attributes from the SSID’s service profile. To assign
wireless Web-Portal users to a VLAN, use the set service-profile
name attr vlan-name vlan-id command.
Web-Portal users on wired authentication ports get their authorization
attributes from the special user web-portal-wired. To assign wired
Web-Portal users to a VLAN, use the set user web-portal-wired attr
vlan-name vlan-id command. By default, web-portal-wired users
are assigned to the default VLAN.
Portal ACL (created by MSS automatically)—The portalacl ACL
captures all the portal user’s traffic except for DHCP traffic. The
portalacl has the following ACEs:
set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl ip portalacl deny 0.0.0.0 255.255.255.255
MSS automatically creates the portalacl ACL the first time you set the
fallthru authentication type on any service profile or wired authentication
port to web-portal.
The ACL is mapped to wireless Web-Portal users through the service
profile. When you set the fallthru authentication type on a service
profile to web-portal, portalacl is set as the Web-Portal ACL. The ACL
is applied to a Web-Portal user’s traffic when the user associates with
the service profile’s SSID.
The ACL is mapped to Web-Portal users on a wired-authentication
port by the Filter-id.in attribute configured on the web-portal-wired
user. When you set the fallthru authentication type on a wired
authentication port to web-portal, MSS creates the web-portal-wired
user. MSS sets the filter-id attribute on the user to portalacl.in.
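To see what the two portalacl ACEs listed above let through before a user authenticates, the following added example (not MSS code and not from the original manual) parses them and evaluates sample packets with first-match semantics. It assumes the second dotted quad of each address pair is a wildcard mask (1-bits are "don't care") and that an ACL ends in an implicit deny; the function names are hypothetical.

```python
import ipaddress
# The two ACEs as the page lists them (the first rejoined onto one line).
PORTALACL = [
    "set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67",
    "set security acl ip portalacl deny 0.0.0.0 255.255.255.255",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse only the two ACE shapes shown above into a dict."""
    t = line.split()[5:]             # drop 'set security acl ip <name>'
    ace = {"action": t.pop(0), "proto": None, "sport": None, "dport": None,
           "dst": (0, 0xFFFFFFFF)}   # no destination given: treat as any
    if t[0] in ("udp", "tcp"):
        ace["proto"] = t.pop(0)
    ace["src"] = (_ip(t.pop(0)), _ip(t.pop(0)))
    if t and t[0] == "eq":           # optional source-port match
        ace["sport"] = int(t[1])
        t = t[2:]
    if t:
        ace["dst"] = (_ip(t.pop(0)), _ip(t.pop(0)))
    if t and t[0] == "eq":           # optional destination-port match
        ace["dport"] = int(t[1])
    return ace

def _addr_match(addr, rule):
    base, wildcard = rule
    care = ~wildcard & 0xFFFFFFFF    # assumption: wildcard 1-bits are ignored
    return (_ip(addr) & care) == (base & care)

def evaluate(aces, pkt):
    """First matching ACE wins; no match falls to an implicit deny (assumed)."""
    for ace in aces:
        if ace["proto"] and ace["proto"] != pkt["proto"]:
            continue
        if not (_addr_match(pkt["src"], ace["src"]) and _addr_match(pkt["dst"], ace["dst"])):
            continue
        if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"

def verdict(proto, src, sport, dst, dport):
    pkt = {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
    return evaluate([parse_ace(l) for l in PORTALACL], pkt)
```

Only client-to-server DHCP (UDP source port 68 to destination port 67) reaches the permit ACE; every other packet from the unauthenticated user hits the deny ACE, which is the traffic the page describes the portal ACL as capturing.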