3Com WX2200 3CRWX220095A Switch User Manual

Configuring Web Portal WebAAA 465
CAUTION: Without the Web-Portal ACL, WebAAA users will be placed
on the network without any filters.
CAUTION: Do not change the deny rule at the bottom of the ACL. This
rule must be present and the capture option must be used with the rule.
If the rule does not have the capture option, the Web Portal user never
receives a login page. If you need to modify the Web-Portal ACL, create a
new one instead, and modify the service profile or web-portal-wired user
to use the new ACL.
Authentication rules—A web authentication rule must be configured
for the WebAAA users. The web rule must match on the username
the WebAAA user will enter on the WebAAA login page. (The match
can be on a userglob or individual username.) The web rule also must
match on the SSID the user will use to access the network. If the user
will access the network on a wired authentication port, the rule must
match on wired.
To configure authentication rules, use the set authentication web
Web Portal WebAAA must be enabled, using the set web-portal
command. The feature is enabled by default.
Portal ACL and User ACLs
The portalacl ACL, which MSS creates automatically, applies only when a
user’s session is in the portal state. After the user is authenticated and
authorized, the ACL is no longer applicable.
To modify a user’s access while the user is still being authenticated and
authorized, you can configure another ACL and map that ACL instead to
the web-portal-ssid or web-portal-wired user. Make sure to use the
capture option for traffic you do not want to allow. 3Com recommends
that you do not change the portalacl ACL. Leave the ACL as a backup in
case you need to refer to it or you need to use it again.
For example, if you want to allow the user to access a credit card server
while MSS is still authenticating and authorizing the user, create a new
ACL, add ACEs that are the same as the ACEs in portalacl, and add a new
ACE before the last one, to allow access to the credit card server. Make
sure the last ACE in the ACL is the deny ACE that captures all traffic that
is not allowed by the other ACEs.