466 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
To modify a WebAAA user’s access after the user is authenticated and
authorized, map an ACL to the individual WebAAA user. Changes you
make to the ACL mapped to the web-portal-ssid or web-portal-wired
user do not affect user access after authentication and authorization are
The filter-id attribute in a service profile applies only to authenticated
users. If this attribute is set in a service profile for an SSID accessed by
Web-Portal users, the attribute applies only after users have been
authenticated. While a Web-Portal user is still being authenticated, the
ACL set by the web-portal-acl applies instead.
The VLAN where users will be placed must have an IP interface, and the
subnet the interface is in must have access to DHCP and DNS servers.
WX Switch Recommendations
Consider installing a WebAAA certificate signed by a trusted CA,
instead of one signed by the WX switch itself. Unless the client’s
browser is configured to trust the signature on the switch’s WebAAA
certificate, display of the login page can take several seconds longer
than usual, and might be interrupted by a dialog asking the user what
to do about the untrusted certificate. Generally, the browser is already
configured to trust certificates signed by a CA.
Client NIC Requirements
Configure the NIC to use DHCP to obtain its IP address.
Client Web Browser Recommendations
Use a well-known browser, such as Internet Explorer (Windows),
Firefox (Mozilla-based), or Safari (Macintosh).
If the WebAAA certificate on the WX switch is self-signed, configure
the browser to trust the signature by installing the certificate on the
browser, so that the browser does not display a dialog about the
certificate each time the user tries to log on.
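The two certificate recommendations above (WX switch and client browser) both depend on whether the WebAAA certificate is self-signed or chains to a CA the client trusts. The following script is an added example, not part of this manual: it classifies a PEM certificate with the openssl command-line tool. It assumes the certificate is available as a PEM file; the function names, file names and subject names are hypothetical, and the sample certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the manual). All names and certificates are constructed.

# cert_trust_status CERT.pem [CA_BUNDLE.pem]
# Prints one of: self-signed | trusted-ca | untrusted-issuer
# Without CA_BUNDLE, trust is evaluated against the system default CA store.
cert_trust_status() {
    cert=$1
    bundle=${2:-}
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    # Self-signed: issuer equals subject and the signature verifies with its own key.
    if [ "$subject" = "$issuer" ] &&
       openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo self-signed
    elif openssl verify ${bundle:+-CAfile "$bundle"} "$cert" >/dev/null 2>&1; then
        echo trusted-ca
    else
        echo untrusted-issuer
    fi
}

# make_demo_certs DIR: build constructed sample input in DIR.
make_demo_certs() {
    d=$1
    # self.pem: certificate signed with its own key (the self-signed case)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=wx-switch.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    # ca.pem: a private test CA; leaf.pem: a certificate issued by that CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=webaaa.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
echo "self.pem:                $(cert_trust_status "$demo_dir/self.pem")"
echo "leaf.pem (system store): $(cert_trust_status "$demo_dir/leaf.pem")"
echo "leaf.pem (with ca.pem):  $(cert_trust_status "$demo_dir/leaf.pem" "$demo_dir/ca.pem")"
rm -rf "$demo_dir"
```

A result of self-signed or untrusted-issuer corresponds to the case where the browser shows the certificate dialog unless the certificate has been installed on the client.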