Assigning Authorization Attributes 487
Non-802.1X Users of a Third-Party AP with
To configure MSS to authenticate non-802.1X users of a third-party AP,
use the same commands as those required for 802.1X users. Additionally,
when configuring the wired authentication port, use the auth-fall-thru
option to change the fallthru authentication type to last-resort or
On the RADIUS server, configure username web-portal-ssid or
last-resort-ssid, depending on the fallthru authentication type you
specify for the wired authentication port.
for Any Users of a
If SSID traffic from the third-party AP is untagged, use the same
configuration commands as the ones required for 802.1X users, except
the set radius proxy port command. This command is not required and
is not applicable to untagged SSID traffic. In addition, when configuring
the wired authentication port, use the auth-fall-thru option to change
the fallthru authentication type to last-resort or web-portal.
On the RADIUS server, configure username web-portal-wired or
last-resort-wired, depending on the fallthru authentication type
specified for the wired authentication port.
Authorization attributes can be assigned to users in the local database, on
remote servers, or in the service profile of the SSID the user logs into. The
attributes, which include access control list (ACL) filters, VLAN
membership, encryption type, session time-out period, and other session
characteristics, let you control how and when users access the network.
When a user or group is authenticated, the local database, RADIUS
server, or service profile passes the authorization attributes to MSS to
characterize the user’s session.
If attributes are configured for a user and also for the group the user is in,
the attributes assigned to the individual user take precedence for that
user. For example, if the start-date attribute configured for a user is
earlier than the start-date configured for the user group the user is in,
the user’s network access can begin on the user’s start-date. The
user does not need to wait for the user group’s start date.
The VLAN attribute is required. MSS can authorize a user to access the
network only if the VLAN to place the user on is specified.
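
The following Python sketch is an added example, not code or output from MSS or from this guide. It audits a constructed user and group database for the two rules stated above: user attributes override group attributes, and a session with no VLAN cannot be authorized. The key names `vlan-name` and `session-timeout`, the dictionary layout, and the sample entries are assumptions made for illustration.

```python
from datetime import date

REQUIRED = "vlan-name"  # assumed key name for the required VLAN attribute

# Constructed sample data; not taken from any real configuration.
GROUPS = {"contractors": {"vlan-name": "guest", "start-date": date(2024, 6, 1)}}
USERS = {
    "alice": {"group": "contractors", "attrs": {"start-date": date(2024, 5, 15)}},
    "bob": {"group": None, "attrs": {"session-timeout": 3600}},
    "carol": {"group": "contractors", "attrs": {}},
}


def effective_attributes(user_attrs, group_attrs):
    """Merge attributes; a value set on the user overrides the group's value."""
    merged = dict(group_attrs)
    merged.update(user_attrs)
    return merged


def audit(users, groups):
    """Return (effective attributes per user, list of findings)."""
    effective, findings = {}, []
    for name, entry in sorted(users.items()):
        group_name = entry.get("group")
        if group_name and group_name not in groups:
            findings.append((name, "unknown-group", group_name))
        group_attrs = groups.get(group_name, {})
        user_attrs = entry.get("attrs", {})
        attrs = effective_attributes(user_attrs, group_attrs)
        effective[name] = attrs
        # Without a VLAN the user cannot be authorized at all.
        if not attrs.get(REQUIRED):
            findings.append((name, "no-vlan", "cannot be authorized"))
        # Flag per-user values that silently replace the group policy.
        for key, value in user_attrs.items():
            if key in group_attrs and group_attrs[key] != value:
                findings.append((name, "overrides-group", key))
    return effective, findings


if __name__ == "__main__":
    eff, found = audit(USERS, GROUPS)
    for finding in found:
        print(*finding)
```

Reviewing the `overrides-group` findings shows where an individual entry grants earlier or broader access than the group policy intends.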