Nortel Networks 2300 Switch User Manual
Configuring AAA for network users 495
Nortel WLAN—Security Switch 2300 Series Configuration Guide
How Web portal Web-based AAA works
1 A Web-based AAA user attempts to access the network. For a wireless user, this begins when the user’s network interface card (NIC) associates with an SSID on a Nortel radio. For a wired authentication user, this begins when the user’s NIC sends data on the wired authentication port.

2 WSS Software starts a portal session for the user, and places the user in a VLAN.
   • If the user is wireless (associated with an SSID), WSS Software assigns the user to the VLAN set by the vlan-name attribute for the SSID’s service profile.
   • If the user is on a wired authentication port, the VLAN is the one assigned to the web-portal-wired user.

3 The user opens a web browser. The web browser sends a DNS request for the IP address of the home page or a URL requested by the user.

4 WSS Software does the following:
   • Intercepts the DNS request, uses the WSS Software DNS proxy to obtain the URL’s IP address from the network DNS server, and sends the address to the user’s browser.
   • Serves a login page to the Web-based AAA user. (Also see “Display of the login page” (page 495).)

5 The user enters their username and password in the Web-based AAA login page.

6 WSS Software authenticates the user by checking RADIUS or the switch’s local database for the username and password entered by the user. If the user information is present, WSS Software authorizes the user based on the authorization attributes set for the user.

7 After authentication and authorization are complete, WSS Software changes the user’s session from a portal session with the name web-portal-ssid or web-portal-wired to a Web-based AAA session with the user’s name. The session remains connected, but is now an identity-based session for the user instead of a portal session.

8 WSS Software redirects the browser to the URL initially requested by the user or, if the URL VSA is configured for the user, redirects the user to the URL specified by the VSA.

9 The web page for the URL to which the user is redirected appears in the user’s browser window.
Display of the login page
When a Web-based AAA client first tries to access a web page, the client’s browser sends a DNS request to obtain the IP address mapped to the domain name requested by the client’s browser. The WSS proxies this DNS request to the network’s DNS server, then proxies the reply back to the client. If the DNS server has a record for the requested URL, the request is successful and the WSS serves a web login page to the client. However, if the DNS request is unsuccessful, the WSS displays a message informing the user of this and does not serve the login page.

If the WSS does not receive a reply to a client’s DNS request, the WSS spoofs a reply to the browser by sending the WSS’s own IP address as the resolution to the browser’s DNS query. The WSS also serves the web login page. This behavior simplifies use of the Web-based AAA feature in networks that do not have a DNS server. However, if the
Note. WSS Software ignores the VLAN-Name or Tunnel-Private-Group-ID attribute associated with the user, and leaves the user in the VLAN associated with the SSID’s service profile (if wireless) or with the web-portal-wired user (if the user is on a wired authentication port).
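The following toy model ties together the nine-step Web-based AAA flow, the three DNS outcomes described under “Display of the login page” (record found, server answers with no record, no reply at all), and the Note about the user’s VLAN not changing at login. It is an added example written for this page, not Nortel code or WSS Software behaviour beyond what the text states; the switch address, the DNS records, the user entries (including the constructed URL VSA and VLAN-Name values) and the class and method names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, Optional

# Constructed value: the switch's own address, which it hands back as a spoofed
# DNS answer when the network DNS server does not reply.
WSS_IP = "10.0.0.1"

# Constructed sample data standing in for the network DNS server and for the
# switch's local user database (a real database would not hold plaintext secrets).
SAMPLE_DNS = {"intranet.example.com": "192.0.2.10"}
SAMPLE_USERS = {
    "alice": {"password": "s3cret"},
    # bob has a URL VSA and a VLAN-Name attribute; the latter is ignored (see the Note).
    "bob": {"password": "pa55", "url": "http://portal.example.com/welcome", "vlan_name": "eng"},
}


@dataclass
class Session:
    name: str           # web-portal-ssid / web-portal-wired until login, then the username
    vlan: str           # fixed when the portal session starts; login never changes it
    portal: bool = True # False once the session becomes identity-based (step 7)


@dataclass
class DnsResult:
    ip: Optional[str]   # address returned to the browser, None when the lookup failed
    login_page: bool    # whether the switch serves the login page
    message: str


class WebPortalSwitch:
    """Toy model of the Web-based AAA flow on this page (hypothetical class)."""

    def __init__(self, dns_records: Dict[str, str], local_users: Dict[str, dict], wired_vlan: str):
        self.dns_records = dns_records   # stands in for the network DNS server
        self.local_users = local_users   # stands in for the local database (or RADIUS)
        self.wired_vlan = wired_vlan     # VLAN assigned to the web-portal-wired user

    def start_portal_session(self, wireless: bool, ssid_vlan: Optional[str] = None) -> Session:
        # Steps 1-2: a portal session named for the access type, placed in the
        # service profile's VLAN (wireless) or the web-portal-wired user's VLAN (wired).
        if wireless:
            return Session("web-portal-ssid", ssid_vlan)
        return Session("web-portal-wired", self.wired_vlan)

    def resolve(self, session: Session, hostname: str, dns_reply: bool = True) -> DnsResult:
        # Steps 3-4 and "Display of the login page": proxy the browser's DNS request
        # and decide whether the login page is served.
        if not session.portal:
            return DnsResult(self.dns_records.get(hostname), False, "identity-based session; no portal")
        if not dns_reply:
            # No reply from the network DNS server: spoof the answer with the switch's
            # own address and still serve the login page (networks without DNS).
            return DnsResult(WSS_IP, True, "spoofed reply; login page served")
        ip = self.dns_records.get(hostname)
        if ip is None:
            # The server answered but has no record: tell the user, serve no login page.
            return DnsResult(None, False, f"DNS lookup for {hostname} failed")
        return DnsResult(ip, True, "proxied reply; login page served")

    def login(self, session: Session, username: str, password: str, requested_url: str) -> Optional[str]:
        # Steps 5-8: check the credentials, turn the portal session into an
        # identity-based session and choose the redirect target.
        user = self.local_users.get(username)
        if user is None or not compare_digest(user["password"], password):
            return None                  # authentication failed; still a portal session
        session.name = username
        session.portal = False
        # The Note: VLAN-Name / Tunnel-Private-Group-ID on the user is ignored, so
        # session.vlan is deliberately left as it was.
        return user.get("url") or requested_url   # URL VSA wins when configured


def demo() -> tuple:
    """Wireless user 'bob' walks through the whole flow; returns (session name, vlan, redirect)."""
    sw = WebPortalSwitch(SAMPLE_DNS, SAMPLE_USERS, wired_vlan="guest-wired")
    s = sw.start_portal_session(wireless=True, ssid_vlan="guest-wifi")
    sw.resolve(s, "intranet.example.com")                      # login page served
    redirect = sw.login(s, "bob", "pa55", "http://intranet.example.com/")
    return s.name, s.vlan, redirect


if __name__ == "__main__":
    print(demo())
```

The three branches in `resolve` are the point worth checking in a deployment: a captive portal that spoofs DNS answers with its own address is convenient on DNS-less networks, but it also means a browser can receive a forged address for any name while the session is still a portal session, so the model drops back to plain proxying as soon as the session becomes identity-based.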