Nortel Networks 2300 Switch User Manual


 
498 Configuring AAA for network users
NN47250-500 (320657-F Version 02.01)
Fallthru authentication type—The fallthru authentication type for each SSID and wired authentication
port that you want to support Web-based AAA must be set to web-portal. The default authentication
type for wired authentication ports and for SSIDs is None (no fallthru authentication is used).
To set the fallthru authentication type for an SSID, set it in the service profile for the SSID,
using the set service-profile auth-fallthru command. To set it on a wired authentication port,
use the auth-fall-thru web-portal parameter of the set port type wired-auth command.
Authorization attributes—Wireless Web-Portal users get their authorization attributes from the SSID’s
service profile. To assign wireless Web-Portal users to a VLAN, use the set service-profile name attr
vlan-name vlan-id command.
Web-Portal users on wired authentication ports get their authorization attributes from the
special user web-portal-wired. To assign wired Web-Portal users to a VLAN, use the set user
web-portal-wired attr vlan-name vlan-id command. By default, web-portal-wired users are
assigned to the default VLAN.
Portal ACL (created by WSS Software automatically)—The portalacl ACL captures all the portal user’s
traffic except for DHCP traffic. The portalacl has the following ACEs:
set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture
WSS Software automatically creates the portalacl ACL the first time you set the fallthru
authentication type on any service profile or wired authentication port to web-portal.
The ACL is mapped to wireless Web-Portal users through the service profile. When you
set the fallthru authentication type on a service profile to web-portal, portalacl is set as
the Web-Portal ACL. The ACL is applied to a Web-Portal user’s traffic when the user
associates with the service profile’s SSID.
The ACL is mapped to Web-Portal users on a wired-authentication port by the Filter-id.in
attribute configured on the web-portal-wired user. When you set the fallthru authentication
type on a wired authentication port to web-portal, WSS Software creates the
web-portal-wired user. WSS Software sets the filter-id attribute on the user to
portalacl.in.
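The following Python example is an added illustration, not part of the Nortel manual or WSS Software. It parses the two portalacl ACEs listed above, evaluates constructed packets against them, and flags any permit ACE other than the DHCP one. It assumes wildcard-mask matching, first-match evaluation and an implicit deny; the function names and packet values are constructed for the example.

```python
import ipaddress
import re

# The two ACEs exactly as listed on this page.
PORTALACL = [
    "set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 "
    "0.0.0.0 255.255.255.255 eq 67",
    "set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture",
]
ACE_RE = re.compile(
    r"set security acl ip \S+ (?P<action>permit|deny)(?: (?P<proto>udp|tcp))?"
    r" (?P<src>\S+) (?P<smask>\S+)(?: eq (?P<sport>\d+))?"
    r"(?: (?P<dst>\d\S+) (?P<dmask>\S+)(?: eq (?P<dport>\d+))?)?"
    r"(?P<capture> capture)?$")
DHCP_ACE = {"action": "permit", "proto": "udp", "sport": "68", "dport": "67"}

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    return m.groupdict()

def ip_match(addr, base, wildcard):
    # Assumption: wildcard-mask semantics, bits set in the mask are ignored.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(aces, pkt):
    """First-match evaluation; returns (action, captured)."""
    for ace in map(parse_ace, aces):
        if ((ace["proto"] and ace["proto"] != pkt["proto"])
                or not ip_match(pkt["src"], ace["src"], ace["smask"])
                or (ace["sport"] and int(ace["sport"]) != pkt["sport"])
                or (ace["dst"] and not ip_match(pkt["dst"], ace["dst"], ace["dmask"]))
                or (ace["dport"] and int(ace["dport"]) != pkt["dport"])):
            continue
        return ace["action"], bool(ace["capture"])
    return "deny", False  # assumption: implicit deny when no ACE matches

def unexpected_permits(aces):
    """Return permit ACEs other than DHCP client (68) to server (67)."""
    parsed = [(line, parse_ace(line)) for line in aces]
    return [line for line, a in parsed if a["action"] == "permit"
            and any(a[k] != v for k, v in DHCP_ACE.items())]

# Constructed sample packets from an unauthenticated Web-Portal client.
DHCP_DISCOVER = dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67)
HTTP_GET = dict(proto="tcp", src="10.10.10.25", sport=49152, dst="192.0.2.80", dport=80)

if __name__ == "__main__":
    for name, pkt in (("DHCP", DHCP_DISCOVER), ("HTTP", HTTP_GET)):
        print(name, evaluate(PORTALACL, pkt))
    print("unexpected permits:", unexpected_permits(PORTALACL))
```

Running unexpected_permits over the portalacl lines from a saved configuration shows whether anything beyond DHCP has been permitted ahead of the capture rule.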
Note. In WSS Software Version 4.1 and earlier, the VLAN was required to be
statically configured on the WSS where Web-based AAA was configured and
through which the user accessed the network. WSS Software Version 4.2 removes
this restriction. The VLAN you want to place an authenticated Web-based AAA
user on does not need to be statically configured on the switch where Web Portal
is configured. If the VLAN you assign to a user is not statically configured on the
switch where the user accesses the network, the switch where the user accesses
the network builds a tunnel to the switch where the user’s VLAN is configured.
That switch uses DHCP to assign an IP address to the user.