Configuring AAA for network users
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Configuring Web portal Web-based AAA
To configure Web Portal Web-based AAA:
1 Configure an SSID or wired authentication port and set the fallthru authentication type to web-portal.
The default for SSIDs and for wired authentication ports is none.
2 Configure individual Web-based AAA users. Because the VLAN is assigned based on the service profile
(where it is set by the attr vlan-name vlan-id option) or web-portal-wired user (where it is set to
default), WSS Software ignores the VLAN-Name and Tunnel-Private-Group-ID attributes. However,
WSS Software does assign other attributes if set.
3 Configure web authentication rules for the Web-based AAA users.
4 Save the configuration changes.
Web portal Web-based AAA configuration example
This example configures Web-Portal access to SSID mycorp.
1 Configure the user VLAN on ports 2 and 3, and configure an IP interface on the VLAN:
WSS# set vlan mycorp-vlan port 2-3
success: change accepted.
WSS# set interface mycorp-vlan ip 192.168.12.10 255.255.255.0
success: change accepted.
2 Configure the service profile for SSID mycorp. Configuration includes the following:
• Set the SSID name.
• Change the fallthru authentication type to web-portal.
• Set the default VLAN to mycorp-vlan (created in step 1). WSS Software will place Web-Portal users
into this VLAN.
• Enable RSN (WPA2) data encryption with CCMP. (This example assumes clients support this
encryption type.) TKIP is enabled by default and is left enabled in this example.
WSS# set service-profile mycorp-srvcprof ssid-name mycorp
success: change accepted.
WSS# set service-profile mycorp-srvcprof auth-fallthru web-portal
success: change accepted.
WSS# set service-profile mycorp-srvcprof attr vlan-name mycorp-vlan
success: change accepted.
WSS# set service-profile mycorp-srvcprof rsn-ie enable
Note. The VLAN does not need to be configured on the switch where you
configure Web Portal but the VLAN does need to be configured on a switch
somewhere in the Mobility Domain. The user’s traffic will be tunneled to the switch
where the VLAN is configured.
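The following is an added example, not part of the Nortel guide or WSS Software: a small offline check that reads saved set commands and reviews every service profile whose fallthru type is web-portal against the points made above (VLAN set on the service profile, VLAN defined locally or elsewhere in the Mobility Domain, RSN enabled). It assumes the configuration is available as plain set command lines in the form typed in this example; guest-srvcprof, guest-vlan and open-srvcprof are constructed sample names.

```python
# Constructed sample: the commands from the example above plus two
# hypothetical profiles (guest-srvcprof, open-srvcprof) added for illustration.
SAMPLE_CONFIG = """\
set vlan mycorp-vlan port 2-3
set interface mycorp-vlan ip 192.168.12.10 255.255.255.0
set service-profile mycorp-srvcprof ssid-name mycorp
set service-profile mycorp-srvcprof auth-fallthru web-portal
set service-profile mycorp-srvcprof attr vlan-name mycorp-vlan
set service-profile mycorp-srvcprof rsn-ie enable
set service-profile guest-srvcprof ssid-name guest
set service-profile guest-srvcprof auth-fallthru web-portal
set service-profile guest-srvcprof attr vlan-name guest-vlan
set service-profile open-srvcprof ssid-name lobby
"""

def audit_web_portal(config_text):
    """Return {profile: [findings]} for profiles whose fallthru is web-portal."""
    vlans, profiles = set(), {}
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["set", "vlan"] and len(words) >= 3:
            vlans.add(words[2])
        elif words[:2] == ["set", "service-profile"] and len(words) >= 5:
            # Option name is everything between the profile name and the value,
            # e.g. "auth-fallthru" or "attr vlan-name".
            profiles.setdefault(words[2], {})[" ".join(words[3:-1])] = words[-1]
    report = {}
    for name, opts in profiles.items():
        # The fallthru default is none, so only an explicit web-portal counts.
        if opts.get("auth-fallthru") != "web-portal":
            continue
        findings = []
        vlan = opts.get("attr vlan-name")
        if vlan is None:
            findings.append("attr vlan-name is not set on the service profile")
        elif vlan not in vlans:
            # Allowed by the Note above, but worth confirming by hand.
            findings.append(f"VLAN {vlan} is not defined on this switch; "
                            "it must exist elsewhere in the Mobility Domain")
        if opts.get("rsn-ie") != "enable":
            findings.append("rsn-ie is not enabled")
        report[name] = findings
    return report

if __name__ == "__main__":
    for profile, findings in audit_web_portal(SAMPLE_CONFIG).items():
        print(profile, findings or "ok")
```

An empty findings list means the profile matches the example configuration; a VLAN finding is informational, because the user's traffic can be tunneled to another switch in the Mobility Domain.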