Nortel Networks 2300 Switch User Manual


 
552 Configuring AAA for network users
NN47250-500 (320657-F Version 02.01)
success: change accepted.
WSS# set authentication dot1x ssid mycorp * peap-mschapv2 local
success: change accepted.
The configuration order now shows that all 802.1X users are processed as you intended:
WSS# show aaa
...
set accounting dot1x ssid mycorp EXAMPLE/* start-stop group1
set authentication dot1x ssid mycorp EXAMPLE/* peap-mschapv2 group1
set accounting dot1x ssid mycorp * start-stop group1
set authentication dot1x ssid mycorp * peap-mschapv2 local
Configuring a Mobility Profile
A Mobility Profile specifies, on a per-user basis, which AP access ports and wired authentication ports on a WSS
a user is allowed to access. In this way, you can constrain the areas to which a user can roam. You
first create a Mobility Profile, then assign it to one or more users, and finally enable the Mobility Profile feature on the WSS.
Use the following command to create a Mobility Profile by giving it a name and identifying the accessible port or ports:
set mobility-profile name name
{port {none | all | port-list}} | {ap {none | all | ap-num}}
Specifying none prevents users assigned to the Mobility Profile from accessing any AP access ports, Distributed APs, or
wired authentication ports on the WSS. Specifying all allows the users access to all of the ports or Distributed APs.
Specifying an individual port or Distributed AP number or a list limits access to those ports or APs. For example, the
following command creates a Mobility Profile named roses-profile that allows access through ports 2 through 4, port 7,
and port 9:
WSS# set mobility-profile name roses-profile port 2-4,7,9
success: change accepted.
You can then assign this Mobility Profile to one or more users. For example, to assign the Mobility Profile roses-profile
to all users at EXAMPLE\, type the following command:
WSS# set user EXAMPLE\* attr mobility-profile roses-profile
success: change accepted.
(For a list of the commands for assigning attributes, see “Assigning attributes to users and groups” (page 528).)
During 802.1X authorization for clients at EXAMPLE\, WSS Software must search for the Mobility Profile named
roses-profile. If it is not found, the authorization fails and clients with usernames like EXAMPLE\jose and
EXAMPLE\tamara are rejected.
Caution! When Mobility Profile attributes are enabled, a user is denied access if
assigned a Mobility-Profile attribute in the local WSS database or RADIUS server and no
Mobility Profile of that name exists on the WSS.
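The following audit script is an added example, not part of the Nortel manual or WSS Software. It checks a saved configuration for users whose mobility-profile attribute names a profile that is not defined, the condition the caution above describes. It assumes the configuration uses exactly the command forms shown on this page and that profile names match case-sensitively; the sample configuration and the name lab-profile are constructed.

```python
import re

# Constructed sample configuration, using only command forms shown on this page.
SAMPLE_CONFIG = r"""
set mobility-profile name roses-profile port 2-4,7,9
set user EXAMPLE\* attr mobility-profile roses-profile
set user EXAMPLE\tamara attr mobility-profile lab-profile
"""

PROFILE_RE = re.compile(r"^set mobility-profile name (\S+) (port|ap) (\S+)$")
ASSIGN_RE = re.compile(r"^set user (\S+) attr mobility-profile (\S+)$")


def expand_port_list(spec):
    """Return 'none' or 'all' unchanged, or expand a list such as '2-4,7,9'."""
    if spec in ("none", "all"):
        return spec
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)


def audit(config_text):
    """Return (profiles, findings) for a configuration dump."""
    profiles, assignments = {}, []
    for line in config_text.splitlines():
        line = line.strip()
        m = PROFILE_RE.match(line)
        if m:
            name, kind, spec = m.groups()
            profiles.setdefault(name, {})[kind] = expand_port_list(spec)
            continue
        m = ASSIGN_RE.match(line)
        if m:
            assignments.append(m.groups())
    findings = []
    for user_glob, profile in assignments:
        if profile not in profiles:
            # Assumption: exact, case-sensitive name comparison.
            findings.append(f"{user_glob}: profile '{profile}' is not defined")
        elif all(v == "none" for v in profiles[profile].values()):
            findings.append(f"{user_glob}: profile '{profile}' is set to none")
    return profiles, findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Each finding of the first kind identifies users who are rejected once the Mobility Profile feature is enabled, so run the check before enabling it.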