
430 Configuring AAA for Network Users
320657-A
Web-based AAA Requirements and Recommendations
WSS Requirements
• Web-based AAA certificate—You must install a Web-based AAA certificate on the switch. You can
install a certificate signed by a trusted third-party certificate authority (CA), or one signed by the WSS
switch itself. (For information, see “Managing Keys and Certificates,” on page 379 or the Nortel Wireless
Security Switch Installation and Basic Configuration Guide.)
• If you choose to install a self-signed Web-based AAA certificate, use a common name (a required field in
the certificate) that resembles a web address and contains at least one dot. When WSS Software serves
the login page to the browser, the page’s URL is based on the common name in the Web-based AAA
certificate.
Here are some examples of common names in the recommended format:
● webaaa.login
● webaaa.customername.com
● webaaa.local
Here are some examples of common names that are not in the recommended format:
● webaaa
● trpz_webaaa
● web
• DNS must be configured. Configure the primary DNS server, and secondary servers if applicable (set ip
dns server command). Also configure the default domain name (set ip dns domain command), and
enable DNS (set ip dns enable command). By default, DNS is disabled and none of its parameters are
configured.
• User VLAN—The user’s VLAN must be statically configured on the WSS switch, and an IP interface
must be configured on the VLAN. The interface must be in the subnet on which the DHCP server will
place the user. (To configure a VLAN, see “Configuring and Managing VLANs” on page 88.)
• Fallthru authentication type—The fallthru authentication type for each SSID and wired authentication
port that you want to support Web-based AAA must be set to web-portal. This is the default fallthru
authentication type for SSIDs but not for wired authentication ports.
To set the fallthru authentication type for an SSID, set it in the service profile for the SSID,
using the set service-profile auth-fallthru command. To set it on a wired authentication port,
use the auth-fall-thru web-portal parameter of the set port type wired-auth command.
• Portal users—For each SSID, a web-portal-ssid user must be configured, and the VLAN-Name and
Filter-Id attributes must be configured. The VLAN-Name attribute must be set to the VLAN on which
you want to place users of the SSID. The Filter-Id attribute must map the ACL named web to the
web-portal-ssid user in the inbound traffic direction. (The name web is the default name of the ACL
created for portal Web-based AAA.)
You can create the web-portal-ssid user in the local database, on RADIUS servers, or both. A
Web-based AAA authentication rule can use either or both of these authentication and
authorization methods.
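The following is an added example, not taken from this guide, that walks the four requirements above through the WSS Software CLI for one SSID and one wired authentication port. The VLAN (guest, ID 20), subnet, DNS server, domain, SSID (guest-wifi), service profile (guest-sp), port numbers and the Filter-Id value web.in are placeholder assumptions; the command forms for set vlan, set interface, set user attr and set authentication web are recalled from WSS Software and should be checked against the command reference for your release.

```text
# 1. DNS is disabled by default: configure the primary server, the default
#    domain, then enable it (values are placeholders).
set ip dns server 10.1.1.5 primary
set ip dns domain example.com
set ip dns enable

# 2. Statically configured user VLAN with an IP interface in the subnet the
#    DHCP server places portal users into (10.20.0.0/24 assumed).
set vlan 20 name guest
set vlan guest port 3
set interface 20 ip 10.20.0.1 255.255.255.0

# 3. Fallthru type web-portal: the default for an SSID's service profile,
#    but it must be set explicitly on a wired authentication port.
set service-profile guest-sp auth-fallthru web-portal
set port type wired-auth 4 auth-fall-thru web-portal

# 4. Portal user for the SSID, carrying VLAN-Name and the inbound mapping of
#    the default "web" ACL (Filter-Id value web.in assumed).
set user web-portal-guest-wifi attr vlan-name guest
set user web-portal-guest-wifi attr filter-id web.in

# Web-based AAA authentication rule for the SSID using the local database;
# "radius-group-name" could be added (or substituted) for RADIUS lookup.
set authentication web ssid guest-wifi ** local
```

After applying these, verify the certificate's common name contains a dot and resolves through the DNS servers just configured, since that name is what the browser is redirected to for the login page.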