440 Configuring AAA for Network Users
320657-A
When user djoser is successfully authenticated and authorized, WSS Software redirects the user to the
following URL:
https://saqqara.org/login.php?user=djoser
To verify configuration of a redirect URL and other user attributes, type the show aaa command.
Configuring Last-Resort Access
Users who are not authenticated and authorized by 802.1X methods or a MAC address can gain limited access
to the network as guest users. You can optionally configure a special username called last-resort-wired (for
wired authentication access) or last-resort-ssid, where ssid is the SSID requested by the user. To match on the
wildcard SSID name any, configure user last-resort-any, exactly as spelled here.
To configure a last-resort authentication rule, use the following command:
set authentication last-resort {ssid ssid-name | wired}
method1 [method2] [method3] [method4]
For example, to enable wireless users who request SSID guestssid to join the network on VLAN k3, type the
following commands:
23x0# set authentication last-resort ssid guestssid local
success: change accepted
23x0# set user last-resort-guestssid attr vlan-name k3
success: change accepted
Note. Although WSS Software allows you to configure a user password for a last-resort
user, the password has no effect. Last-resort users can never access an WSS in
administrative mode and never require a password when authorized locally. However, if the
last-resort user is authorized on a RADIUS server, the server might require a password. In
this case, use the authorization password set on the WSS switch, which is Nortel by
default.
Note. The fallthru authentication type must be set to last-resort. Otherwise, last-resort
access is disabled. The default fallthru authentication type for wireless access to an SSID is
web. The default for wired authentication access is none. (To change the fallthru
authentication type for an SSID, see “Changing the Fallthru Authentication Type” on
page 265. To change it for a wired authentication port, see “Setting a Port for a Wired
Authentication User” on page 76.
