Configuring Web Portal WebAAA
RoamAbout Mobility System Software Configuration Guide 17-25
• Fallthru authentication type—The fallthru authentication type for each SSID and wired
authentication port that you want to support WebAAA must be set to web-portal. The default
authentication type for wired authentication ports and for SSIDs is None (no fallthru
authentication is used).
To set the fallthru authentication type for an SSID, set it in the service profile for the SSID,
using the set service-profile auth-fallthru command. To set it on a wired authentication port,
use the auth-fall-thru web-portal parameter of the set port type wired-auth command.
• Authorization attributes—Wireless Web-Portal users get their authorization attributes from
the SSID’s service profile. To assign wireless Web-Portal users to a VLAN, use the
set service-profile name attr vlan-name vlan-id command.
Web-Portal users on wired authentication ports get their authorization attributes from the
special user web-portal-wired. To assign wired Web-Portal users to a VLAN, use the set user
web-portal-wired attr vlan-name vlan-id command. By default, web-portal-wired users are
assigned to the default VLAN.
• Portal users (created by MSS automatically)—The portalacl ACL captures all the portal user’s
traffic except for DHCP traffic. The portalacl has the following ACEs:
set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture
MSS automatically creates the portalacl ACL the first time you set the fallthru authentication
type on any service profile or wired authentication port to web-portal.
– The ACL is mapped to wireless Web-Portal users through the service profile. When you
set the fallthru authentication type on a service profile to web-portal, portalacl is set as the
Web-Portal ACL. The ACL is applied to a Web-Portal user’s traffic when the user
associates with the service profile’s SSID.
– The ACL is mapped to Web-Portal users on a wired-authentication port by the Filter-id.in
attribute configured on the web-portal-wired user. When you set the fallthru
authentication type on a wired authentication port to web-portal, MSS creates the
web-portal-wired user. MSS sets the filter-id attribute on the user to portalacl.in.
• Authentication rules—A web authentication rule must be configured for the WebAAA
users. The web rule must match on the username the WebAAA user will enter on the
WebAAA login page. (The match can be on a user glob or individual username.)
Note: In MSS Version 4.1 and earlier, the VLAN was required to be statically configured on the
RoamAbout Switch where WebAAA was configured and through which the user accessed the
network. MSS Version 4.2 removes this restriction. The VLAN you want to place an authenticated
WebAAA user on does not need to be statically configured on the switch where Web Portal is
configured. If the VLAN you assign to a user is not statically configured on the switch where the user
accesses the network, the switch where the user accessed the network builds a tunnel to the switch
where the user’s VLAN is configured. That switch uses DHCP to assign an IP address to the user.
Caution: Without the Web-Portal ACL, WebAAA users will be placed on the network without any
filters.
Caution: Do not change the deny rule at the bottom of the Web-Portal ACL. This rule must be
present and the capture option must be used with the rule. If the rule does not have the capture
option, the Web Portal user never receives a login page. If you need to modify the Web-Portal ACL,
create a new one instead, and modify the service profile or web-portal-wired user to use the new
ACL. (See “Portal ACL and User ACLs” on page 17-26.)
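The two cautions above can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the original guide or of MSS; it assumes each ACE appears on one line in the set security acl ip form shown on this page, and the function names and sample configurations are constructed for illustration.

```python
import re

ANY = "0.0.0.0 255.255.255.255"
ACE_RE = re.compile(r"^set security acl ip (\S+) (permit|deny) (.+)$")

# Constructed sample configurations (the ACEs are the two shown on this page).
GOOD_CONFIG = f"""
set security acl ip portalacl permit udp {ANY} eq 68 {ANY} eq 67
set security acl ip portalacl deny {ANY} capture
"""
NO_CAPTURE_CONFIG = f"""
set security acl ip portalacl permit udp {ANY} eq 68 {ANY} eq 67
set security acl ip portalacl deny {ANY}
"""

def parse_acls(config_text):
    """Return {acl_name: [(action, rest), ...]} in configuration order."""
    acls = {}
    for raw in config_text.splitlines():
        m = ACE_RE.match(" ".join(raw.split()))  # normalise whitespace
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls

def audit_portal_acl(config_text, acl_name="portalacl"):
    """Return a list of findings; an empty list means the ACL passes."""
    aces = parse_acls(config_text).get(acl_name)
    if not aces:
        # First caution: without the ACL, users are placed on the network unfiltered.
        return [f"{acl_name}: ACL missing, Web-Portal users would be unfiltered"]
    findings = []
    if ("permit", f"udp {ANY} eq 68 {ANY} eq 67") not in aces:
        findings.append(f"{acl_name}: no DHCP permit ACE (udp 68 to 67)")
    action, rest = aces[-1]
    if action != "deny" or not rest.startswith(ANY):
        findings.append(f"{acl_name}: last ACE is not the deny-all rule")
    elif "capture" not in rest.split():
        # Second caution: without capture the user never receives a login page.
        findings.append(f"{acl_name}: final deny lacks capture, no login page")
    return findings

if __name__ == "__main__":
    samples = (("good", GOOD_CONFIG), ("no capture", NO_CAPTURE_CONFIG), ("no ACL", ""))
    for label, cfg in samples:
        print(label, "->", audit_portal_acl(cfg) or "OK")
```

Pass a different acl_name to audit a replacement Web-Portal ACL created in place of portalacl.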