Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

371

372

373

374

375

376

377

378

379

380

Configuring Web Web Portal WebAAA

17-26 Configuring AAA for Network Users

ThewebrulealsomustmatchontheSSIDtheuserwillusetoaccessthenetwork.Ifthe

userwillaccessthenetworkonawiredauthenticationport,therulemustmatchon

wired.

Toconfigureauthenticationrules,usethesetauthenticationwebcommand.

–WebPortalWebAAAmustbeenabled,

usingthesetweb‐portalcommand.Thefeatureis

enabledbydefault.

– Authenticationrules—AwebauthenticationrulemustbeconfiguredfortheWebAAA

users.ThewebrulemustmatchontheusernametheWebAAAuserwillenteronthe

WebAAAloginpage.(Thematchcanbeonausergloborindividual

username.)Theweb

rulealsomustmatchontheSSIDtheuserwillusetoaccessthenetwork.Iftheuserwill

accessthenetworkonawiredauthenticationport,therulemustmatchonwired.

Toconfigureauthenticationrules,usethesetauthenticationwebcommand.

–WebPortalWebAAAmustbe

enabled,usingthesetweb‐portalcommand.Thefeatureis

enabledbydefault.

Portal ACL and User ACLs

TheportalaclACL,whichMSScreatesautomatically,appliesonlywhenauser’ssessionisinthe

portalstate.Aftertheuserisauthenticatedandauthorized,theACLisnolongerapplicable.

Tomodifyauser’saccesswhiletheuserisstillbeingauthenticatedandauthorized,youcan

configureanotherACLand

mapthatACLinstea dtotheserviceprofileortheweb‐portal‐wired

user.Make suretousethecaptureoptionfortrafficyoudonotwanttoallow.EnterasysNetworks

recommendsthatyoudonotchangetheportalaclACL.LeavetheACLasabackupincaseyou

need

torefertoitoryouneedtouseitagain.

Forexample,ifyouwanttoallowtheusertoaccessacreditcardserverwhileMSSisstill

authenticatingandauthorizingtheuser,createanewACL,addACEsthatarethesameasthe

ACEsinportalacl,and

addanewACEbeforethelastone,toallowaccesstothecreditcardserver.

MakesurethelastACEintheACListhedenyACEthatcapturesalltrafficthatisnotallowedby

theotherACEs.

TomodifyaWebAAAuser’saccessaftertheuseris

authenticatedandauthorized,mapanACLto

theindividualWebAAAuser.ChangesyoumaketotheACLmappedtotheserviceprofileor

web‐portal‐wireduserdonotaffectuseraccessafterauthenticationandauthorizationare

complete.

Note: The filter-id attribute in a service profile applies only to authenticated users. If this attribute is

set in a service profile for an SSID accessed by Web-Portal users, the attribute applies only after

users have been authenticated. While a Web-Portal user is still being authenticated, the ACL set by

the web-portal-acl applies instead.