Operation Manual

AAA Commands
9 – 175
If you specify multiple authentication methods in the set authentication web command, MSS
applies them in the order in which they appear in the command, with these results:
  - If the first method responds with pass or fail, the evaluation is final.
  - If the first method does not respond, MSS tries the second method, and so on.
However, if local appears first, followed by a RADIUS server group, MSS overrides any failed
searches in the local MX database and sends an authentication request to the server group.
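The ordering rules above, modelled as a small Python function. This is an added illustration, not MSS code. The group name corp-radius, the Result values, applying "pass or fail is final" to later methods, and the result returned when no method gives a final answer are assumptions.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NO_RESPONSE = "no-response"  # method did not answer


def evaluate(methods, responses):
    """Model the ordering rules for an ordered list of method names.

    methods   -- e.g. ["local", "corp-radius"]; "local" is the local MX database
    responses -- constructed input: method name -> Result
    Returns (decision, trace), where trace lists the methods actually consulted.
    """
    trace = []
    for index, name in enumerate(methods):
        result = responses.get(name, Result.NO_RESPONSE)
        trace.append((name, result))
        if result is Result.PASS:
            return Result.PASS, trace
        if result is Result.FAIL:
            # Documented exception: a failed lookup in "local", when local is
            # listed first and another method follows, is overridden and the
            # request is sent on to the server group.
            if index == 0 and name == "local" and len(methods) > 1:
                continue
            return Result.FAIL, trace  # pass/fail from any other method is final
        # NO_RESPONSE: try the next method in the list
    # The page does not say what happens when nothing gives a final answer;
    # the model reports that instead of guessing.
    return Result.NO_RESPONSE, trace


if __name__ == "__main__":
    cases = [  # constructed scenarios; "corp-radius" is a hypothetical group name
        (["local", "corp-radius"], {"local": Result.FAIL, "corp-radius": Result.PASS}),
        (["corp-radius", "local"], {"corp-radius": Result.FAIL, "local": Result.PASS}),
        (["corp-radius", "local"], {"local": Result.PASS}),
    ]
    for methods, responses in cases:
        decision, trace = evaluate(methods, responses)
        consulted = " -> ".join(f"{n}={r.value}" for n, r in trace)
        print(f"{' '.join(methods):20} {decision.value:12} ({consulted})")
```

With local listed first, a user who fails the local lookup is still authenticated if the server group accepts the credentials, so both stores have to be reviewed for the SSID and userglob in the rule.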
MSS uses a WebAAA rule only under the following conditions:
  - The client is not denied access by 802.1X or does not support 802.1X.
  - The client MAC address does not match a MAC authentication rule.
  - The fallthru type is web-portal. (For a wireless authentication rule, the fallthru type is
    specified by the set service-profile auth-fallthru command. For a wired authentication
    rule, the type is specified by the auth-fall-thru option of the set port type wired-auth
    command.)
Examples
The following command configures a WebAAA rule in the local MX database for SSID
ourcorp and userglob rnd*:
MX# set authentication web ssid ourcorp rnd* local
success: change accepted.
See Also
clear authentication web on page 9-152
set authentication admin on page 9-164
set authentication console on page 9-165
set authentication dot1x on page 9-167
show aaa on page 9-190
set location policy
Creates and enables a location policy on an MX. A location policy enables you to locally set or
change authorization attributes for a user after the user is authorized by AAA, without making
changes to the AAA server.
Syntax
set location policy deny if {ssid operator ssid-name | time-of-day
operator time-of-day | vlan operator vlan-glob | user operator user-glob |
port port-list | ap ap-num | all}
[before rule-number | modify rule-number]
Syntax
set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name}
if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob | port
port-list | ap ap-num | all}
[before rule-number | modify rule-number]
deny               Denies access to the network to users with attributes that
                   match the location policy rule.
permit             Allows access to the network or to a specified VLAN, and/or
                   assigns a particular security ACL to users with attributes
                   matching the location policy rule.
Action options—For a permit rule, MSS changes the attributes assigned to the user
to the values specified by the following options:
vlan vlan-name     Name of an existing VLAN to assign to users with attributes
                   matching the location policy rule.
inacl inacl-name   Name of an existing security ACL to apply to packets sent to the
                   MX switch with attributes matching the location policy rule.
                   Optionally, you can add the suffix .in to the name.