430 Configuring AAA for Network Users

Web-based AAA Requirements and Recommendations

WSS Requirements

Web-based AAA certificate—You must install a Web-based AAA certificate on the switch. You can install a certificate signed by a trusted third-party certificate authority (CA), or one signed by the WSS switch itself. (For information, see “Managing Keys and Certificates,” on page 379 or the Nortel Wireless Security Switch Installation and Basic Configuration Guide.)

If you choose to install a self-signed Web-based AAA certificate, use a common name (a required field in the certificate) that resembles a web address and contains at least one dot. When WSS Software serves the login page to the browser, the page's URL is based on the common name in the Web-based AAA certificate.

Here are some examples of common names in the recommended format:

- webaaa.login
- webaaa.customername.com
- webaaa.local

Here are some examples of common names that are not in the recommended format:

- webaaa
- trpz_webaaa
- web

DNS—DNS must be configured. Configure the primary DNS server, and secondary servers if applicable (set ip dns server command). Also configure the default domain name (set ip dns domain command), and enable DNS (set ip dns enable command). By default, DNS is disabled and none of its parameters are configured.

User VLAN—The user’s VLAN must be statically configured on the WSS switch, and an IP interface must be configured on the VLAN. The interface must be in the subnet on which the DHCP server will place the user. (To configure a VLAN, see “Configuring and Managing VLANs” on page 88.)

Fallthru authentication type—The fallthru authentication type for each SSID and wired authentication port that you want to support Web-based AAA must be set to web-portal. This is the default fallthru authentication type for SSIDs but not for wired authentication ports.

To set the fallthru authentication type for an SSID, set it in the service profile for the SSID, using the set service-profile auth-fallthru command. To set it on a wired authentication port, use the auth-fall-thru web-portal parameter of the set port type wired-auth command.

Portal users—For each SSID, a web-portal-ssid user (where ssid is the SSID name) must be configured, and the VLAN-Name and Filter-Id attributes must be configured for that user. The VLAN-Name attribute must be set to the VLAN on which you want to place users of the SSID. The Filter-Id attribute must map the ACL web to the web-portal-ssid user, in the inbound traffic direction. (The name web is the default name of the ACL created for portal Web-based AAA.)

You can create the web-portal-ssiduser in the local database, on RADIUS servers, or both. A Web-based AAA authentication rule can use either or both of these authentication and authorization methods.
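The following is an added example, not taken from this manual, that strings the requirements above into one WSS CLI session for a hypothetical SSID named guest on VLAN 20. The addresses, names and port number are assumptions, and the exact command syntax should be checked against the command reference for your WSS Software release.

```text
# DNS: primary server, default domain, then enable DNS (disabled by default)
set ip dns server 10.0.0.53 primary
set ip dns domain example.com          # assumed domain
set ip dns enable

# User VLAN: statically configured, with an IP interface in the DHCP subnet
set vlan 20 name guest-users
set vlan guest-users port 1            # assumed uplink port
set interface 20 ip 10.20.0.1 255.255.255.0   # same subnet DHCP hands out

# Fallthru type: web-portal is already the default for an SSID's
# service profile, but not for a wired authentication port
set service-profile guest-sp ssid-name guest
set service-profile guest-sp auth-fallthru web-portal
set port type wired-auth 2 auth-fall-thru web-portal   # assumed port 2

# Portal user for the SSID: web-portal-<ssid> with VLAN-Name and Filter-Id.
# Filter-Id "web.in" applies the default portal ACL "web" inbound, so an
# unauthenticated client on VLAN 20 is limited to what that ACL permits
# until the login page authenticates it.
set user web-portal-guest password portal-only   # assumed password
set user web-portal-guest attr vlan-name guest-users
set user web-portal-guest attr filter-id web.in

# Web-based AAA rule for the SSID: local database first, then RADIUS group
set authentication web ssid guest ** local radius-grp   # assumed group name
```

The web-portal-guest entry could equally be created on the RADIUS servers instead of, or as well as, the local database, since the authentication rule can list either or both methods.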

320657-A
