Configuring AAA for Network Users 431

The web ACL is created automatically by WSS Software, and has the following ACEs:

set security acl ip portalacl.in permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67

set security acl ip portalacl.in deny 0.0.0.0 255.255.255.255 capture

Caution! If you do not use the Filter-Id attribute to map the portal ACL to the inbound traffic direction of the web-portal-ssid and web-portal-wired users, the Web-based AAA users are placed into the VLAN associated with the web-portal-ssid or web-portal-wired user without any filters, so a client that has not yet logged in can reach that VLAN unfiltered instead of being limited to DHCP and the login page.

For wired authentication ports, create a web-portal-wired user and configure the VLAN-Name and Filter-Id attributes as described above. The VLAN-Name must be the user’s VLAN and the Filter-Id attribute must map the web ACL created by WSS Software to the inbound traffic direction.

Note. Portal Web-based AAA does not assign a user to a VLAN based on the VLAN-Name or Tunnel-Private-Group-ID authorization attribute set for the user. WSS Software ignores these attributes and leaves the user in the VLAN assigned to the web-portal-ssid or web-portal-wired user.

Web-based AAA users—Information for the username that will be entered for login must be configured in the local database or on a RADIUS server. You can configure authorization attributes for the Web-based AAA user. However, the VLAN-Name or Tunnel-Private-Group-ID attribute is ignored. The optional VSAs include url, which redirects an authenticated user to a URL other than the one they were attempting to access when they logged on.

To configure user information in the local database, use the set user and set user username attr commands. To configure user groups and set attributes on a group basis, use the set user username group and set usergroup commands.

Authentication rules—A last-resort authentication rule must be configured for each web-portal-ssid user and for the web-portal-wired user, if configured. The last-resort rule specifies the authentication method (local database or RADIUS server group) to use for the part of the session during which the user is waiting to be authenticated and authorized.

In addition, a web authentication rule must be configured for the Web-based AAA users. Whereas the last-resort rule matches on the web-portal-ssid or web-portal-wired user, the web rule must match on the username the Web-based AAA user will enter on the Web-based AAA login page. The web rule also must match on the SSID the user will use to access the network. If the user will access the network on a wired authentication port, the rule must match on wired.

To configure authentication rules, use the set authentication web and set authentication last-resort commands.

Portal Web-based AAA must be enabled, using the set web-aaa command. The feature is enabled by default.
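The following is an added worked example that ties the steps above together; it is not configuration from the guide or from a Nortel switch. It assumes an SSID named guest, a VLAN named guest-vlan, a Web-based AAA user named alice, and that the last-resort user for an SSID is named web-portal-<ssid> (here web-portal-guest); the placeholder passwords, the url value and the enable keyword on set web-aaa are likewise assumptions. Both the wireless and wired last-resort users are given the Filter-Id attribute so that the automatically created portalacl.in ACL is applied inbound, which is the check the Caution above is about.

```text
# Last-resort user for SSID guest (assumed name web-portal-guest).
# VLAN-Name: the VLAN the client sits in while waiting to log in.
# Filter-Id: map the auto-created web ACL to the INBOUND direction
# (the .in suffix); without it the client is in guest-vlan unfiltered.
set user web-portal-guest password portalpass
set user web-portal-guest attr vlan-name guest-vlan
set user web-portal-guest attr filter-id portalacl.in

# Same attributes for clients on wired authentication ports.
set user web-portal-wired password portalpass
set user web-portal-wired attr vlan-name guest-vlan
set user web-portal-wired attr filter-id portalacl.in

# The Web-based AAA user who enters credentials on the login page.
# A vlan-name attribute on this user would be ignored (the user stays
# in guest-vlan); the optional url VSA is honoured and overrides the
# originally requested page after login (assumed value).
set user alice password s3cret-example
set user alice attr url https://intranet.example.com/welcome

# Last-resort rules: method used before the user has logged in.
set authentication last-resort ssid guest local
set authentication last-resort wired local

# Web rules: match the login-page username and the SSID (or wired).
set authentication web ssid guest alice local
set authentication web wired alice local

# Portal Web-based AAA is on by default; stated explicitly here
# (enable keyword assumed).
set web-aaa enable
```

To verify the result, check that the web-portal-guest and web-portal-wired users both carry filter-id portalacl.in before putting the SSID into service; a client that can reach hosts in guest-vlan on anything other than DHCP before logging in indicates the Filter-Id mapping is missing.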

Nortel WLAN Security Switch 2300 Series Configuration Guide
