Configuring AAA for Network Users

Portal ACL and User ACLs

The ACL that WSS Software creates automatically for the web-portal-ssid and web-portal-wired users applies only when a user’s session is in the portal state. After the user is authenticated and authorized, the ACL is no longer applicable.

To modify a user’s access while the user is still being authenticated and authorized, modify the ACL mapped to the web-portal-ssid or web-portal-wired user. To modify a Web-based AAA user’s access after the user is authenticated and authorized, map an ACL to the individual Web-based AAA user. Changes you make to the ACL mapped to the web-portal-ssid or web-portal-wired user do not affect user access after authentication and authorization are complete.

You do not need to make any configuration changes to the portal ACL. However, you can add ACEs to it if desired. For example, if you want to allow the user to access a credit card server while WSS Software is still authenticating and authorizing the user, you can add a permit ACE to the portal ACL. Do not change the ACEs that are already in the ACL, and make sure the last ACE in the ACL is the deny ACE that captures all traffic.
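As an added illustration, not WSS Software's own ACL syntax or the ACEs it actually generates, the following Python models the rule above: a new permit ACE is placed above the trailing deny-all, the existing ACEs are left untouched and in order, and the result is checked before it would be applied. The ACE fields, the stand-in portal ACL contents and the addresses are constructed assumptions.

```python
"""Add a permit ACE to a portal-style ACL without breaking its invariants."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    protocol: str     # "ip", "tcp" or "udp"
    src: str          # source prefix or "any"
    dst: str          # destination prefix or "any"
    dst_port: str = "any"

    def is_catch_all_deny(self) -> bool:
        return (self.action == "deny" and self.protocol == "ip"
                and self.src == "any" and self.dst == "any")


class PortalAclError(ValueError):
    pass


def add_permit_ace(acl: List[Ace], new_ace: Ace) -> List[Ace]:
    """Return a new ACL with new_ace inserted just above the final deny-all.

    Existing ACEs keep their order and the deny-all stays last, so traffic
    from a session still in the portal state is blocked by default.
    """
    if not acl or not acl[-1].is_catch_all_deny():
        raise PortalAclError("portal ACL must end with a deny-all ACE")
    if new_ace.action != "permit":
        raise PortalAclError("only permit ACEs should be added to the portal ACL")
    return acl[:-1] + [new_ace] + acl[-1:]


def check_unchanged(original: List[Ace], modified: List[Ace]) -> bool:
    """True if every original ACE survives, in order, and deny-all is still last."""
    kept = [ace for ace in modified if ace in original]
    return kept == original and modified[-1].is_catch_all_deny()


# Constructed stand-in for the automatically created portal ACL (illustration only).
PORTAL_ACL = [
    Ace("permit", "udp", "any", "any", "67"),          # DHCP so the client gets an address
    Ace("permit", "udp", "any", "any", "53"),          # DNS so the redirect can resolve
    Ace("permit", "tcp", "any", "192.0.2.1", "443"),   # login page on the switch (constructed address)
    Ace("deny", "ip", "any", "any"),                   # catch-all deny: must stay last
]

# Constructed example: let a portal-state user reach a payment server over HTTPS.
CREDIT_CARD_ACE = Ace("permit", "tcp", "any", "203.0.113.10", "443")

if __name__ == "__main__":
    updated = add_permit_ace(PORTAL_ACL, CREDIT_CARD_ACE)
    assert check_unchanged(PORTAL_ACL, updated)
    for ace in updated:
        print(ace)
```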

WSS Recommendations

Consider installing a Web-based AAA certificate signed by a trusted CA, instead of one signed by the WSS switch itself. Unless the client’s browser is configured to trust the signature on the switch’s Web-based AAA certificate, display of the login page can take several seconds longer than usual, and might be interrupted by a dialog asking the user what to do about the untrusted certificate. Generally, the browser is already configured to trust certificates signed by a CA.

Do not configure the service profile that manages the SSID to use WPA encryption with pre-shared keys (PSK). These options are configurable together but are not compatible. Web-based AAA traffic is not encrypted, whereas the PSK four-way handshake requires a client to already be authenticated and for encryption to be in place.

Client NIC Requirements

Configure the NIC to use DHCP to obtain its IP address. Web-based AAA does not support statically assigned IP addresses.

Client Web Browser Requirements

Do not configure an HTTPS proxy. Web-based AAA does not work if the browser has an HTTPS proxy enabled.

Client Web Browser Recommendations

Use a well-known browser, such as Internet Explorer (Windows), Firefox (Mozilla-based), or Safari (Macintosh).

If the Web-based AAA certificate on the WSS switch is self-signed, configure the browser to trust the signature by installing the certificate on the browser, so that the browser does not display a dialog about the certificate each time the user tries to log on.

320657-A
