Nortel 2350 User Guide

Configuring AAA for network users 497
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Web-based AAA requirements and recommendations
WSS requirements
Web-based AAA certificate—A Web-based AAA certificate must be installed on the switch. You can use a 
self-signed (signed by the WSS) Web-based AAA certificate automatically generated by WSS Software, manually 
generate a self-signed one, or install one signed by a trusted third-party certificate authority (CA). (For more 
information, see 
If you choose to install a self-signed Web-based AAA certificate, use a common name (a required field in 
the certificate) that resembles a web address and contains at least one dot. When WSS Software serves 
the login page to the browser, the page’s URL is based on the common name in the Web-based AAA 
certificate. 
Here are some examples of common names in the recommended format: 
web-based aaa.login
web-based aaa.customername.com
portal.local
Here are some examples of common names that are not in the recommended format:
web-based aaa
nrtl_webaaa
webportal
User VLAN—An IP interface must be configured on the user’s VLAN. The interface must be in the subnet on 
which the DHCP server will place the user, so that the switch can communicate with both the client and the client’s 
preferred DNS server. (To configure a VLAN, see 
.) 
If users will roam from the switch where they connect to the network to other WSSs, the system IP 
addresses of the switches should not be in the web-portal VLAN. 
Although the SSID’s default VLAN and the user VLAN must be the same, you can use a location policy 
on the switch where the service profile is configured to move the user to another VLAN. The other VLAN 
is not required to be statically configured on the switch. The VLAN does have the same requirements as 
other user VLANs, as described above. For example, the user VLAN on the roamed-to switch must have 
an IP interface, the interface must be in the subnet that has DHCP, and the subnet must be the same one 
the DHCP server will place the user in. 
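The requirements above can be checked against a planned deployment before any switch is configured. The following is an added example, not part of the Nortel guide or WSS Software: the inventory format, switch names, addresses and finding codes are assumptions, and the web-portal VLAN is treated as the subnet the DHCP server assigns to users.

```python
import ipaddress

# Constructed sample inventory (not from the guide): addresses and switch names are made up.
DHCP_SUBNET = "10.10.20.0/24"   # subnet the DHCP server places web-portal users in
SWITCHES = [
    {"name": "wss-a", "cert_cn": "portal.local", "user_vlan_ip": "10.10.20.1", "system_ip": "10.10.1.5"},
    {"name": "wss-b", "cert_cn": "webportal", "user_vlan_ip": "10.10.30.1", "system_ip": "10.10.20.9"},
    {"name": "wss-c", "cert_cn": "nrtl_webaaa", "user_vlan_ip": None, "system_ip": "10.10.1.7"},
]

def cn_recommended(cn):
    """Guide's rule: the common name resembles a web address and has at least one dot."""
    labels = cn.strip().split(".")
    return len(labels) >= 2 and all(labels)   # rejects "webportal", ".local", "portal."

def audit_switch(sw, dhcp_subnet, users_roam):
    """Return finding codes for one switch, in the order the guide lists the requirements."""
    net = ipaddress.ip_network(dhcp_subnet)
    findings = []
    if not cn_recommended(sw["cert_cn"]):
        findings.append("cn-format")
    if sw["user_vlan_ip"] is None:
        findings.append("no-vlan-interface")
    elif ipaddress.ip_address(sw["user_vlan_ip"]) not in net:
        findings.append("vlan-interface-outside-dhcp-subnet")
    # Only relevant when users roam between switches.
    if users_roam and ipaddress.ip_address(sw["system_ip"]) in net:
        findings.append("system-ip-in-web-portal-vlan")
    return findings

def audit_all(switches, dhcp_subnet, users_roam):
    """Map each switch name to its list of finding codes."""
    return {sw["name"]: audit_switch(sw, dhcp_subnet, users_roam) for sw in switches}

if __name__ == "__main__":
    for name, findings in audit_all(SWITCHES, DHCP_SUBNET, users_roam=True).items():
        print(name, "OK" if not findings else ", ".join(findings))
```
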
Note.  
WSS Software Version 5.0 does not require or support special user 
web-portal-ssid, where ssid is the SSID the Web-Portal user associates with. Previous 
WSS Software Versions required this special user for Web-Portal configurations. Any 
web-portal-ssid users are removed from the configuration during upgrade to WSS 
Software Version 5.0. However, the web-portal-wired user is still required for Web Portal 
on wired authentication ports.