Nortel 2350 User Guide
Configuring AAA for network users 499
Nortel WLAN—Security Switch 2300 Series Configuration Guide
Authentication rules—A web authentication rule must be configured for the Web-based AAA users. The web rule 
must match on the username the Web-based AAA user will enter on the Web-based AAA login page. (The match 
can be on a userglob or individual username.) The web rule also must match on the SSID the user will use to access 
the network. If the user will access the network on a wired authentication port, the rule must match on wired.
To configure authentication rules, use the set authentication web command.
Web Portal Web-based AAA must be enabled, using the set web-portal command. The feature is enabled by 
default.
Portal ACL and user ACLs
The portalacl ACL, which WSS Software creates automatically, applies only when a user’s session is in the portal state. 
After the user is authenticated and authorized, the ACL is no longer applicable. 
To modify a user’s access while the user is still being authenticated and authorized, you can configure another ACL and 
map that ACL instead to the service profile or the web-portal-wired user. Make sure to use the capture option for 
traffic you do not want to allow. Nortel recommends that you do not change the portalacl ACL. Leave the ACL as a 
backup in case you need to refer to it or you need to use it again. 
For example, if you want to allow the user to access a credit card server while WSS Software is still authenticating and 
authorizing the user, create a new ACL, add ACEs that are the same as the ACEs in portalacl, and add a new ACE 
before the last one, to allow access to the credit card server. Make sure the last ACE in the ACL is the deny ACE that 
captures all traffic that is not allowed by the other ACEs. 
To modify a Web-based AAA user’s access after the user is authenticated and authorized, map an ACL to the individual 
Web-based AAA user. Changes you make to the ACL mapped to the service profile or web-portal-wired user do not 
affect user access after authentication and authorization are complete.
Caution!  
Without the Web-Portal ACL, Web-based AAA users will be placed on the 
network without any filters.
Caution!  
Do not change the deny rule at the bottom of the Web-Portal ACL. This rule 
must be present and the capture option must be used with the rule. If the rule does not 
have the capture option, the Web Portal user never receives a login page. If you need to 
modify the Web-Portal ACL, create a new one instead, and modify the service profile or 
web-portal-wired user to use the new ACL. (See .)
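The behaviour described above (first-match evaluation of an ordered ACL, the capture option on the final deny ACE, and building a replacement ACL that copies portalacl and inserts a permit for a credit card server before that deny) can be modelled in a few lines. The following is an added illustration, not WSS Software code or its CLI: the ACE fields, the two addresses (10.0.0.1 standing in for the switch, 192.0.2.10 for the credit card server) and the reduced portalacl are constructed assumptions; the real portalacl carries more ACEs than shown here.

```python
"""Model of how an ordered ACL behaves while a user's session is in the portal state.

Added illustration, not WSS Software code. The ACE fields and the addresses
used below are constructed assumptions; the real portalacl has more ACEs.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    dst: str               # destination prefix in CIDR form, e.g. "0.0.0.0/0"
    capture: bool = False  # deny + capture: send the user to the login page instead of dropping


@dataclass
class Acl:
    name: str
    aces: List[Ace] = field(default_factory=list)

    def evaluate(self, dst_ip: str) -> str:
        """First-match evaluation.

        Returns 'permit', 'capture' (the user is redirected to the Web Portal
        login page) or 'drop'. Anything that matches no ACE is dropped.
        """
        addr = ip_address(dst_ip)
        for ace in self.aces:
            if addr in ip_network(ace.dst, strict=False):
                if ace.action == "permit":
                    return "permit"
                return "capture" if ace.capture else "drop"
        return "drop"

    def last_ace_is_deny_capture(self) -> bool:
        """The check the caution above asks for: the final ACE must be deny + capture."""
        if not self.aces:
            return False
        last = self.aces[-1]
        return last.action == "deny" and last.capture


def portal_acl() -> Acl:
    """Stand-in for the automatically created portalacl (constructed, simplified)."""
    return Acl("portalacl", [
        Ace("permit", "10.0.0.1/32"),            # constructed: the WSS itself, so the login page is reachable
        Ace("deny", "0.0.0.0/0", capture=True),  # capture everything else -> login page
    ])


def clone_with_extra_permit(src: Acl, new_name: str, dst_net: str) -> Acl:
    """Build the replacement ACL the guide describes: the same ACEs as the
    source ACL plus a new permit inserted just before the final deny ACE."""
    aces = list(src.aces)
    aces.insert(len(aces) - 1, Ace("permit", dst_net))
    return Acl(new_name, aces)


def broken_portal_acl() -> Acl:
    """Same as portalacl but the final deny lacks capture: traffic is silently
    dropped and the user never receives a login page."""
    return Acl("portalacl-broken", [
        Ace("permit", "10.0.0.1/32"),
        Ace("deny", "0.0.0.0/0"),
    ])


if __name__ == "__main__":
    # 192.0.2.10 is a constructed address for the credit card server.
    cc = clone_with_extra_permit(portal_acl(), "portal-with-cc", "192.0.2.10/32")
    print(cc.name, cc.evaluate("192.0.2.10"))      # permit
    print(cc.name, cc.evaluate("198.51.100.7"))    # capture
    print(cc.last_ace_is_deny_capture())           # True
    print(broken_portal_acl().evaluate("198.51.100.7"))  # drop
```

Run the model with and without the capture flag on the last ACE to see the difference the second caution warns about: with capture, unmatched traffic is redirected to the login page; without it, the same traffic is dropped and the user is stuck. The `last_ace_is_deny_capture` check is the kind of sanity test worth applying to any custom ACL before mapping it to a service profile or web-portal-wired user.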
Note.  
The filter-id attribute in a service profile applies only to authenticated users. If this 
attribute is set in a service profile for an SSID accessed by Web-Portal users, the attribute 
applies only after users have been authenticated. While a Web-Portal user is still being 
authenticated, the ACL set by the web-portal-acl applies instead.