Nortel 2350 用户指南
534 Configuring AAA for network users
NN47250-500 (320657-F Version 02.01)
Keeping users on the same VLAN even after roaming
In some cases, a user can be assigned to a different VLAN after roaming to another WSS.
can be assigned to a user after roaming from one WSS to another.
Yes in the table means the VLAN is set on the roamed-to WSS, by the mechanism indicated by the column header. No
means the VLAN is not set. Yes or No means the mechanism does not affect the outcome, due to another mechanism that
is set.
means the VLAN is not set. Yes or No means the mechanism does not affect the outcome, due to another mechanism that
is set.
The VLAN Assigned By column indicates the mechanism that is used by the roamed-to switch to assign the VLAN, based
on the various ways the VLAN is set on that switch.
on the various ways the VLAN is set on that switch.
•
Location Policy means the VLAN is assigned by a location policy on the roamed-to switch. (The VLAN is assigned
by the vlan vlan-id option of the set location policy permit command.)
by the vlan vlan-id option of the set location policy permit command.)
•
AAA means the Vlan-name attribute is set on for the user or the user’s group, in the roamed-to switch’s local
database or on a RADIUS server used by the roamed-to switch to authenticate the user. (The VLAN is assigned by
the vlan-name vlan-id option of the set user attr, set usergroup attr, set mac-user, or set mac-usergroup
command.)
database or on a RADIUS server used by the roamed-to switch to authenticate the user. (The VLAN is assigned by
the vlan-name vlan-id option of the set user attr, set usergroup attr, set mac-user, or set mac-usergroup
command.)
•
keep-initial-vlan means that the VLAN is not reassigned. Instead, the VLAN assigned on the switch where the user
first accesses the network is retained. (The keep-initial-vlan option is enabled by the set service-profile name
keep-initial-vlan enable command, entered on the roamed-to switch. The name is the name of the service profile
for the SSID the user is associated with.)
first accesses the network is retained. (The keep-initial-vlan option is enabled by the set service-profile name
keep-initial-vlan enable command, entered on the roamed-to switch. The name is the name of the service profile
for the SSID the user is associated with.)
•
SSID means the VLAN is set on the roamed-to switch, in the service profile for the SSID the user is associated with.
(The Vlan-name attribute is set by the set service-profile name attr vlan-name vlan-id command, entered on the
roamed-to switch. The name is the name of the service profile for the SSID the user is associated with.)
(The Vlan-name attribute is set by the set service-profile name attr vlan-name vlan-id command, entered on the
roamed-to switch. The name is the name of the service profile for the SSID the user is associated with.)
•
As shown in
, even when keep-initial-vlan is set, a user’s VLAN can be reassigned by AAA or a location
policy.
Table 6: VLAN assignment after roaming from one WSS to another
Location
Policy
Policy
AAA
keep-initial-vlan
SSID
VLAN Assigned By...
Yes
Yes or
No
No
Yes or No
Yes or No
location policy
No
Yes
Yes or No
Yes or No
AAA
No
No
Yes
Yes or No
keep-initial-vlan
No
No
No
Yes
SSID
No
No
No
No
Not set—
authentication error
authentication error
Note.
The keep-initial-vlan option does not apply to Web-Portal clients. Instead, VLAN
assignment for roaming Web-Portal clients automatically works the same way as when
keep-initial-vlan is enabled. The VLAN initially assigned to a Web-Portal user is not
changed except by a location policy, AAA, or SSID default setting on the roamed-to switch.
keep-initial-vlan is enabled. The VLAN initially assigned to a Web-Portal user is not
changed except by a location policy, AAA, or SSID default setting on the roamed-to switch.