464 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS

Fallthru authentication type—The fallthru authentication type for each SSID and wired authentication port that you want to support WebAAA must be set to web-portal. The default authentication type for wired authentication ports and for SSIDs is None (no fallthru authentication is used).

To set the fallthru authentication type for an SSID, set it in the service profile for the SSID, using the set service-profile auth-fallthru command. To set it on a wired authentication port, use the auth-fall-thru web-portal parameter of the set port type wired-auth command.

Authorization attributes—Wireless Web-Portal users get their authorization attributes from the SSID’s service profile. To assign wireless Web-Portal users to a VLAN, use the set service-profile name attr vlan-name vlan-id command.

Web-Portal users on wired authentication ports get their authorization attributes from the special user web-portal-wired. To assign wired Web-Portal users to a VLAN, use the set user web-portal-wired attr vlan-name vlan-id command. By default, web-portal-wired users are assigned to the default VLAN.

Portal ACL (created by MSS automatically)—The portalacl ACL captures all the portal user’s traffic except for DHCP traffic. The portalacl has the following ACEs:

    set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
    set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture

MSS automatically creates the portalacl ACL the first time you set the fallthru authentication type on any service profile or wired authentication port to web-portal.

The ACL is mapped to wireless Web-Portal users through the service profile. When you set the fallthru authentication type on a service profile to web-portal, portalacl is set as the Web-Portal ACL. The ACL is applied to a Web-Portal user’s traffic when the user associates with the service profile’s SSID.

The ACL is mapped to Web-Portal users on a wired-authentication port by the Filter-id.in attribute configured on the web-portal-wired user. When you set the fallthru authentication type on a wired authentication port to web-portal, MSS creates the web-portal-wired user. MSS sets the filter-id attribute on the user to portalacl.in.
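Because portalacl is what holds unauthenticated Web-Portal traffic, a saved configuration can be checked against the two ACEs listed above. The following is an added example, not part of the original guide or of MSS: the function name, the sample configurations, and the line form "set user web-portal-wired attr filter-id ..." are assumptions, and the order check assumes ACEs are evaluated in the order they are listed.

```python
import re

# ACEs the page lists for portalacl, in order (whitespace-normalised).
EXPECTED_ACES = [
    "permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67",
    "deny 0.0.0.0 255.255.255.255 capture",
]
ACE_RE = re.compile(r"^set security acl ip portalacl (.+)$")
# Assumed line form, modelled on the page's "set user web-portal-wired attr ..." syntax.
FILTER_RE = re.compile(r"^set user web-portal-wired attr filter-id (\S+)$", re.I)

def audit_portal_config(config_text, wired=False):
    """Return findings; an empty list means the config matches the page."""
    aces, filter_id = [], None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # collapse runs of whitespace
        if m := ACE_RE.match(line):
            aces.append(m.group(1))
        elif m := FILTER_RE.match(line):
            filter_id = m.group(1)
    findings = ["missing ACE: " + e for e in EXPECTED_ACES if e not in aces]
    findings += ["unexpected ACE: " + a for a in aces if a not in EXPECTED_ACES]
    if not findings and aces != EXPECTED_ACES:
        findings.append("ACEs duplicated or out of order")
    if wired and filter_id != "portalacl.in":
        findings.append("web-portal-wired filter-id is %r, expected 'portalacl.in'" % filter_id)
    return findings

# Constructed sample configurations (not taken from a real switch).
GOOD_CONFIG = """
set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture
set user web-portal-wired attr filter-id portalacl.in
"""
DRIFTED_CONFIG = """
set security acl ip portalacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl ip portalacl permit 10.10.0.0 0.0.255.255
set security acl ip portalacl deny 0.0.0.0 255.255.255.255 capture
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(name, audit_portal_config(cfg, wired=True) or "OK")
```

Pass wired=True only for configurations that use web-portal on a wired authentication port, since wireless users receive the ACL through the service profile instead.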