Configuring AAA for network users 497
Nortel WLAN—Security Switch 2300 Series Configuration Guide

Web-based AAA requirements and recommendations

WSS requirements

• Web-based AAA certificate—A Web-based AAA certificate must be installed on the switch. You can use a self-signed (signed by the WSS) Web-based AAA certificate automatically generated by WSS Software, manually generate a self-signed one, or install one signed by a trusted third-party certificate authority (CA). (For more information, see “Managing keys and certificates” (page 443).)

  If you choose to install a self-signed Web-based AAA certificate, use a common name (a required field in the certificate), that resembles a web address and contains at least one dot. When WSS Software serves the login page to the browser, the page’s URL is based on the common name in the Web-based AAA certificate.

  Here are some examples of common names in the recommended format:
  • web-based aaa.login
  • web-based aaa.customername.com
  • portal.local

  Here are some examples of common names that are not in the recommended format:
  • web-based aaa
  • nrtl_webaaa
  • webportal

• User VLAN—An IP interface must be configured on the user’s VLAN. The interface must be in the subnet on which the DHCP server will place the user, so that the switch can communicate with both the client and the client’s preferred DNS server. (To configure a VLAN, see “Configuring and managing VLANs” (page 103).)

  If users will roam from the switch where they connect to the network to other WSSs, the system IP addresses of the switches should not be in the web-portal VLAN.

  Although the SSID’s default VLAN and the user VLAN must be the same, you can use a location policy on the switch where the service profile is configured to move the user to another VLAN. The other VLAN is not required to be statically configured on the switch. The VLAN does have the same requirements as other user VLANs, as described above. For example, the user VLAN on the roamed-to switch must have an IP interface, the interface must be in the subnet that has DHCP, and the subnet must be the same one the DHCP server will place the user in.

Note. WSS Software Version 5.0 does not require or support special user web-portal-ssid, where ssid is the SSID the Web-Portal user associates with. Previous WSS Software Versions required this special user for Web-Portal configurations. Any web-portal-ssid users are removed from the configuration during upgrade to WSS Software Version 5.0. However, the web-portal-wired user is still required for Web Portal on wired authentication ports.
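
The user VLAN requirements above can be checked against an addressing plan before any switch is configured. The following Python check is an added example, not taken from the Nortel guide or from WSS Software; the switch names, addresses, and dictionary layout are constructed, and it assumes the web-portal VLAN uses the same subnet in which the DHCP server places users.

```python
import ipaddress

# Constructed sample plan: names, addresses and layout are illustrative only.
DHCP_SUBNET = "10.10.20.0/24"  # subnet the DHCP server places Web-Portal users in
SWITCHES = [
    {"name": "wss-a", "system_ip": "10.10.10.4", "user_vlan_if": "10.10.20.1/24"},
    {"name": "wss-b", "system_ip": "10.10.20.5", "user_vlan_if": "10.10.30.1/24"},
    {"name": "wss-c", "system_ip": "10.10.10.6", "user_vlan_if": None},
]


def check_web_portal_plan(switches, dhcp_subnet, roaming=True):
    """Return findings for a planned Web-based AAA user VLAN.

    switches: dicts with 'name', 'system_ip' and 'user_vlan_if'
              (interface in CIDR form, or None if no IP interface is planned).
    roaming:  True if users roam between the listed switches.
    """
    scope = ipaddress.ip_network(dhcp_subnet)
    findings = []
    for sw in switches:
        name = sw["name"]
        # Requirement: the user VLAN must have an IP interface, and that
        # interface must be in the subnet the DHCP server places the user in.
        if sw["user_vlan_if"] is None:
            findings.append(f"{name}: user VLAN has no IP interface")
        else:
            iface = ipaddress.ip_interface(sw["user_vlan_if"])
            if iface.network != scope:
                findings.append(
                    f"{name}: user VLAN interface {iface} is not in DHCP subnet {scope}")
        # Recommendation when users roam: the switch system IP address
        # should not be in the web-portal VLAN.
        if roaming and ipaddress.ip_address(sw["system_ip"]) in scope:
            findings.append(
                f"{name}: system IP {sw['system_ip']} is inside the web-portal VLAN subnet")
    return findings


if __name__ == "__main__":
    for line in check_web_portal_plan(SWITCHES, DHCP_SUBNET):
        print(line)
```
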