D-Link DWS-1008 User Manual
6. MSS authenticates the user by checking RADIUS or the switch’s local database for the
username and password entered by the user. If the user information is present, MSS
authorizes the user based on the authorization attributes set for the user.
Note: MSS ignores the VLAN-Name or Tunnel-Private-Group-ID attribute associated with
the user, and leaves the user in the VLAN associated with the SSID’s service profile (if
wireless) or with the web-portal-wired user (if the user is on a wired authentication port).
7. After authentication and authorization are complete, MSS changes the user’s session
from a portal session with the name web-portal-ssid or web-portal-wired to a
WebAAA session with the user’s name. The session remains connected, but is now an
identity-based session for the user instead of a portal session.
8. MSS redirects the browser to the URL initially requested by the user or, if the URL VSA is
configured for the user, redirects the user to the URL specified by the VSA.
9. The web page for the URL to which the user is redirected appears in the user’s browser
window.
Display of the Login Page
When a WebAAA client first tries to access a web page, the client’s browser sends a DNS request
to obtain the IP address mapped to the domain name requested by the client’s browser. The switch
proxies this DNS request to the network’s DNS server, then proxies the reply back to the client. If the
DNS server has a record for the requested URL, the request is successful and the switch serves a web
login page to the client. However, if the DNS request is unsuccessful, the switch displays a message
informing the user of this and does not serve the login page.
If the switch does not receive a reply to a client’s DNS request, the switch spoofs a reply to the browser
by sending the switch’s own IP address as the resolution to the browser’s DNS query. The switch also
serves the web login page. This behavior simplifies use of the WebAAA feature in networks that do not
have a DNS server. However, if the requested URL is invalid, the behavior gives the appearance that the
requested URL is valid, since the browser receives a login page. Moreover, the browser might cache a
mapping of the invalid URL to the switch IP address.
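The following is an added example, not part of the manual: a small Python check that scans DNS query records for answers equal to the switch's own address, which is what the spoofed reply described above looks like from the client side. The record format, the switch address 10.10.10.1, the sample names and the verdict labels are all constructed assumptions.

```python
import ipaddress

SWITCH_IP = "10.10.10.1"  # assumption: address the switch uses in spoofed replies

# Constructed sample records: "<time> <client> <queried name> <answer or status>"
SAMPLE_LOG = """\
09:00:01 10.10.10.51 www.example.com 203.0.113.10
09:00:07 10.10.10.52 www.example.com 10.10.10.1
09:00:09 10.10.10.52 wwww.exmaple.test 10.10.10.1
09:00:15 10.10.10.53 intranet.example.net NXDOMAIN
09:03:40 10.10.10.52 www.example.com 203.0.113.10
malformed line
"""

def parse(log):
    """Yield (client, name, answer) tuples; answer is None for non-address results."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed records
        _, client, name, result = fields
        try:
            answer = ipaddress.ip_address(result)
        except ValueError:
            answer = None  # status strings such as NXDOMAIN
        yield client, name.lower().rstrip("."), answer

def spoofed_mappings(log, switch_ip=SWITCH_IP):
    """Return {(client, name): verdict} for answers equal to the switch address.

    "stale-cache-risk": the same name also resolved to another address in the
    log, so the name is real and a cached switch-IP entry is wrong.
    "unverified-name": no genuine answer was seen, so the name may be invalid
    even though the client was served a login page for it.
    """
    switch = ipaddress.ip_address(switch_ip)
    records = list(parse(log))
    genuine = {name for _, name, ans in records if ans is not None and ans != switch}
    findings = {}
    for client, name, ans in records:
        if ans == switch:
            findings[(client, name)] = (
                "stale-cache-risk" if name in genuine else "unverified-name")
    return findings

if __name__ == "__main__":
    for (client, name), verdict in sorted(spoofed_mappings(SAMPLE_LOG).items()):
        print(f"{client} {name} -> {SWITCH_IP} [{verdict}]")
```

Names flagged as unverified-name are the case the manual warns about: a mistyped or invalid URL that appeared valid because the login page was served.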
If the user enters an IP address, most browsers attempt to contact the IP address directly without using
DNS. Some browsers even interpret numeric strings as IP addresses (in decimal notation) if a valid
address could be formed by adding dots (dotted decimal notation). For example, 208194225132 would
be interpreted as a valid IP address, when converted to 208.194.225.132.
WebAAA Requirements and Recommendations
Note: MSS Version 5.0 does not require or support special user web-portal-ssid, where ssid is the
SSID the Web-Portal user associates with. Previous MSS Versions required this special user for
Web-Portal configurations. Any web-portal-ssid users are removed from the configuration during upgrade
to MSS Version 5.0. However, the web-portal-wired user is still required for Web Portal on wired
authentication ports.