MSM7xx Controllers Configuration Guide v6.4.0
Tips on using the access list
With certificates
• If you replaced the default SSL certificate on the controller with one signed by a well-known
CA, you should define the access list to permit access to the CA certificate for all
non-authenticated users. This enables the user's browser to verify that the certificate is valid
without displaying any warning messages.
• Users may have configured their Web browsers to check all SSL certificates against the
Certificate Revocation List (CRL) maintained by the CA that issued the certificate. The location
of the CRL may be configured in the browser, or embedded in the certificate. The access list
should be configured to permit access to the CRL, otherwise the user's browser times out before
displaying the login page.
Remote login page
If you are using the remote login page feature, make sure that access to the Web server hosting
the login page is granted to all unauthenticated users via the site access list.
SMTP redirect
If an unauthenticated user establishes a connection to their E-mail server, the SMTP redirect feature
will not work once the user logs in. The user's E-mail is still sent to the original E-mail server.
To avoid this, do not use an access list to open TCP port 25 for unauthenticated users.
Critical access list definitions (such as those for a remote login page or certificates) should not use
the OPTIONAL setting, because if these definitions fail to initialize there is no indication in the log.
Defining access lists
Access lists are defined by adding the following Colubris AV-Pair value string to the RADIUS profile
for a controller or to the local list (Public access > Attributes page).
access-list=value
Each value string defines one rule. Up to 99 rules can be defined for an access list.
All rules that make up an access list must be initialized without error for the list to be active. (You
can force the controller to ignore initialization errors on a rule-by-rule basis by using the OPTIONAL
parameter.)
You can define up to 32 access lists.
Activating site access lists
When an access list is activated on the controller, it applies to all access controlled user traffic
handled by the controller.
Access lists are activated by adding the following Colubris AV-Pair value string to the RADIUS
profile for a controller or to the local list (Public access > Attributes page).
use-access-list=uselistname
Only one access list can be active on the controller. This list must be initialized without an error.
It is possible to set an access list to apply only for unauthenticated users by specifying the following
value string:
use-access-list-unauth=uselistname
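As an added check, not part of the guide or of the controller software, the following Python script lints a set of these AV-pair strings against the limits stated above (99 rules per list, 32 lists, one active list, OPTIONAL kept off critical lists) before they are pushed into a RADIUS profile. It assumes that the first comma-separated field of an access-list value is the list name and that OPTIONAL appears as its own comma-separated field; the page does not state the rule syntax, so the sample rule bodies are placeholders.

```python
import re
from collections import defaultdict

MAX_RULES_PER_LIST = 99   # limit stated in the guide
MAX_LISTS = 32            # limit stated in the guide

# Assumption (not stated on this page): the list name is the first
# comma-separated field of an access-list value, and OPTIONAL is a field of its own.
AV_RE = re.compile(r"^(use-access-list-unauth|use-access-list|access-list)=(.*)$")

def lint_av_pairs(lines, critical_lists=()):
    """Return a list of problem strings for a set of Colubris AV-pair strings."""
    problems = []
    rules = defaultdict(list)   # list name -> rule values
    active = defaultdict(list)  # use-access-list key -> referenced list names
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = AV_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a recognised access-list AV-pair: {line}")
            continue
        key, value = m.groups()
        if key == "access-list":
            fields = [f.strip() for f in value.split(",")]
            name = fields[0]
            rules[name].append(value)
            # Critical definitions must fail loudly, so OPTIONAL is a problem there.
            if "OPTIONAL" in (f.upper() for f in fields) and name in critical_lists:
                problems.append(f"line {n}: critical list '{name}' uses OPTIONAL; "
                                "an initialization failure would leave no log entry")
        else:
            active[key].append(value.strip())
    if len(rules) > MAX_LISTS:
        problems.append(f"{len(rules)} lists defined; maximum is {MAX_LISTS}")
    for name, rs in rules.items():
        if len(rs) > MAX_RULES_PER_LIST:
            problems.append(f"list '{name}' has {len(rs)} rules; maximum is {MAX_RULES_PER_LIST}")
    for key, names in active.items():
        if len(names) > 1:
            problems.append(f"{key} given {len(names)} times; only one list can be active")
        for name in names:
            if name not in rules:
                problems.append(f"{key} references undefined list '{name}'")
    return problems

SAMPLE = [  # constructed input; rule bodies are placeholders, not real rule syntax
    "access-list=login,<rule permitting the remote login page web server>",
    "access-list=login,<rule permitting the CA certificate>,OPTIONAL",
    "use-access-list-unauth=login",
    "use-access-list=guest",
]

if __name__ == "__main__":
    for p in lint_av_pairs(SAMPLE, critical_lists=("login",)):
        print(p)
```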
User access lists
Access lists can also be activated on a per-user basis by configuring the appropriate settings for
each user account. See “Access list” (page 484) for more information.
462 Working with RADIUS attributes