WESM zl Management and Configuration Guide WT.01.03 and greater
Web Authentication for Mobile Users
Overview
The Wireless Edge Services zl Module automatically permits certain station
traffic, even when the destination is not on the Allow list:
■ DHCP requests—The station must receive an IP address before it can
access the Web login page and authenticate.
■ Domain Name System (DNS) requests—The station must attempt to
reach a valid IP address in order for the Wireless Edge Services zl Module
to redirect the browser to the login page. The DNS request allows the
station’s Web browser to resolve a Web site URL to a valid IP address.
Therefore, you do not need to add the IP addresses of your DHCP and DNS
servers to the Allow list.
The only IP address that must be on the Allow list is that of the Web server,
and only when you store the Web-Auth login, welcome, and failed pages on an
external Web server. On the other hand, if these pages are stored on the
Wireless Edge Services zl Module, you do not have to add the module’s IP
address to the Allow list. In fact, to protect management access to the
module, you should not.
You can add a maximum of 10 IP addresses to the Allow list.
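The Allow list rules above can be checked before a change is applied. The following Python audit is an added example, not part of the original guide or the module's software; the function name, its parameters, and the sample addresses (documentation range 192.0.2.0/24) are assumptions made for illustration.

```python
import ipaddress

MAX_ALLOW_ENTRIES = 10  # limit stated in the guide


def audit_allow_list(entries, module_ips, dhcp_dns_servers=(), external_web_server=None):
    """Return (severity, message) findings for a planned Web-Auth Allow list.

    Hypothetical helper: every argument is supplied by the person auditing.
    """
    findings, parsed = [], []
    for raw in entries:
        try:
            parsed.append(ipaddress.ip_address(raw.strip()))
        except ValueError:
            findings.append(("error", f"{raw!r} is not a valid IP address"))
    if len(entries) > MAX_ALLOW_ENTRIES:
        findings.append(("error", f"{len(entries)} entries exceed the limit of {MAX_ALLOW_ENTRIES}"))
    seen = set()
    for ip in parsed:
        if ip in seen:
            findings.append(("warn", f"{ip} is listed more than once"))
        seen.add(ip)
    # The module's own address must stay off the list to protect management access.
    module = {ipaddress.ip_address(i) for i in module_ips}
    for ip in sorted(seen & module, key=str):
        findings.append(("error", f"{ip} is the module's own address; remove it"))
    # DHCP and DNS traffic is permitted automatically, so these entries waste slots.
    infra = {ipaddress.ip_address(i) for i in dhcp_dns_servers}
    for ip in sorted(seen & infra, key=str):
        findings.append(("warn", f"{ip} is a DHCP/DNS server; entry is unnecessary"))
    # An external Web server hosting the login pages is the one required entry.
    if external_web_server is not None:
        if ipaddress.ip_address(external_web_server) not in seen:
            findings.append(("error", f"external Web server {external_web_server} is missing"))
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real configuration.
    planned = ["192.0.2.10", "192.0.2.1", "192.0.2.53", "192.0.2.53", "not-an-ip"]
    for severity, message in audit_allow_list(
        planned, module_ips=["192.0.2.1"], dhcp_dns_servers=["192.0.2.53"],
        external_web_server="192.0.2.80",
    ):
        print(f"{severity.upper():5} {message}")
```

When the login pages are stored on the module itself, leave `external_web_server` unset; an empty Allow list then passes the audit.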
Creating a VLAN Interface for the Web-Auth VLAN
The Wireless Edge Services zl Module requires an IP address on the static
VLAN to which the Web-Auth WLAN maps. See Chapter 6: “IP Services—IP
Settings, DHCP, and DNS” for information on creating the VLAN interface and
assigning it an IP address.
You can apply access control lists (ACLs) to the VLAN interface in order to
continue to control traffic from the wireless stations, even after they
authenticate. You can also apply dynamic Network Address Translation (NAT) to
traffic from wireless users, protecting the IP addresses used in your private
network. (See Chapter 7: “Access Control Lists (ACLs)” and Chapter 8:
“Configuring Network Address Translation (NAT).”)
If you so desire, you can also have the module place users in dynamic
VLANs after they authenticate. With Web-Auth, however, stations initially
receive IP addresses in the static VLAN. To allow stations to receive IP
addresses in the dynamic VLAN after users authenticate, set the lease time in
the DHCP configuration for the static VLAN very low.