WESM zl Management and Configuration Guide WT.01.28 and greater
5-9
Web Authentication for Mobile Users
Overview
The Wireless Edge Services zl Module automatically permits certain station traffic,
even when the destination is not on the Allow list:
■ DHCP requests—The station must receive an IP address before it can access
the Web login page and authenticate.
■ Domain Name System (DNS) requests—The station must attempt to reach a
valid IP address in order for the Wireless Edge Services zl Module to redirect
the browser to the login page. Permitting DNS requests allows the station’s Web
browser to resolve a Web site URL to a valid IP address.
Therefore, you do not need to add the IP addresses of your DHCP and DNS servers
to the Allow list.
The only IP address that must be on the Allow list is that of the Web server, and
only when you store the Web-Auth login, welcome, and failed pages on an external
Web server. If these pages are stored on the Wireless Edge Services zl Module
itself, you do not have to add the module’s IP address to the Allow list. In fact, to
protect management access to the module, you should not.
You can add a maximum of 10 IP addresses to the Allow list.
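The pre-authentication rules above (DHCP and DNS always permitted, the Allow list capped at 10 entries, the module's own address kept off the list, and an external login server needing an entry) are modeled in this added Python example. It is not the module's code or CLI; the IP addresses, port numbers and the "drop" outcome for non-HTTP traffic are assumptions used to make the policy checkable.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

MAX_ALLOW_ENTRIES = 10            # limit stated in the guide
DHCP_SERVER_PORT, DNS_PORT = 67, 53


@dataclass
class WebAuthPolicy:
    """Pre-authentication forwarding decisions for one Web-Auth WLAN (model, not module code)."""
    module_ip: str                             # constructed address of the module's VLAN interface
    external_web_server: Optional[str] = None  # set when login pages live on an external server
    allow_list: List[str] = field(default_factory=list)

    def add_allow(self, addr: str) -> None:
        ip_address(addr)                       # reject malformed entries early
        if addr == self.module_ip:
            # The guide advises against listing the module: it exposes management access.
            raise ValueError("module IP must not be on the Allow list")
        if addr in self.allow_list:
            return
        if len(self.allow_list) >= MAX_ALLOW_ENTRIES:
            raise ValueError("Allow list is limited to 10 IP addresses")
        self.allow_list.append(addr)

    def login_reachable(self) -> bool:
        """Check: can an unauthenticated station reach the login page at all?"""
        if self.external_web_server is None:
            return True                        # pages on the module need no entry
        return self.external_web_server in self.allow_list

    def decide(self, authenticated: bool, dst_ip: str, proto: str, dst_port: int) -> str:
        if authenticated:
            return "forward"                   # post-auth traffic is governed by VLAN ACLs/NAT
        if proto == "udp" and dst_port in (DHCP_SERVER_PORT, DNS_PORT):
            return "permit"                    # always allowed, no Allow-list entry needed
        is_http = proto == "tcp" and dst_port in (80, 443)
        if self.external_web_server is None and dst_ip == self.module_ip and is_http:
            return "permit"                    # login page served by the module itself
        if dst_ip in self.allow_list:
            return "permit"
        if is_http:
            return "redirect"                  # browser is sent to the login page
        return "drop"                          # assumption: other pre-auth traffic is blocked
```

Running `login_reachable()` before enabling the WLAN catches the common mistake of pointing Web-Auth at an external server that is not yet on the Allow list.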
Creating a VLAN Interface for the Web-Auth VLAN
The Wireless Edge Services zl Module requires an IP address on the static VLAN to
which the Web-Auth WLAN maps. See Chapter 6: “IP Services—IP Settings, DHCP,
and DNS” for information on creating the VLAN interface and assigning it an IP
address.
You can apply access control lists (ACLs) to the VLAN interface in order to continue
to control traffic from the wireless stations, even after they authenticate. You can also
apply dynamic Network Address Translation (NAT) to traffic from wireless users,
protecting the IP addresses used in your private network. (See Chapter 7: “Access
Control Lists (ACLs)” and Chapter 8: “Configuring Network Address
Translation (NAT).”)
If you so desire, you can also have the module place users in dynamic VLANs
after they authenticate. With Web-Auth, however, stations initially receive IP
addresses in the static VLAN. To allow stations to receive IP addresses in the
dynamic VLAN after users authenticate, set the lease time in the DHCP configuration
for the static VLAN very low.