How the Location Policy Differs from a Security ACL; Setting the Location Policy - 3Com 3CRWX120695A, 3CRWX440095A Configuration Manual

Wireless lan switch and controller

324  Chapter 13: Configuring AAA for Network Users

Any authorization attributes not changed by the location policy remain active.

How the Location Policy Differs from a Security ACL

Although structurally similar, the location policy and security ACLs have different functions. The location policy on a WX switch can be used to locally redirect a user to a different VLAN or locally control the traffic to and from a user.

In contrast, security ACLs are packet filters applied to the user throughout a Mobility Domain. (For more information, see Chapter 11, "Configuring and Managing Security ACLs," on page 231.)

You can use the location policy to locally apply a security ACL to a user.

Setting the Location Policy

To enable the location policy function on a WX switch, you must create at
least one location policy rule with one of the following commands:

    set location policy deny if {ssid operator ssid-name | vlan operator vlan-glob |
        user operator user-glob | port port-list | dap dap-num}
        [before rule-number | modify rule-number]

    set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name}
        if {ssid operator ssid-name | vlan operator vlan-glob | user operator user-glob |
        port port-list | dap dap-num} [before rule-number | modify rule-number]

Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.

You must specify whether to permit or deny access, and you must identify a VLAN, username, or access port to match. Use one of the following operators to specify how the rule must match the VLAN or username:

eq — Applies the location policy rule to all users assigned VLAN names matching vlan-glob or having usernames that match user-glob. (Like a user glob, a VLAN glob is a way to group VLANs for use in this command. For more information, see "VLAN Globs" on page 25.)

neq — Applies the location policy rule to all users assigned VLAN names not matching vlan-glob or having usernames that do not match user-glob.
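
The syntax rules above can be checked mechanically when reviewing a saved switch configuration. The following Python linter is an added example, not 3Com code: it follows the command syntax exactly as printed above and flags the SSID wildcard restriction. The sample rule lines and the names in them (jdoe, guest, lobby, filter1, staff) are constructed.

```python
# Keywords taken from the command syntax printed above.
OP_CONDS = {"ssid", "vlan", "user"}      # these take an eq/neq operator
PLAIN_CONDS = {"port", "dap"}            # these take a value only
ACTIONS = {"vlan", "inacl", "outacl"}    # permit actions

# Constructed sample lines (names are made up for illustration).
SAMPLE = [
    "set location policy deny if user eq jdoe",
    "set location policy permit vlan guest if ssid eq lobby*",
    "set location policy permit inacl filter1 if vlan neq staff before 1",
    "set location policy permit if port 3",
]

def check_rule(line):
    """Return a list of problems in one 'set location policy' command."""
    tok = line.split()
    if len(tok) < 4 or tok[:3] != ["set", "location", "policy"]:
        return ["not a location policy command"]
    verdict, rest = tok[3], tok[4:]
    if verdict == "permit":
        if len(rest) < 2 or rest[0] not in ACTIONS:
            return ["permit needs vlan, inacl or outacl plus a name"]
        rest = rest[2:]                  # skip action keyword and its name
    elif verdict != "deny":
        return ["expected permit or deny"]
    if len(rest) < 2 or rest[0] != "if":
        return ["missing or empty 'if' condition"]
    kind, rest, problems = rest[1], rest[2:], []
    if kind in OP_CONDS:
        if len(rest) < 2 or rest[0] not in ("eq", "neq"):
            return [kind + " needs operator eq or neq and a value"]
        if kind == "ssid" and "*" in rest[1]:
            problems.append("asterisk in SSID name")
        rest = rest[2:]
    elif kind in PLAIN_CONDS:
        if not rest:
            return [kind + " needs a value"]
        rest = rest[1:]
    else:
        return ["unknown condition " + kind]
    # Optional trailer: 'before N' or 'modify N'
    if rest and not (len(rest) == 2 and rest[0] in ("before", "modify")
                     and rest[1].isdigit()):
        problems.append("bad trailer: " + " ".join(rest))
    return problems

if __name__ == "__main__":
    for rule in SAMPLE:
        print(rule, "->", check_rule(rule) or "ok")
```

The linter checks command structure only; it does not validate glob patterns, port lists, or whether the named VLANs and ACLs exist on the switch.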
