3Com 3CRWX120695A, 3CRWX440095A Configuration Manual page 325

Wireless lan switch and controller

Overriding or Adding Attributes Locally with a Location Policy
For example, the following command denies network access to all users
matching *.theirfirm.com, causing them to fail authorization:
WX1200# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all
users who do not match *.ourfirm.com:
WX1200# set location policy permit vlan guest_1 if user neq *.ourfirm.com
The following command places all users who are authorized for SSID
tempvendor_a into VLAN kiosk_1:
WX1200# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
Applying Security ACLs in a Location Policy Rule
When reassigning security ACL filters, specify whether the filter is an
input filter or an output filter, as follows:
Input filter — Use inacl inacl-name to filter traffic that enters the
switch from users via a MAP access port or wired authentication port,
or from the network via a network port.
Output filter — Use outacl outacl-name to filter traffic sent from the
switch to users via a MAP access port or wired authentication port, or
from the network via a network port.
For example, the following command authorizes users at
*.ny.ourfirm.com to access the bld4.tac VLAN, and applies the security
ACL tac_24 to the traffic they receive:
WX1200# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names
matching bld4.* and applies security ACLs svcs_2 to the traffic they send
and svcs_3 to the traffic they receive:
WX1200# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*
You can optionally add the suffixes .in and .out to inacl-name and
outacl-name for consistency with their usage in entries stored in the local
WX database.
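The following Python sketch is an added example, not part of the 3Com manual or the switch software. It parses the rule forms shown in this section, normalizes ACL names to the suffixed .in/.out form, and flags rules that reference a VLAN missing from an inventory. The names parse, lint, PAGE_RULES and KNOWN_VLANS are hypothetical, the VLAN inventory is constructed, and fnmatch-style wildcard matching is an assumption standing in for the switch's own glob matching.

```python
import re
from collections import namedtuple
from fnmatch import fnmatchcase

# Only the command forms shown on this page; other condition types are not modelled.
RULE = re.compile(
    r"set location policy (?P<action>deny|permit)"
    r"(?P<attrs>(?: (?:vlan|inacl|outacl) \S+)*)"
    r" if (?P<field>user|vlan|ssid) (?P<op>eq|neq) (?P<glob>\S+)$")

Rule = namedtuple("Rule", "action attrs field op glob")

def parse(line):
    """Parse one rule; a leading prompt and wrapped whitespace are tolerated."""
    m = RULE.search(" ".join(line.split()))
    if not m:
        raise ValueError(f"not a location policy rule: {line!r}")
    words = m["attrs"].split()
    attrs = dict(zip(words[0::2], words[1::2]))
    # .in/.out are optional on the command line; store the suffixed form.
    for key, suffix in (("inacl", ".in"), ("outacl", ".out")):
        if key in attrs and not attrs[key].endswith((".in", ".out")):
            attrs[key] += suffix
    return Rule(m["action"], attrs, m["field"], m["op"], m["glob"])

def lint(rules, known_vlans):
    """Return (rule_number, message) pairs for rules that deserve a second look."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.attrs.get("inacl", "").endswith(".out") or r.attrs.get("outacl", "").endswith(".in"):
            findings.append((n, "ACL suffix contradicts the inacl/outacl keyword"))
        if "vlan" in r.attrs and r.attrs["vlan"] not in known_vlans:
            findings.append((n, f"assigns unknown VLAN {r.attrs['vlan']}"))
        # Assumption: fnmatch-style '*' stands in for the switch's glob matching.
        if r.field == "vlan" and r.op == "eq" and not any(
                fnmatchcase(v, r.glob) for v in known_vlans):
            findings.append((n, f"glob {r.glob} matches no known VLAN"))
    return findings

PAGE_RULES = [parse(c) for c in (  # the five commands from this section
    "WX1200# set location policy deny if user eq *.theirfirm.com",
    "WX1200# set location policy permit vlan guest_1 if user neq *.ourfirm.com",
    "WX1200# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a",
    "WX1200# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com",
    "WX1200# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*",
)]
KNOWN_VLANS = ["guest_1", "kiosk_1", "bld4.tac"]  # constructed inventory
```

Calling lint(PAGE_RULES, KNOWN_VLANS) against this constructed inventory reports only the fifth rule, whose condition glob bldg4.* matches none of the listed VLANs, so its ACLs would not be applied to any of them.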