Aruba IAP-335 User Manual page 137

You can configure up to 128 access rules for guest user roles through the Instant UI or the CLI.
In the Instant UI
To configure roles and access rules for the guest network:
1. On the Access Rules tab, set the slider to any of the following types of access control:
Unrestricted—Select this to set unrestricted access to the network.
l
Network-based—Set the slider to Network-based to set common rules for all users in a network. The
l
Allow any to all destinations access rule is enabled by default. This rule allows traffic to all
destinations. To define an access rule:
a. Click New.
b. Select appropriate options in the New Rule window.
c. Click OK.
Role-based—Select Role-based to enable access based on user roles.
l
For role-based access control:
Create a user role if required. For more information, see
n
Create access rules for a specific user role. For more information, see
n
Network Services on page
authentication for an SSID with the 802.1X authentication method. For more information, see
Configuring Captive Portal Roles for an SSID on page
Create a role assignment rule. For more information, see
n
Instant supports role derivation based on the DHCP option for captive portal authentication. When
the captive portal authentication is successful, a new user role is assigned to the guest users based on
DHCP option configured for the SSID profile instead of the pre-authenticated role.
2. Click Finish.
In the CLI
To configure access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start-port> <end-
port> {permit|deny|src-nat|dst-nat{<IP-address> <port>|<port>}}| app <app> {permit|deny}|
appcategory <appgrp>|webcategory <webgrp> {permit|deny}|webreputation <webrep>
[<option1....option9>]
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To configure access control rules based on the SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-by-ssid
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-
with|contains|matches-regular-expression}<operator><role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-pre-auth <role>
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
182. You can also configure an access rule to enforce captive portal
Configuring User Roles.
Configuring ACL Rules for
138.
Configuring Derivation Rules on page
Captive Portal for Guest Access |
201.
137