Final Filter Rule; Filtering Sequence - Extreme Networks Summit WM User Manual

interface point on the WM-AD. These filters are applied after the user's specific WM-AD state
assigned filters.
- Non-authenticated filter with filtering rules that apply before authentication - Controls network access and directs users to a Captive Portal Web page for login.
- Group filters, by filter ID, for designated user groups - Controls access to certain areas of the network, with values that match the values defined for the RADIUS filter ID attribute.
- Default filter - Controls access if there is no matching filter ID for a user.

Within each type of filter, define a sequence of filtering rules. The rules must be arranged in the order in which you want them to take effect. Each rule is defined to allow or deny traffic in either direction:
- In - From a wireless device in to the network
- Out - From the network out to a wireless device

Final filter rule

The final rule in any filter should act as a catch-all for any traffic that did not match an earlier rule in that filter. This final rule should either allow all or deny all traffic, depending on the requirements for network access. For example, the final rule in a non-authenticated filter for Captive Portal is typically deny all. A final allow all rule in a default filter will ensure that a packet is not dropped entirely if no other match can be found.

A default rule of deny all is automatically created by the system for initial filter definitions. The administrator can change the action to allow all. However, a default filter rule cannot be removed. Since a default filter rule provides a catch-all default behavior for packet handling, all applicable user-defined filter rules must be defined prior to this rule.

Each rule can be based on any one of the following:
- Destination IP address or any IP address within a specified range that is on the network subnet (as a wildcard)
- Destination ports, by number and range
- Protocols (UDP, TCP, etc.)

Filtering sequence

The filtering sequence depends on the type of authentication used:
- No authentication (network assignment by SSID)
  Only the default filter will apply. Specific network access can be defined.
- Authentication by captive portal (network assignment by SSID)
  The non-authenticated filter will apply before authentication. Specific network access can be defined. The filter should also include rules that allow DNS requests and allow all users to get as far as the Captive Portal Web page, where the user can enter login identification for authentication. When authentication is returned, the filter ID group filters are applied. If no filter ID matches are found, then the default filter is applied. The filter ID group is an optional behavior specification. If a filter ID is not returned, or an invalid one is returned, the default filter group is applied.
- Authentication by AAA (802.1X)
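
The captive portal sequence and the final-rule behaviour described above, modelled as an added example (not code from the manual or the controller). It assumes the first matching rule in a filter decides the packet; the addresses, the portal port and the filter ID "staff" are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    allow: bool
    net: str = "0.0.0.0/0"           # destination IP address or subnet
    proto: str = "any"               # "tcp", "udp" or "any"
    ports: range = range(0, 65536)   # destination port range

    def matches(self, dst, proto, port):
        return (ipaddress.ip_address(dst) in ipaddress.ip_network(self.net)
                and self.proto in ("any", proto) and port in self.ports)

def evaluate(rules, dst, proto, port):
    """First matching rule decides (assumed); the final catch-all always matches."""
    for rule in rules:
        if rule.matches(dst, proto, port):
            return rule.allow
    raise ValueError("filter has no final catch-all rule")

def select_filter(filters, authenticated, filter_id=None):
    """Non-authenticated filter before login, then filter ID group, else default."""
    if not authenticated:
        return filters["non_auth"]
    return filters["groups"].get(filter_id, filters["default"])

# Constructed policy: addresses, portal port 443 and filter ID "staff" are hypothetical.
FILTERS = {
    "non_auth": [
        Rule(True, proto="udp", ports=range(53, 54)),                         # DNS requests
        Rule(True, net="192.0.2.10/32", proto="tcp", ports=range(443, 444)),  # portal page
        Rule(False),                                                          # final: deny all
    ],
    "groups": {"staff": [Rule(True, net="10.0.0.0/8"), Rule(False)]},
    "default": [Rule(False, net="10.0.0.0/8"), Rule(True)],                   # final: allow all
}

def decide(authenticated, filter_id, dst, proto, port):
    rules = select_filter(FILTERS, authenticated, filter_id)
    return "allow" if evaluate(rules, dst, proto, port) else "deny"

if __name__ == "__main__":
    print(decide(False, None, "198.51.100.5", "tcp", 80))   # before login
    print(decide(True, "staff", "10.1.2.3", "tcp", 22))     # matching group filter
    print(decide(True, "bogus", "10.1.2.3", "tcp", 22))     # invalid ID: default filter
```

Placing a broad rule ahead of a narrower one changes the outcome under this model, which is why the catch-all has to stay last in the sequence.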
Summit WM User Guide, Software Version 5.3