AAA Commands

vlan operator vlan-wildcard

VLAN-Name attribute assigned by AAA and condition by which to determine if the location policy rule applies. Replace operator with one of the following operands:

eq—Applies the location policy rule to all users assigned VLAN names matching vlan-wildcard.

neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-wildcard.

For vlan-wildcard, specify a VLAN name, use the double-asterisk wildcard character (**) to specify all VLAN names, or use the single-asterisk wildcard character (*) to specify a set of VLAN names up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “VLAN Wildcards” on page 13.)

user operator user-wildcard

Username and condition by which to determine if the location policy rule applies. Replace operator with one of the following operands:

eq—Applies the location policy rule to all usernames matching user-wildcard.

neq—Applies the location policy rule to all usernames not matching user-wildcard.

For user-wildcard, specify a username, use the double-asterisk wildcard character (**) to specify all usernames, or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first delimiter character, either an at sign (@) or a period (.). (For details, see “User Wildcards” on page 12.)

before rule-number

Inserts the new location policy rule in front of another rule in the location policy. Specify the number of the existing location policy rule. (To determine the number, use the show location policy command.)

modify rule-number

Replaces the rule in the location policy with the new rule. Specify the number of the existing location policy rule. (To determine the number, use the show location policy command.)

port port-list

List of physical port(s) by which to determine if the location policy rule applies.

Defaults By default, users are permitted VLAN access and assigned security ACLs according to the VLAN-Name and Filter-Id attributes applied to the users during normal authentication and authorization.

Access Enabled.

Usage Only a single location policy is allowed per WSS. The location policy can contain up to 150 rules. Once configured, the location policy becomes effective immediately. To disable location policy operation, use the clear location policy command.

Conditions within a rule are ANDed. All conditions in the rule must match in order for WSS Software to take the specified action. If the location policy contains multiple rules, WSS Software compares the user information to the rules one at a time, in the order the rules appear in the switch’s configuration file, beginning with the rule at the top of the list. WSS Software continues comparing until a user matches all conditions in a rule or until there are no more rules.

The order of rules in the location policy is important to ensure users are properly granted or denied access, because the first rule whose conditions all match is the one that takes effect. To position rules within the location policy, use before rule-number and modify rule-number in the set location policy command, and the clear location policy rule-number command.
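The following is an added worked example, not code from the Nortel manual or from WSS Software. It models the evaluation rules stated above (conditions within a rule ANDed, rules compared top to bottom, first match wins, no match falls back to the AAA defaults) together with the ** and * wildcards and the before/modify rule positioning. The reading of the single asterisk as "the part of the name up to the first @ or . , or the part following it", case-insensitive comparison, and the simplified Rule and Session structures are assumptions, since the "User Wildcards" and "VLAN Wildcards" sections are not on this page.

```python
"""Model of WSS location-policy evaluation as described on this page.

Added example, not code from the Nortel manual or WSS Software.  Assumed:
the '*' wildcard reading ("up to or following the first '@' or '.'"), that
comparisons are case-insensitive, and the simplified Rule/Session shapes.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DELIMITERS = "@."
MAX_RULES = 150        # the page: a location policy can contain up to 150 rules


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a username or VLAN name against a WSS-style wildcard.

    '**' matches every name.  A single '*' stands for the part of the name
    up to the first delimiter ('*@example.com') or following it ('jose@*');
    this reading of the page text is an assumption.  Anything else is an
    exact comparison (assumed case-insensitive).
    """
    pattern, value = pattern.lower(), value.lower()
    if pattern == "**":
        return True
    if "*" not in pattern:
        return pattern == value
    first = next((i for i, ch in enumerate(value) if ch in DELIMITERS), None)
    if first is None:
        return False                       # no delimiter: '*' has nothing to stand for
    if pattern.startswith("*"):
        return pattern[1:] == value[first:]          # '*@example.com'
    if pattern.endswith("*"):
        return pattern[:-1] == value[:first + 1]     # 'jose@*'
    return False                           # '*' is only meaningful at either end


@dataclass
class Rule:
    action: str                                # "permit" or "deny"
    user: Optional[Tuple[str, str]] = None     # (operator, user-wildcard)
    vlan: Optional[Tuple[str, str]] = None     # (operator, vlan-wildcard)
    ports: Optional[frozenset] = None          # port-list; None means any port


@dataclass
class Session:
    username: str
    vlan: str          # VLAN-Name attribute returned by AAA
    port: int


def condition_holds(cond: Optional[Tuple[str, str]], value: str) -> bool:
    """eq: the rule applies when the wildcard matches; neq: when it does not."""
    if cond is None:
        return True
    operator, wildcard = cond
    hit = wildcard_match(wildcard, value)
    return hit if operator == "eq" else not hit


def evaluate(policy: list, session: Session):
    """First-match evaluation: all conditions in a rule are ANDed and rules
    are tried from the top.  Returns (rule number, rule), or None when no
    rule matched, in which case the AAA VLAN-Name/Filter-Id defaults apply."""
    for number, rule in enumerate(policy, start=1):
        if (condition_holds(rule.user, session.username)
                and condition_holds(rule.vlan, session.vlan)
                and (rule.ports is None or session.port in rule.ports)):
            return number, rule
    return None


def insert_before(policy: list, rule_number: int, rule: Rule) -> None:
    """Equivalent of 'set location policy ... before rule-number'."""
    if len(policy) >= MAX_RULES:
        raise ValueError("location policy is limited to 150 rules")
    policy.insert(rule_number - 1, rule)


def modify(policy: list, rule_number: int, rule: Rule) -> None:
    """Equivalent of 'set location policy ... modify rule-number'."""
    policy[rule_number - 1] = rule


def demo() -> dict:
    """Constructed rules and sessions showing why rule order matters."""
    policy = [
        Rule("permit", user=("eq", "*@example.com")),                 # rule 1
        Rule("deny", vlan=("eq", "guest"), ports=frozenset({3})),     # rule 2
    ]
    alice = Session("alice@example.com", "guest", 3)
    first = evaluate(policy, alice)        # rule 1 permits; rule 2 is never reached
    insert_before(policy, 1, Rule("deny", vlan=("eq", "guest"), ports=frozenset({3})))
    second = evaluate(policy, alice)       # the deny rule is now rule 1 and wins
    unmatched = evaluate(policy, Session("carol@other.org", "staff", 7))
    return {
        "before_reorder": (first[0], first[1].action),
        "after_reorder": (second[0], second[1].action),
        "unmatched": unmatched,            # None: AAA defaults apply
    }


if __name__ == "__main__":
    print(demo())
```

On a real WSS the rule numbers passed to before and modify come from show location policy; the model above numbers rules from 1 in configuration order for the same reason. The demo shows the failure mode the Usage text warns about: a broad permit placed above a narrower deny means the deny is never evaluated, and only moving the deny in front of it changes the outcome.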

When applying security ACLs:

NN47250-100 (Version 02.51)

Page 204