458 Configuring AAA for Network Users

Setting the Location Policy

To enable the location policy function on an WSS switch, you must create at least one location policy rule with one of the following commands:

set location policy deny if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | dap dap-num} [before rule-number | modify rule-number]

set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | dap dap-num} [before rule-number | modify rule-number]

Note. Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.

You must specify whether to permit or deny access, and you must identify a VLAN, username, or access point to match. Use one of the following operators to specify how the rule must match the VLAN or username:

eq—Applies the location policy rule to all users assigned VLAN names matching vlan-wildcard or having usernames that match user-wildcard.

(Like a user wildcard, a VLAN wildcard is a way to group VLANs for use in this command. For more information, see “VLAN Wildcards” on page 40.)

neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-wildcard or having usernames that do not match user-wildcard.

For example, the following command denies network access to all users matching *.theirfirm.com, causing them to fail authorization:

23x0# set location policy deny if user eq *.theirfirm.com

The following command authorizes access to the guest_1 VLAN for all users who do not match *.ourfirm.com:

23x0# set location policy permit vlan guest_1 if user neq *.ourfirm.com

The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:

23x0# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
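To make the rule semantics concrete, the following Python model shows how the three rules above combine, including what happens when a later command is inserted with before rule-number. It is an added example written for this page, not Nortel software. It assumes that rules are evaluated in order with the first match winning, that a session matched by no rule keeps the VLAN and ACLs assigned by AAA, and that user and VLAN wildcards treat only `*` as special (case-sensitive). The ACL names kiosk-in and kiosk-out and the sample sessions are constructed.

```python
"""Model of WSS location-policy rule evaluation (added example, not Nortel code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MATCH_KEYS = ("ssid", "vlan", "user", "port", "dap")   # the "if" alternatives


@dataclass
class LocationRule:
    action: str                  # "permit" or "deny"
    match_key: str               # session attribute tested by the "if" clause
    operator: Optional[str]      # "eq"/"neq" for ssid, vlan, user; None for port, dap
    pattern: str
    vlan: Optional[str] = None   # reassignments, permit rules only
    inacl: Optional[str] = None
    outacl: Optional[str] = None


def wildcard_match(value: str, pattern: str) -> bool:
    """Glob in which only '*' is special (assumed WSS user/VLAN wildcard semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_rule(cmd: str) -> Tuple[LocationRule, Optional[int], Optional[int]]:
    """Parse one 'set location policy ...' line into (rule, before, modify)."""
    tokens = cmd.split()
    if tokens[:3] != ["set", "location", "policy"] or tokens[3] not in ("permit", "deny"):
        raise ValueError("not a location policy command: %s" % cmd)
    before = modify = None
    if len(tokens) >= 2 and tokens[-2] in ("before", "modify"):   # trailing option
        if tokens[-2] == "before":
            before = int(tokens[-1])
        else:
            modify = int(tokens[-1])
        tokens = tokens[:-2]
    if "if" not in tokens:
        raise ValueError("a rule must carry an 'if' clause")
    if_idx = tokens.index("if")
    action, assigns, cond = tokens[3], tokens[4:if_idx], tokens[if_idx + 1:]
    if not cond or cond[0] not in MATCH_KEYS:
        raise ValueError("missing or unknown match clause")
    rule = LocationRule(action=action, match_key=cond[0], operator=None, pattern="")
    if cond[0] in ("ssid", "vlan", "user"):
        if len(cond) != 3 or cond[1] not in ("eq", "neq"):
            raise ValueError("expected '%s eq|neq <value>'" % cond[0])
        if cond[0] == "ssid" and "*" in cond[2]:
            raise ValueError("wildcards are not supported in SSID names")
        rule.operator, rule.pattern = cond[1], cond[2]
    else:
        if len(cond) != 2:
            raise ValueError("expected '%s <value>'" % cond[0])
        rule.pattern = cond[1]
    if action == "deny" and assigns:
        raise ValueError("deny rules take no vlan/inacl/outacl")
    if action == "permit" and (not assigns or len(assigns) % 2):
        raise ValueError("permit rules need vlan/inacl/outacl name pairs")
    for key, val in zip(assigns[::2], assigns[1::2]):
        if key not in ("vlan", "inacl", "outacl"):
            raise ValueError("unknown permit attribute %s" % key)
        setattr(rule, key, val)
    return rule, before, modify


def apply_command(rules: List[LocationRule], cmd: str) -> List[LocationRule]:
    """Append the rule, or honour 'before N' / 'modify N' (rule numbers are 1-based)."""
    rule, before, modify = parse_rule(cmd)
    if modify is not None:
        rules[modify - 1] = rule
    elif before is not None:
        rules.insert(before - 1, rule)
    else:
        rules.append(rule)
    return rules


def rule_matches(rule: LocationRule, session: Dict[str, str]) -> bool:
    value = session.get(rule.match_key, "")
    if rule.match_key in ("vlan", "user"):
        hit = wildcard_match(value, rule.pattern)
    else:                                   # ssid, port, dap: exact match only
        hit = value == rule.pattern
    return (not hit) if rule.operator == "neq" else hit


def evaluate(rules: List[LocationRule], session: Dict[str, str]) -> Dict[str, Optional[str]]:
    """First matching rule wins (assumption); no match keeps the AAA-assigned attributes."""
    result = {"access": "permit", "vlan": session.get("vlan"),
              "inacl": session.get("inacl"), "outacl": session.get("outacl"), "rule": None}
    for number, rule in enumerate(rules, start=1):
        if not rule_matches(rule, session):
            continue
        result["rule"] = number
        if rule.action == "deny":
            result["access"] = "deny"
        else:
            for attr in ("vlan", "inacl", "outacl"):
                if getattr(rule, attr) is not None:
                    result[attr] = getattr(rule, attr)
        break
    return result


# The three rules from the page, then a constructed fourth one inserted before rule 2.
POLICY_COMMANDS = [
    "set location policy deny if user eq *.theirfirm.com",
    "set location policy permit vlan guest_1 if user neq *.ourfirm.com",
    "set location policy permit vlan kiosk_1 if ssid eq tempvendor_a",
    "set location policy permit vlan kiosk_1 inacl kiosk-in outacl kiosk-out "
    "if ssid eq tempvendor_a before 2",
]


def build_policy(commands=POLICY_COMMANDS) -> List[LocationRule]:
    rules: List[LocationRule] = []
    for cmd in commands:
        apply_command(rules, cmd)
    return rules


def decide(session: Dict[str, str]) -> Dict[str, Optional[str]]:
    return evaluate(build_policy(), session)


if __name__ == "__main__":
    # Constructed sessions: the "vlan" value stands for what AAA assigned before the policy ran.
    for s in ({"user": "bob.theirfirm.com", "ssid": "corp", "vlan": "red"},
              {"user": "eve.example.net", "ssid": "tempvendor_a", "vlan": "red"},
              {"user": "alice.example.net", "ssid": "corp", "vlan": "red"},
              {"user": "carol.ourfirm.com", "ssid": "corp", "vlan": "eng"}):
        print(s["user"], "->", decide(s))
```

Because the constructed fourth command is inserted before rule 2, a guest on SSID tempvendor_a now lands in kiosk_1 with both ACLs rather than in guest_1, and the original kiosk_1 rule (now rule 4) is never reached for that SSID. Rule order, not the order in which the commands were typed, decides the outcome.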

Applying Security ACLs in a Location Policy Rule

When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows:

Input filter—Use inacl inacl-name to filter traffic that enters the switch from users through an AP access point or wired authentication port, or from the network through a network port.

Output filter—Use outacl outacl-name to filter traffic sent from the switch to users through an AP access point or wired authentication port, or from the network through a network port.

320657-A
