3Com WX2200 3CRWX220095A Switch User Manual

Overriding or Adding Attributes Locally with a Location Policy 499
SSID means the VLAN is set on the roamed-to switch, in the service
profile for the SSID the user is associated with. (The Vlan-name
attribute is set by the set service-profile name attr vlan-name
vlan-id command, entered on the roamed-to switch. The name is the
name of the service profile for the SSID the user is associated with.)
As shown in Table 46, even when keep-initial-vlan is set, a user’s
VLAN can be reassigned by AAA or a location policy.
The keep-initial-vlan option does not apply to Web-Portal clients. Instead,
VLAN assignment for roaming Web-Portal clients automatically works the
same way as when keep-initial-vlan is enabled. The VLAN initially
assigned to a Web-Portal user is not changed except by a location policy,
AAA, or SSID default setting on the roamed-to switch.
To enable keep-initial-vlan, use the following command:
set service-profile name keep-initial-vlan {enable | disable}
Enter this command on the switch that will be roamed to by users.
The following command enables the keep-initial-vlan option on service
profile sp3:
WX1200# set service-profile sp3 keep-initial-vlan enable
success: change accepted.
Overriding or
Adding Attributes
Locally with a
Location Policy
During the login process, the AAA authorization process is started immediately
after clients are authenticated to use the WX switch. During authorization,
MSS assigns the user to a VLAN and applies optional user attributes, such as a
session timeout value and one or more security ACL filters.
A location policy is a set of rules that enables you to locally set or change
authorization attributes for a user after the user is authorized by AAA,
without making changes to the AAA server. For example, you might want
to enforce VLAN membership and security ACL policies on a particular
WX based on a client’s organization or physical location, or assign a
VLAN to users who have no AAA assignment. For these situations, you
can configure the location policy on the switch.
You can use a location policy to locally set or change the Filter-Id and
VLAN-Name authorization attributes obtained from AAA.