Open as PDF
500 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
About the Location
Each WX switch can have one location policy. The location policy consists of
a set of rules. Each rule contains conditions, and an action to perform if all
conditions in the rule match. The location policy can contain up to 50 rules.
The action can be one of the following:
Deny access to the network
Permit access, but set or change the user’s VLAN assignment, inbound
ACL, outbound ACL, or any combination of these attributes
The conditions can be one or more of the following:
MAP access port, Distributed MAP number, or wired authentication
port through which the user accessed the network
SSID name with which the user is associated
Conditions within a rule are ANDed. All conditions in the rule must match
in order for MSS to take the specified action. If the location policy
contains multiple rules, MSS compares the user information to the rules
one at a time, in the order the rules appear in the switch’s configuration
file, beginning with the rule at the top of the list. MSS continues
comparing until a user matches all conditions in a rule or until there are
no more rules.
Any authorization attributes not changed by the location policy remain
How the Location
Policy Differs from a
Although structurally similar, the location policy and security ACLs have
different functions. The location policy on a WX switch can be used to
locally redirect a user to a different VLAN or locally control the traffic to
and from a user.
In contrast, security ACLs are packet filters applied to the user throughout
a Mobility Domain. (For more information, see Chapter 19, “Configuring
and Managing Security ACLs,” on page 377.)
You can use the location policy to locally apply a security ACL to a user.