502 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS
The following command places all users who are authorized for SSID
tempvendor_a into VLAN kiosk_1:
set location policy permit vlan kiosk_1 if ssid eq
success: change accepted.
Applying Security ACLs in a Location Policy Rule
When reassigning security ACL filters, specify whether the filter is an
input filter or an output filter, as follows:
Input filter — Use inacl inacl-name to filter traffic that enters the
switch from users via a MAP access port or wired authentication port,
or from the network via a network port.
Output filter — Use outacl outacl-name to filter traffic sent from the
switch to users via a MAP access port or wired authentication port, or
from the network via a network port.
For example, the following command authorizes users at
*.ny.ourfirm.com to access the bld4.tac VLAN, and applies the security
ACL tac_24 to the traffic they receive:
WX1200# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names
matching bld4.* and applies security ACLs svcs_2 to the traffic they send
and svcs_3 to the traffic they receive:
WX1200# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*
You can optionally add the suffixes .in and .out to inacl-name and
outacl-name for consistency with their usage in entries stored in the local
Displaying and Positioning Location Policy Rules
The order of location policy rules is significant. MSS checks a location
policy rule that is higher in the list before those lower in the list. Rules are
listed in the order in which you create them, unless you move them.
To position location policy rules within the location policy, use before
rule-number and modify rule-number in the set location policy
command, or use the clear location policy rule-number command.
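To show why rule order is significant, the following Python model (an added example, not 3Com code or MSS output) parses the two set location policy commands shown above and evaluates one session against them in both orders. It assumes that the first matching rule decides the outcome and uses Python's fnmatch as a stand-in for MSS glob matching; the session values are constructed.

```python
import fnmatch

# The two rules shown on this page, in the order they appear.
PAGE_RULES = [
    "WX1200# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com",
    "WX1200# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*",
]

def parse_rule(cmd):
    """Parse 'set location policy permit [vlan V] [inacl A] [outacl B] if ATTR eq GLOB'."""
    tokens = cmd.split()
    if tokens and tokens[0].endswith("#"):   # drop a CLI prompt such as 'WX1200#'
        tokens = tokens[1:]
    if tokens[:4] != ["set", "location", "policy", "permit"] or "if" not in tokens:
        raise ValueError("unsupported command: " + cmd)
    split = tokens.index("if")
    actions, cond = tokens[4:split], tokens[split + 1:]
    if len(actions) % 2 or len(cond) != 3 or cond[1] != "eq":
        raise ValueError("unsupported rule form: " + cmd)
    rule = {"attr": cond[0], "glob": cond[2], "actions": {}}
    for key, value in zip(actions[0::2], actions[1::2]):
        if key not in ("vlan", "inacl", "outacl"):
            raise ValueError("unknown action keyword: " + key)
        rule["actions"][key] = value
    return rule

def evaluate(rules, session):
    """Return (rule number, resulting session) for the first rule that matches.

    Assumption: the first match decides. fnmatch stands in for MSS glob matching.
    """
    for number, rule in enumerate(rules, start=1):
        if fnmatch.fnmatchcase(session.get(rule["attr"], ""), rule["glob"]):
            return number, {**session, **rule["actions"]}
    return None, dict(session)

if __name__ == "__main__":
    rules = [parse_rule(c) for c in PAGE_RULES]
    # Constructed session that satisfies both rules' conditions.
    session = {"user": "geetha.ny.ourfirm.com", "vlan": "bldg4.lab"}
    for label, ordered in (("as listed", rules), ("swapped", rules[::-1])):
        number, result = evaluate(ordered, session)
        print(label, "-> rule", number, result)
```

With the rules as listed, the session is moved to bld4.tac with only tac_24 applied; with the order swapped, it stays in its original VLAN and gets svcs_2 and svcs_3 instead.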