Nortel Networks 2300 Switch User Manual
540 Configuring AAA for network users
NN47250-500 (320657-F Version 02.01)
Setting the location policy
To enable the location policy function on a WSS, you must create at least one location policy rule with one of the following commands:

set location policy deny if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | ap ap-num} [before rule-number | modify rule-number]

set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | ap ap-num} [before rule-number | modify rule-number]
You must specify whether to permit or deny access, and you must identify the condition to match: an SSID, a VLAN, a username, a port list, or an AP. Use one of the following operators to specify how the rule must match the SSID, VLAN, or username:

eq—Applies the location policy rule to all users assigned VLAN names matching vlan-wildcard or having usernames that match user-wildcard. (Like a user wildcard, a VLAN wildcard is a way to group VLANs for use in this command. For more information, see “VLAN wildcards” (page 48).)

neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-wildcard or having usernames that do not match user-wildcard.
For example, the following command denies network access to all users matching *.theirfirm.com, causing them to fail
authorization:
WSS# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all users who do not match *.ourfirm.com:
WSS# set location policy permit vlan guest_1 if user neq *.ourfirm.com
The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:
WSS# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
Applying security ACLs in a location policy rule
When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows:

Input filter—Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port.

Output filter—Use outacl outacl-name to filter traffic sent from the switch to users via an AP access port or wired authentication port, or to the network via a network port.
Note. Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.
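The following is an added example, not Nortel code: a small Python model of the rule syntax and the eq/neq wildcard semantics described above, parsing the page's own example commands and evaluating them against a user session. It assumes that rules are evaluated in order with the first match deciding, that user and VLAN wildcards are glob patterns, that port and ap conditions match a single value, and it enforces the note that SSID names cannot contain an asterisk.

```python
# Added example (not Nortel code): a model of the location policy rules on this page.
# Assumptions: rules are evaluated in order, first match wins; user/VLAN wildcards are
# glob patterns (fnmatch); port/ap match a single value (port lists are not modelled).
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    cond_type: str                  # ssid | vlan | user | port | ap
    value: str                      # name, wildcard, port or AP number
    operator: Optional[str] = None  # eq | neq; None for port/ap
    assign: dict = field(default_factory=dict)  # vlan/inacl/outacl set by a permit rule

def parse_rule(cmd: str) -> Rule:
    """Parse one 'set location policy ...' command ('before'/'modify' not handled)."""
    toks = cmd.split()
    if toks[:3] != ["set", "location", "policy"] or toks[3] not in ("permit", "deny"):
        raise ValueError("not a location policy rule")
    assign, i = {}, 4
    while toks[i] != "if":                    # permit rules carry vlan/inacl/outacl pairs
        assign[toks[i]] = toks[i + 1]
        i += 2
    cond_type = toks[i + 1]
    if cond_type in ("port", "ap"):
        return Rule(toks[3], cond_type, toks[i + 2], assign=assign)
    op, value = toks[i + 2], toks[i + 3]
    if op not in ("eq", "neq"):
        raise ValueError(f"unknown operator {op!r}")
    if cond_type == "ssid" and "*" in value:  # the page's note: no SSID wildcards
        raise ValueError("wildcards are not supported in SSID names")
    return Rule(toks[3], cond_type, value, op, assign)

def matches(rule: Rule, session: dict) -> bool:
    """True if the session attribute named by the rule satisfies its condition."""
    attr = session.get(rule.cond_type)
    if attr is None:
        return False
    if rule.operator is None:
        return str(attr) == rule.value
    hit = fnmatchcase(str(attr), rule.value)
    return hit if rule.operator == "eq" else not hit

def evaluate(rules, session):
    """First matching rule decides: ('deny', {}) or ('permit', {...}); None if no rule matches."""
    for rule in rules:
        if matches(rule, session):
            return rule.action, rule.assign
    return None
```

A session that matches no rule returns None, which is where the switch's default behaviour (outside the scope of this model) would apply.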