Specifications
8-42 AAA Commands
The order of rules in the location policy is important to ensure users are properly granted or denied access. To position rules within the location policy, use before rule-number and modify rule-number in the set location policy command, and the clear location policy rule-number command.
When applying security ACLs:
• Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port.
• Use outacl outacl-name to filter traffic sent from the switch to users via an AP access port or wired authentication port, or to the network via a network port.
• You can optionally add the suffixes .in and .out to inacl-name and outacl-name so that they match the names of security ACLs stored in the local RAS database.
Example
The following command denies network access to all users at *.theirfirm.com, causing them to fail authorization:
RBT-8100# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all users who are not at *.wodefirm.com:
RBT-8100# set location policy permit vlan guest_1 if user neq *.wodefirm.com
The following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN instead, and applies the security ACL tac_24 to the traffic they receive:
RBT-8100# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names matching bld4.* and applies security ACL svcs_2 to the traffic they send and svcs_3 to the traffic they receive:
RBT-8100# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bld4.*
The following command authorizes users entering the network on RAS ports 3 through 7 and port 12 to use the floor2 VLAN, overriding any settings from AAA:
RBT-8100# set location policy permit vlan floor2 if port 3-7,12
The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:
RBT-8100# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
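The rule-ordering note above and the examples that follow it are easier to reason about with a small model of how a location policy is evaluated. The following is an added illustration written for this page, not code from the switch software; it assumes (the page does not spell this out) that rules are checked top to bottom and the first rule that matches a session is applied, and that a session matching no rule simply keeps its AAA result. The parse_rule, evaluate, set_location_policy and clear_location_policy names are hypothetical, and the session values are constructed.

```python
"""Toy model of location-policy ordering (added illustration, not MSS code).

Assumptions not stated on the page: rules are checked top to bottom and the
first match wins; a session matching no rule keeps its AAA-assigned settings.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    action: str                                          # "permit" or "deny"
    attrs: Dict[str, str] = field(default_factory=dict)  # vlan / inacl / outacl
    cond: str = ""                                       # user | vlan | port | ssid
    op: str = "eq"                                       # "eq" or "neq"
    pattern: str = ""                                    # glob for user/vlan, name for ssid
    ports: Set[int] = field(default_factory=set)


@dataclass
class Session:
    """Constructed view of an authenticating user: name, current VLAN, port, SSID."""
    user: str
    vlan: str = ""
    port: int = 0
    ssid: str = ""


def parse_ports(spec: str) -> Set[int]:
    """Expand a port list such as '3-7,12' into {3, 4, 5, 6, 7, 12}."""
    ports: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(text: str) -> Rule:
    """Parse the arguments of 'set location policy', e.g.
    'permit vlan guest_1 if user neq *.wodefirm.com'."""
    before, _, after = text.partition(" if ")
    words = before.split()
    rule = Rule(action=words[0])
    for key, val in zip(words[1::2], words[2::2]):  # vlan/inacl/outacl pairs
        rule.attrs[key] = val
    cond = after.split()
    rule.cond = cond[0]
    if rule.cond == "port":
        rule.ports = parse_ports(cond[1])
    else:
        rule.op, rule.pattern = cond[1], cond[2]
    return rule


def matches(rule: Rule, s: Session) -> bool:
    """Does this rule's 'if' condition match the session?"""
    if rule.cond == "port":
        return s.port in rule.ports
    value = {"user": s.user, "vlan": s.vlan, "ssid": s.ssid}[rule.cond]
    hit = fnmatch.fnmatchcase(value, rule.pattern)
    return not hit if rule.op == "neq" else hit


def evaluate(rules: List[Rule], s: Session) -> Optional[dict]:
    """First matching rule wins (assumption). Returns its number, action and
    attributes, or None when no rule matches and AAA settings stand."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, s):
            return {"rule": number, "action": rule.action, **rule.attrs}
    return None


def set_location_policy(rules: List[Rule], text: str, before: Optional[int] = None) -> None:
    """Append a rule, or insert it ahead of rule `before` (1-based), like 'before rule-number'."""
    rule = parse_rule(text)
    if before is None:
        rules.append(rule)
    else:
        rules.insert(before - 1, rule)


def clear_location_policy(rules: List[Rule], number: int) -> None:
    """Remove rule `number` (1-based), like 'clear location policy rule-number'."""
    del rules[number - 1]


def demo() -> dict:
    """Show why order matters: the same two rules give opposite results."""
    policy: List[Rule] = []
    set_location_policy(policy, "permit vlan guest_1 if user neq *.wodefirm.com")
    set_location_policy(policy, "deny if user eq *.theirfirm.com")
    visitor = Session(user="bob@sales.theirfirm.com", port=12)  # constructed
    permitted = evaluate(policy, visitor)   # rule 1 matches first: onto guest_1
    clear_location_policy(policy, 2)        # remove the deny ...
    set_location_policy(policy, "deny if user eq *.theirfirm.com", before=1)  # ... and put it first
    denied = evaluate(policy, visitor)      # now the deny is rule 1
    return {"deny_second": permitted, "deny_first": denied}


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the one the page makes in prose: a deny for *.theirfirm.com placed after a broad permit never fires for those users, so the deny has to be inserted with before rule-number (or the permit moved with modify rule-number) for it to take effect.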
Related Commands
• clear location policy on page 8-10
• show location policy on page 8-68