8-42 AAA Commands
The order of rules in the location policy is important to ensure users are properly granted or denied access. To position rules within the location policy, use before rule-number and modify rule-number in the set location policy command, and the clear location policy rule-number command.
When applying security ACLs:
• Use inacl inacl-name to filter traffic that enters the switch from users via an AP access port or wired authentication port, or from the network via a network port.
• Use outacl outacl-name to filter traffic sent from the switch to users via an AP access port or wired authentication port, or to the network via a network port.
• You can optionally add the suffixes .in and .out to inacl-name and outacl-name so that they match the names of security ACLs stored in the local RAS database.
Example
The following command denies network access to all users at *.theirfirm.com, causing them to fail authorization:
RBT-8100# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all users who are not at *.wodefirm.com:
RBT-8100# set location policy permit vlan guest_1 if user neq *.wodefirm.com
The following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN instead, and applies the security ACL tac_24 to the traffic they receive:
RBT-8100# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names matching bldg4.* and applies security ACL svcs_2 to the traffic they send and svcs_3 to the traffic they receive:
RBT-8100# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*
The following command authorizes users entering the network on RAS ports 3 through 7 and port 12 to use the floor2 VLAN, overriding any settings from AAA:
RBT-8100# set location policy permit vlan floor2 if port 3-7,12
The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:
RBT-8100# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
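The ordering point made above, and the consequence of loading the six example commands as one policy, can be seen with a small first-match model. This is an added example written for this page, not switch software or anything taken from the manual. It assumes top-to-bottom evaluation in which the first matching rule decides and a non-matching policy falls through to the AAA-assigned VLAN, shell-style glob matching for user, vlan and ssid values, and constructed usernames such as asmith.ny.ourfirm.com. Loaded in page order, rule 2 (permit vlan guest_1 if user neq *.wodefirm.com) matches every user who is not at *.wodefirm.com, so the bld4.tac rule for *.ny.ourfirm.com is never reached until it is moved ahead of rule 2 with before 2.

```python
"""Ordered location-policy rules modelled in Python (added example, not switch code).
Assumed, not stated on the page: top-to-bottom evaluation, first match wins, no match
keeps the AAA VLAN; user/vlan/ssid values are shell globs; 'port' is a list like 3-7,12."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    field: str                    # "user", "vlan", "ssid" or "port"
    op: str                       # "eq" or "neq" ("eq" for port lists)
    value: str                    # glob, or a port list when field == "port"
    vlan: Optional[str] = None    # VLAN assigned on permit; overrides AAA
    inacl: Optional[str] = None   # ACL on traffic entering the switch
    outacl: Optional[str] = None  # ACL on traffic leaving the switch


def parse_ports(spec: str) -> set[int]:
    """'3-7,12' -> {3, 4, 5, 6, 7, 12}."""
    ports: set[int] = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(cmd: str) -> tuple[Optional[int], Rule]:
    """Parse 'set location policy [before N] permit|deny [vlan V] [inacl A] [outacl B] if <cond>'."""
    tok = cmd.split()
    i, before = 3, None                       # skip 'set location policy'
    if tok[i] == "before":                    # position ahead of existing rule N
        before, i = int(tok[i + 1]), i + 2
    action, i = tok[i], i + 1
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny")
    opts: dict[str, str] = {}
    while tok[i] != "if":                     # vlan / inacl / outacl options
        if tok[i] not in ("vlan", "inacl", "outacl"):
            raise ValueError(f"unknown option {tok[i]}")
        opts[tok[i]], i = tok[i + 1], i + 2
    field, op, value = tok[i + 1], "eq", tok[i + 2]   # 'if port 3-7,12' has no operator
    if field != "port":                                 # 'if user eq *.theirfirm.com'
        op, value = tok[i + 2], tok[i + 3]
        if op not in ("eq", "neq"):
            raise ValueError(f"bad operator {op}")
    return before, Rule(action, field, op, value, opts.get("vlan"),
                        opts.get("inacl"), opts.get("outacl"))


class LocationPolicy:
    def __init__(self, commands=()) -> None:
        self.rules: list[Rule] = []           # rule N lives at index N - 1
        for c in commands:
            self.set(c)

    def set(self, cmd: str) -> None:
        before, rule = parse_rule(cmd)
        pos = len(self.rules) if before is None else before - 1
        self.rules.insert(pos, rule)          # no 'before': appended at the end

    @staticmethod
    def _matches(r: Rule, s: dict) -> bool:
        if r.field == "port":
            return s["port"] in parse_ports(r.value)
        return fnmatchcase(s[r.field], r.value) == (r.op == "eq")

    def evaluate(self, s: dict) -> dict:      # s: user, vlan (from AAA), ssid, port
        for n, r in enumerate(self.rules, start=1):
            if self._matches(r, s):           # first match wins
                if r.action == "deny":
                    return {"rule": n, "action": "deny"}
                return {"rule": n, "action": "permit", "vlan": r.vlan or s["vlan"],
                        "inacl": r.inacl, "outacl": r.outacl}
        return {"rule": None, "action": "permit", "vlan": s["vlan"], "inacl": None, "outacl": None}


PAGE_RULES = [  # the page's separate examples, loaded as one policy in page order
    "set location policy deny if user eq *.theirfirm.com",
    "set location policy permit vlan guest_1 if user neq *.wodefirm.com",
    "set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com",
    "set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*",
    "set location policy permit vlan floor2 if port 3-7,12",
    "set location policy permit vlan kiosk_1 if ssid eq tempvendor_a",
]


def demo() -> dict:
    ny = {"user": "asmith.ny.ourfirm.com", "vlan": "bldg4.eng", "ssid": "corp", "port": 12}  # constructed
    policy = LocationPolicy(PAGE_RULES)
    shadowed = policy.evaluate(ny)   # rule 2 (neq *.wodefirm.com) wins: guest_1, never bld4.tac
    policy.set("set location policy before 2 permit vlan bld4.tac outacl tac_24 "
               "if user eq *.ny.ourfirm.com")
    reordered = policy.evaluate(ny)  # same rule placed ahead of guest_1 now wins
    denied = policy.evaluate({"user": "jdoe.theirfirm.com", "vlan": "default",
                              "ssid": "corp", "port": 5})  # rule 1 denies before the port rule
    aaa = policy.evaluate({"user": "lee.wodefirm.com", "vlan": "eng",
                           "ssid": "corp", "port": 1})     # no match: AAA VLAN kept
    return {"shadowed": shadowed, "reordered": reordered, "denied": denied, "aaa": aaa}
```

Running demo() shows the three outcomes the page's wording implies: a user at *.ny.ourfirm.com lands in guest_1 with no ACL while the bld4.tac rule sits behind the broader neq rule, gets bld4.tac with outacl tac_24 once that rule is inserted with before 2, and a user at *.theirfirm.com is denied by rule 1 even though a later port rule would have permitted the port. The old copy of the bld4.tac rule remains as rule 4 after the insert; on a real switch it would be removed with clear location policy 4.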
Related Commands
clear location policy on page 8-10
show location policy on page 8-68