Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

391

392

393

394

395

396

397

398

399

400

Overriding or Adding Attributes Locally with a Location Policy

17-52 Configuring AAA for Network Users

Overriding or Adding Attributes Locally with a Location Policy

Duringtheloginprocess,theAAAauthorizationprocessisstartedimmediatelyafterclientsare

authenticatedtousetheRoamAboutSwitch.Duringauthorization,MSSassignstheusertoa

VLANandappliesoptionaluserattributes,suchasasessiontimeoutvalueandoneormore

securityACLfilters.

Alocationpolicyis

asetofrulesthatenablesyoutolocallysetorchangeauthorizationattributes

forauseraftertheuserisauthorizedbyAAA,withoutmakingchangestotheAAAserver.For

example,youmightwanttoenforceVLANmembershipandsecurityACLpoliciesonaparticular

RoamAboutSwitchbasedon

aclient’sorganizationorphysicallocation,orassignaVLANto

userswhohavenoAAAassignment.Forthesesituations,youcanconfigurethelocationpolicyon

theswitch.

YoucanusealocationpolicytolocallysetorchangetheFilter‐IdandVLAN‐Nameauthorization

attributesobtainedfrom

AAA.

About the Location Policy

EachRoamAboutswitchcanhaveonelocationpolicy.Thelocationpolicyconsistsofasetofrules.

Eachrulecontainsconditions,andanactiontoperformifallconditionsintherulematch.The

locationpolicycancontainupto150rules.

Theactioncanbeoneofthefollowing:

•Denyaccess

tothenetwork

•Permitaccess,butsetorchangetheuser’sVLANassignment,inboundACL,outboundACL,

oranycombinationoftheseattributes

Theconditionscanbeoneormoreofthefollowing:

•AAA‐assignedVLAN

• Username

• DistributedAPnumber,orwiredauthenticationportthroughwhichtheuseraccessedthe

network

•SSIDnamewith

whichtheuserisassociated

ConditionswithinaruleareANDed.AllconditionsintherulemustmatchinorderforMSSto

takethespecifiedaction.Ifthelocationpolicycontainsmultiplerules,MSScomparestheuser

informationtotherulesoneatatime,intheordertherules

appearintheswitch’sconfiguration

file,beginningwiththeruleatthetopofthelist.MSScontinuescomparinguntilausermatchesall

conditionsinaruleoruntiltherearenomorerules.

Anyauthorizationattributesnotchangedbythe locationpolicyremainactive.

How the Location Policy Differs from a Security ACL

Althoughstructurallysimilar,thelocationpolicyandsecurityACLshavedifferentfunctions.The

locationpolicyonaRoamAboutSwitchcanbeusedtolocallyredirectausertoadifferentVLAN

orlocallycontrolthetraffictoandfromauser.

Incontrast,securityACLsarepacketfiltersappliedtothe

userthroughoutaMobilityDomain.

(Formoreinformation,seeChapter 1 5,ConfiguringandManagingSecurityACLs.)

YoucanusethelocationpolicytolocallyapplyasecurityACLtoauser.