Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

391

392

393

394

395

396

397

398

399

400

Overriding or Adding Attributes Locally with a Location Policy

17-54 Configuring AAA for Network Users

Applying Security ACLs in a Location Policy Rule

WhenreassigningsecurityACLfilters,specifywhetherthefilterisaninputfilteroranoutput

filter,asfollows:

•Inputfilter—Useinaclinacl‐nametofiltertrafficthatenterstheswitchfromusersviaawired

authenticationportorfromthenetworkviaanetworkport.

•Outputfilter—Useoutacloutacl‐name

tofiltertrafficsentfromtheswitchtousers viaawired

authenticationport,orfromthenetworkviaanetworkport.

Examples

Thefollowingcommandauthorizesusersat*.ny.ourfirm.comtoaccessthebld4.tacVLAN,and

appliesthesecurityACLtac_24tothetraffictheyreceive:

RBT-8100# set location policy permit vlan bld4.tac outacl tac_24 if user eq

*.ny.ourfirm.com

ThefollowingcommandauthorizesaccesstousersonVLANswithnamesmatchingbld4.*and

appliessecurityACLssvcs_2tothetraffictheysendandsvcs_3tothetraffictheyreceive:

RBT-8100#setlocationpolicypermitinaclsvcs_2outaclsvcs_3ifvlaneqbldg4.*

Youcanoptionallyaddthesuffixes.inand.outtoinacl‐nameandoutacl‐nameforconsistencywith

theirusageinentriesstoredinthelocalRoamAboutSwitchdatabase.

Displaying and Positioning Location Policy Rules

Theorderoflocationpolicyrulesissignificant.MSSchecksalocat ionpolicyrulethatishigherin

thelistbeforethoselowerinthelist.Rulesarelistedintheorderinwhichyoucreatethem,unless

youmovethem.

Topositionlocationpolicyruleswithinthelocationpolicy,use

beforerule‐numberandmodify

rule‐numberinthesetlocationpolicycommand,orusetheclearlocationpolicyrule‐number

command.

Example

Forexample,supposeyouhaveconfiguredthefollowinglocationpolicyrules:

RBT-8100 show location policy

Id Clauses

----------------------------------------------------------------

1) deny if user eq *.theirfirm.com

2) permit vlan guest_1 if vlan neq *.ourfirm.com

3) permit vlan bld4.tac inacl tac_24.in if user eq *.ny.ourfirm.com

4) permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.*

Tomovethefirstruletotheendofthelistanddisplaytheresults,typethefollowingcommands:

RBT-8100 clear location policy 1

success: clause 1 is removed.

RBT-8100 set location policy deny if user eq *.theirfirm.com

RBT-8100 show location policy