© 2012 Meru Networks, Inc. Configuring Security 135
Policy Enforcement Module
The optional Policy Enforcement Module feature makes it possible to control network content by dropping or allowing traffic based on configured policies applied on a firewall tag associated with a user group. This includes Captive Portal users in release 3.7 and later.
Meru’s firewall is generic, and can be used to prevent any subnet-to-subnet communication, for specific ports or all ports. With the Filter ID, we can also prevent any user from any SSID from accessing specific subnets.
The per-user firewall filtering is implemented either by:
• A Radius-returned filter-id attribute, that is created on the Radius server and assigned to users
• A configured firewall filter-id parameter that is part of the ESS profile configuration and is applied to clients associated with an ESS
For the Radius-based per-user firewall, the returned filter-id attribute is part of the Access-Accept message returned for a user, and is used as the firewall tag. The filtering action is determined by the configured firewall policies for this firewall tag.
In the absence of a Radius configuration, a configured firewall tag in the ESS profile can be used for defining the filtering based on the configured firewall policies. In this case, all users connecting to a given ESS profile are allocated the same firewall tag as configured for the profile.
The policies that filter the traffic are created using the standard QoS qosrule configuration, and the inherent priorities and configuration parameters are described in detail in Chapter 15, “Configuring Quality of Service,” as well as in the qosrule entry in the Meru System Director Command Reference.
Configure Firewall Policies with the CLI
Begin the Policy Enforcement Module configuration by configuring a set of qosrule
policies to manage the traffic.
The following example shows the creation of qosrule 200 as a policy for Firewall
filter-id 1:
default# configure terminal
default(config)# qosrule 200 netprotocol 6 qosprotocol none
default(config-qosrule)# netprotocol-match on
default(config-qosrule)# dstport 80
default(config-qosrule)# dstport-match on
Note:
For successful operation using a Radius configuration, the Filter-id attribute
that is configured on the Radius Server must match that used on the controller. In
some Radius Servers, a Filter ID must be created.
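The tag selection and policy match described above (Filter-Id from the Access-Accept as the firewall tag, the ESS profile tag only when Radius is absent, a qosrule matched by tag, protocol and destination port, and the Note's requirement that the Filter-Id match what the controller expects), as an added Python sketch that is not Meru's code. It parses a constructed Access-Accept and evaluates a qosrule-style table; the rule's action, the default-allow result when nothing matches, and first-match-by-rule-number ordering are assumptions, not taken from this page.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

FILTER_ID = 11  # RFC 2865 Filter-Id attribute type; its value becomes the firewall tag

def filter_id_from_access_accept(packet: bytes) -> str | None:
    """Walk the attribute TLVs of an Access-Accept and return Filter-Id, or None."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):  # code 2 = Access-Accept
        raise ValueError("not a well-formed Access-Accept")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == FILTER_ID:
            return packet[pos + 2:pos + alen].decode("ascii")
        pos += alen
    return None

@dataclass(frozen=True)
class QosRule:
    rule_id: int
    netprotocol: int         # IP protocol number, 6 = TCP
    dstport: int | None      # None = any destination port
    firewall_filter_id: str  # firewall tag this rule applies to
    action: str              # "drop" or "allow"

# Mirrors the page's qosrule 200 (TCP, dstport 80) for filter-id 1; the action is assumed.
RULES = [QosRule(200, 6, 80, "1", "drop")]

def firewall_tag(radius_reply: bytes | None, ess_filter_id: str | None) -> str | None:
    """Radius Filter-Id is the tag; the ESS profile tag applies only without Radius."""
    if radius_reply is not None:
        return filter_id_from_access_accept(radius_reply)
    return ess_filter_id

def evaluate(rules: list[QosRule], tag: str | None, proto: int, dstport: int) -> str:
    """Lowest-numbered matching rule for this tag decides; no match allows (assumed)."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.firewall_filter_id == tag and r.netprotocol == proto \
                and r.dstport in (None, dstport):
            return r.action
    return "allow"

def build_access_accept(filter_id: str | None) -> bytes:
    """Constructed sample reply with a zeroed authenticator (no Message-Authenticator)."""
    attr = b"" if filter_id is None else bytes([FILTER_ID, 2 + len(filter_id)]) + filter_id.encode()
    return struct.pack("!BBH", 2, 1, 20 + len(attr)) + bytes(16) + attr
```

A Filter-Id that the Radius server spells differently from the controller's firewall tag (for example "one" instead of "1") matches no policy, which is the mismatch the Note warns about.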