Hub/Switch Reference Guide

204 AAA Commands
NN47250-100 (Version 02.51)
Defaults
By default, users are permitted VLAN access and assigned security ACLs according to the
VLAN-Name and Filter-Id attributes applied to the users during normal authentication and authorization.
Access
Enabled.
Usage
Only a single location policy is allowed per WSS. The location policy can contain up to 150 rules.
Once configured, the location policy becomes effective immediately. To disable location policy operation, use
the clear location policy command.
Conditions within a rule are ANDed. All conditions in the rule must match in order for WSS Software to take the
specified action. If the location policy contains multiple rules, WSS Software compares the user information to the rules
one at a time, in the order the rules appear in the switch’s configuration file, beginning with the rule at the top of the list.
WSS Software continues comparing until a user matches all conditions in a rule or until there are no more rules.
The order of rules in the location policy is important to ensure users are properly granted or denied access. To position
rules within the location policy, use before rule-number and modify rule-number in the set location policy command,
and the clear location policy rule-number command.
When applying security ACLs:
vlan operator vlan-wildcard
    VLAN-Name attribute assigned by AAA and condition by which to determine if the location policy rule applies.
    Replace operator with one of the following operands:
    eq—Applies the location policy rule to all users assigned VLAN names matching vlan-wildcard.
    neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-wildcard.
    For vlan-wildcard, specify a VLAN name, use the double-asterisk wildcard character (**) to specify all VLAN
    names, or use the single-asterisk wildcard character (*) to specify a set of VLAN names up to or following the
    first delimiter character, either an at sign (@) or a period (.). (For details, see “VLAN Wildcards” on page 13.)
user operator user-wildcard
    Username and condition by which to determine if the location policy rule applies. Replace operator with one of
    the following operands:
    eq—Applies the location policy rule to all usernames matching user-wildcard.
    neq—Applies the location policy rule to all usernames not matching user-wildcard.
    For user-wildcard, specify a username, use the double-asterisk wildcard character (**) to specify all usernames,
    or use the single-asterisk wildcard character (*) to specify a set of usernames up to or following the first
    delimiter character, either an at sign (@) or a period (.). (For details, see “User Wildcards” on page 12.)
before rule-number
    Inserts the new location policy rule in front of another rule in the location policy. Specify the number of the
    existing location policy rule. (To determine the number, use the show location policy command.)
modify rule-number
    Replaces the rule in the location policy with the new rule. Specify the number of the existing location policy
    rule. (To determine the number, use the show location policy command.)
port port-list
    List of physical port(s) by which to determine if the location policy rule applies.
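The rule-evaluation semantics described under Usage (ANDed conditions, first match wins, ordering via before and modify, fallback to the AAA-assigned attributes when nothing matches) and the wildcard forms from the parameter table above are modelled in the following added example. It is illustration code written for this guide, not WSS Software or any Nortel tool, and it makes two labelled assumptions: rule actions are simply "permit" or "deny", and a single asterisk is read as "any run of characters containing no @ or . delimiter", which is our interpretation of "up to or following the first delimiter character". The sample policy and users are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

MAX_RULES = 150  # the guide states a location policy can hold up to 150 rules


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a location-policy wildcard into an anchored regex.

    '**' matches any name at all; a single '*' matches any run of characters
    that contains no delimiter ('@' or '.').  The latter is our assumed reading
    of "up to or following the first delimiter character".
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^@.]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


@dataclass
class Rule:
    action: str                               # assumed: "permit" or "deny"
    vlan: Optional[tuple[str, str]] = None    # (operator, vlan-wildcard)
    user: Optional[tuple[str, str]] = None    # (operator, user-wildcard)
    ports: Optional[frozenset[int]] = None    # port-list, None = any port

    def matches(self, username: str, vlan_name: str, port: int) -> bool:
        # Conditions within a rule are ANDed: every configured one must hold.
        for cond, value in ((self.vlan, vlan_name), (self.user, username)):
            if cond is None:
                continue
            operator, wildcard = cond
            hit = wildcard_to_regex(wildcard).match(value) is not None
            if (operator == "eq") != hit:      # eq needs a hit, neq needs a miss
                return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


class LocationPolicy:
    """One policy per switch; rule numbers are 1-based as in show location policy."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def add(self, rule: Rule, before: int | None = None, modify: int | None = None) -> None:
        if modify is not None:                 # 'modify rule-number': replace in place
            self.rules[modify - 1] = rule
            return
        if len(self.rules) >= MAX_RULES:
            raise ValueError("location policy is limited to %d rules" % MAX_RULES)
        if before is not None:                 # 'before rule-number': insert in front
            self.rules.insert(before - 1, rule)
        else:
            self.rules.append(rule)

    def clear(self, rule_number: int | None = None) -> None:
        # 'clear location policy' removes everything; with a number, one rule.
        if rule_number is None:
            self.rules.clear()
        else:
            del self.rules[rule_number - 1]

    def evaluate(self, username: str, vlan_name: str, port: int):
        # Compare top to bottom and stop at the first rule whose conditions all
        # match.  None means no rule matched, so the user keeps the VLAN-Name and
        # Filter-Id attributes assigned during normal authentication.
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(username, vlan_name, port):
                return number, rule.action
        return None


def build_example_policy() -> LocationPolicy:
    """Constructed sample: deny guest-realm users, permit corp VLANs on ports 1-2."""
    policy = LocationPolicy()
    policy.add(Rule("deny", user=("eq", "*@guest.example.com")))
    policy.add(Rule("permit", vlan=("eq", "corp.*"), ports=frozenset({1, 2})))
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    for who, vlan, port in [("bob@guest.example.com", "corp.hq", 1),
                            ("alice@corp.example.com", "corp.hq", 2),
                            ("alice@corp.example.com", "corp.hq", 5)]:
        print(who, vlan, port, "->", p.evaluate(who, vlan, port))
```

Because evaluation stops at the first match, a broad rule inserted with before 1 shadows every rule beneath it; reviewing the order with show location policy after each before or modify is the practical check that a deny placed for one realm is not being bypassed by a permit above it.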