Operation Manual

AAA Commands
9 – 177
Usage
Only a single location policy is allowed per MX switch. The location policy can contain up
to 150 rules. Once configured, the location policy becomes effective immediately. To disable
location policy operation, use the clear location policy command.
Conditions within a rule are AND’ed. All conditions in the rule must match in order for MSS to
take the specified action. If the location policy contains multiple rules, MSS compares the user
information to the rules one at a time, in the order the rules appear in the MX configuration file,
beginning with the rule at the top of the list. MSS continues comparing until a user matches all
conditions in a rule or until there are no more rules.
The order of rules in the location policy is important to ensure users are properly granted or
denied access. To position rules within the location policy, use before rule-number and
modify rule-number in the set location policy command, and the clear location policy
rule-number command.
When applying security ACLs:
Use inacl inacl-name to filter traffic that enters the MX from users via an MP access port or
wired authentication port, or from the network via a network port.
Use outacl outacl-name to filter traffic sent from the switch to users via an MP access port or
wired authentication port, or from the network via a network port.
You can optionally add the suffixes .in and .out to inacl-name and outacl-name so that they
match the names of security ACLs stored in the local MX database.
Examples
The following command denies network access to all users at *.theirfirm.com, causing
them to fail authorization:
MX# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all users who are not at
*.wodefirm.com:
MX# set location policy permit vlan guest_1 if user neq *.wodefirm.com
The following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN instead,
and applies the security ACL tac_24 to the traffic they receive:
MX# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names matching bld4.* and
applies security ACLs svcs_2 to the traffic they send and svcs_3 to the traffic they receive:
MX# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bld4.*
The following command authorizes users entering the network on MX ports 3 through 7 and
port 12 to use the floor2 VLAN, overriding any settings from AAA:
MX# set location policy permit vlan floor2 if port 3-7,12
The following command places all users who are authorized for SSID tempvendor_a into VLAN
kiosk_1:
MX# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
success: change accepted.
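As an added illustration of the evaluation order described under Usage (first matching rule wins, every condition in a rule must match), the following Python simulator parses rules written in the syntax of the examples above and evaluates them against a constructed user session. This is not code from the manual or from MSS; the session fields, the sample user names, and treating MSS wildcards as shell-style globs (fnmatch) are assumptions.

```python
import fnmatch

# Added example, not MSS code: rule text is the part of "set location policy" after the command name.

def parse_ports(spec):
    """Expand a port list such as '3-7,12' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(text):
    """Parse e.g. 'permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com'."""
    action, _, cond = text.partition(" if ")
    words = action.split()
    rule = {"action": words[0], "conds": []}
    rule.update(zip(words[1::2], words[2::2]))      # vlan / inacl / outacl pairs
    toks = cond.split()
    while toks:                                     # every condition is AND'ed
        if toks[0] == "port":
            rule["conds"].append(("port", None, parse_ports(toks[1])))
            toks = toks[2:]
        else:                                       # user | vlan | ssid, eq | neq, glob
            rule["conds"].append((toks[0], toks[1], toks[2]))
            toks = toks[3:]
    return rule

def cond_matches(cond, session):
    """Assumption: MSS '*' wildcards behave like shell globs (fnmatch)."""
    attr, op, val = cond
    if attr == "port":
        return session.get("port") in val
    hit = fnmatch.fnmatchcase(str(session.get(attr, "")), val)
    return hit if op == "eq" else not hit

def evaluate(rules, session):  # first matching rule wins; None means AAA settings stand
    for rule in rules:
        if all(cond_matches(c, session) for c in rule["conds"]):
            return rule
    return None

# The rules from the Examples section, in the order they would appear in the configuration.
PAGE_RULES = [parse_rule(r) for r in (
    "deny if user eq *.theirfirm.com",
    "permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com",
    "permit inacl svcs_2 outacl svcs_3 if vlan eq bld4.*",
    "permit vlan floor2 if port 3-7,12",
    "permit vlan kiosk_1 if ssid eq tempvendor_a",
)]
```

A session for a user at *.theirfirm.com on port 4 is denied by the first rule even though port 4 would match the floor2 rule further down, which is why rule order matters.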
See Also
clear location policy on page 9-153
show location policy on page 9-201
set mac-user
Configures a user profile in the local database on the MX for a user who can authenticate by a
MAC address, and optionally adds the user to a MAC user group.
(To configure a MAC user profile in RADIUS, see the documentation for your RADIUS server.)