3com WXR100 3CRWXR10095A User Manual
Overriding or Adding Attributes Locally with a Location Policy
501
Setting the Location
Policy
To enable the location policy function on a WX switch, you must create at
least one location policy rule with one of the following commands:
least one location policy rule with one of the following commands:
set location policy deny if
{ssid operator ssid-name | vlan operator vlan-glob | user
operator user-glob | port port-list | dap dap-num} [before
rule-number | modify rule-number]
{ssid operator ssid-name | vlan operator vlan-glob | user
operator user-glob | port port-list | dap dap-num} [before
rule-number | modify rule-number]
set location policy permit
{vlan vlan-name | inacl inacl-name | outacl outacl-name}
if {ssid operator ssid-name | vlan operator vlan-glob | user
operator user-glob | port port-list | dap dap-num}
[before rule-number | modify rule-number]
{vlan vlan-name | inacl inacl-name | outacl outacl-name}
if {ssid operator ssid-name | vlan operator vlan-glob | user
operator user-glob | port port-list | dap dap-num}
[before rule-number | modify rule-number]
Asterisks (wildcards) are not supported in SSID names. You must specify
the complete SSID name.
the complete SSID name.
You must specify whether to permit or deny access, and you must
identify a VLAN, username, or access port to match. Use one of the
following operators to specify how the rule must match the VLAN or
username:
identify a VLAN, username, or access port to match. Use one of the
following operators to specify how the rule must match the VLAN or
username:
eq — Applies the location policy rule to all users assigned VLAN
names matching vlan-glob or having usernames that match user-glob.
names matching vlan-glob or having usernames that match user-glob.
(Like a user glob, a VLAN glob is a way to group VLANs for use in this
command. For more information, see “VLAN Globs” on page 31.)
command. For more information, see “VLAN Globs” on page 31.)
neq — Applies the location policy rule to all users assigned VLAN
names not matching vlan-glob or having usernames that do not
match user-glob.
names not matching vlan-glob or having usernames that do not
match user-glob.
For example, the following command denies network access to all users
matching *.theirfirm.com, causing them to fail authorization:
matching *.theirfirm.com, causing them to fail authorization:
WX1200# set location policy deny if user eq *.theirfirm.com
The following command authorizes access to the guest_1 VLAN for all
users who do not match *.ourfirm.com:
users who do not match *.ourfirm.com:
WX1200# set location policy permit vlan guest_1 if user neq
*.ourfirm.com
*.ourfirm.com