3Com WX4400 3CRWX440095A User Manual


• SSID means the VLAN is set on the roamed-to switch, in the service
  profile for the SSID the user is associated with. (The Vlan-name
  attribute is set by the set service-profile name attr vlan-name
  vlan-id command, entered on the roamed-to switch. The name is the
  name of the service profile for the SSID the user is associated with.)

• As shown in Table 46, even when keep-initial-vlan is set, a user’s
  VLAN can be reassigned by AAA or a location policy.

The keep-initial-vlan option does not apply to Web-Portal clients. Instead,
VLAN assignment for roaming Web-Portal clients automatically works the
same way as when keep-initial-vlan is enabled. The VLAN initially
assigned to a Web-Portal user is not changed except by a location policy,
AAA, or SSID default setting on the roamed-to switch.

To enable keep-initial-vlan, use the following command:

set service-profile name keep-initial-vlan {enable | disable}

Enter this command on the switch that users will roam to.

The following command enables the keep-initial-vlan option on service
profile sp3:

WX1200# set service-profile sp3 keep-initial-vlan enable
success: change accepted.

Overriding or Adding Attributes Locally with a Location Policy

During the login process, the AAA authorization process is started immediately
after clients are authenticated to use the WX switch. During authorization,
MSS assigns the user to a VLAN and applies optional user attributes, such as a
session timeout value and one or more security ACL filters.

A location policy is a set of rules that enables you to locally set or change
authorization attributes for a user after the user is authorized by AAA,
without making changes to the AAA server. For example, you might want
to enforce VLAN membership and security ACL policies on a particular
WX based on a client’s organization or physical location, or assign a
VLAN to users who have no AAA assignment. For these situations, you
can configure the location policy on the switch.

You can use a location policy to locally set or change the Filter-Id and
VLAN-Name authorization attributes obtained from AAA.
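
The following Python model is an added example, not MSS code or part of the original manual. It shows how a location policy can leave a session with a VLAN or ACL that differs from what the AAA server returned, which matters when auditing effective access. The rule format, the glob matching, the "port" field, and first-match ordering are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# The manual names these two as the attributes a location policy can
# set or change after AAA authorization.
OVERRIDABLE = ("VLAN-Name", "Filter-Id")

def apply_location_policy(aaa_attrs, session, rules):
    """Return (effective_attrs, changes) for one authorized session.

    aaa_attrs: attributes returned by AAA (VLAN-Name may be absent).
    session:   client facts, e.g. {"user": ..., "port": ...} (hypothetical).
    rules:     ordered list of {"match": {...}, "set": {...}} (hypothetical).
    """
    effective = dict(aaa_attrs)
    context = {**aaa_attrs, **session}
    changes = []
    for rule in rules:
        # Assumption: each match value is a glob and all keys must match.
        # A missing field is treated as "", so the pattern "" means "unset".
        if all(fnmatchcase(str(context.get(key, "")), pattern)
               for key, pattern in rule["match"].items()):
            for attr, value in rule["set"].items():
                if attr not in OVERRIDABLE:
                    raise ValueError(f"location policy cannot set {attr}")
                old = effective.get(attr)
                if old != value:
                    changes.append((attr, old, value))
                effective[attr] = value
            break  # Assumption: the first matching rule wins.
    return effective, changes

# Constructed sample policy: restrict one organization in one location,
# then give a VLAN to anyone AAA left without one.
RULES = [
    {"match": {"user": "*@contractor.example", "port": "ap-lobby-*"},
     "set": {"VLAN-Name": "guest", "Filter-Id": "lobby-acl.in"}},
    {"match": {"VLAN-Name": ""},
     "set": {"VLAN-Name": "default-users"}},
]

if __name__ == "__main__":
    aaa = {"VLAN-Name": "corp", "Filter-Id": "corp-acl.in",
           "Session-Timeout": 3600}
    who = {"user": "pat@contractor.example", "port": "ap-lobby-2"}
    effective, changes = apply_location_policy(aaa, who, RULES)
    for attr, old, new in changes:
        print(f"{attr}: AAA={old!r} -> effective={new!r}")
```

The returned change list is the part worth logging: it records every session whose enforced VLAN or ACL no longer matches the AAA server's answer.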