About the location policy – 3Com WX4400 3CRWX440095A User Manual

500

C

HAPTER

21: C

ONFIGURING

AAA

FOR

N

ETWORK

U

SERS

About the Location

Policy

Each WX switch can have one location policy. The location policy consists of
a set of rules. Each rule contains conditions, and an action to perform if all
conditions in the rule match. The location policy can contain up to 50 rules.

The action can be one of the following:

„

Deny access to the network

„

Permit access, but set or change the user’s VLAN assignment, inbound
ACL, outbound ACL, or any combination of these attributes

The conditions can be one or more of the following:

„

AAA-assigned VLAN

„

Username

„

MAP access port, Distributed MAP number, or wired authentication
port through which the user accessed the network

„

SSID name with which the user is associated

Conditions within a rule are ANDed. All conditions in the rule must match
in order for MSS to take the specified action. If the location policy
contains multiple rules, MSS compares the user information to the rules
one at a time, in the order the rules appear in the switch’s configuration
file, beginning with the rule at the top of the list. MSS continues
comparing until a user matches all conditions in a rule or until there are
no more rules.

Any authorization attributes not changed by the location policy remain
active.

How the Location

Policy Differs from a

Security ACL

Although structurally similar, the location policy and security ACLs have
different functions. The location policy on a WX switch can be used to
locally redirect a user to a different VLAN or locally control the traffic to
and from a user.

In contrast, security ACLs are packet filters applied to the user throughout
a Mobility Domain. (For more information, see Chapter 19, “Configuring
and Managing Security ACLs,” on page 377.)

You can use the location policy to locally apply a security ACL to a user.