
Setting the location policy – 3Com WX4400 3CRWX440095A User Manual


Overriding or Adding Attributes Locally with a Location Policy


Setting the Location Policy

To enable the location policy function on a WX switch, you must create at
least one location policy rule with one of the following commands:

set location policy deny if
{ssid operator ssid-name | vlan operator vlan-glob |
user operator user-glob | port port-list | dap dap-num}
[before rule-number | modify rule-number]

set location policy permit
{vlan vlan-name | inacl inacl-name | outacl outacl-name}
if {ssid operator ssid-name | vlan operator vlan-glob |
user operator user-glob | port port-list | dap dap-num}
[before rule-number | modify rule-number]

Asterisks (wildcards) are not supported in SSID names. You must specify
the complete SSID name.

You must specify whether to permit or deny access, and you must
identify a VLAN, username, or access port to match. Use one of the
following operators to specify how the rule must match the VLAN or
username:

- eq — Applies the location policy rule to all users assigned VLAN
  names matching vlan-glob or having usernames that match user-glob.
  (Like a user glob, a VLAN glob is a way to group VLANs for use in this
  command. For more information, see “VLAN Globs” on page 31.)

- neq — Applies the location policy rule to all users assigned VLAN
  names not matching vlan-glob or having usernames that do not
  match user-glob.

For example, the following command denies network access to all users
matching *.theirfirm.com, causing them to fail authorization:

WX1200# set location policy deny if user eq *.theirfirm.com

The following command authorizes access to the guest_1 VLAN for all
users who do not match *.ourfirm.com:

WX1200# set location policy permit vlan guest_1 if user neq *.ourfirm.com
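
The following Python model is an added example, not part of the 3Com manual; it shows which usernames the two example rules above would catch, including names that a neq rule sweeps into guest_1. It assumes rules are checked in the order entered with the first match winning and that an asterisk matches any run of characters (neither is stated on this page); the function names and sample usernames are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# The two example rules from this page, in the order they appear.
RULES = [
    "set location policy deny if user eq *.theirfirm.com",
    "set location policy permit vlan guest_1 if user neq *.ourfirm.com",
]

# Covers only the user/vlan conditions with eq/neq (no ssid, port or dap).
RULE_RE = re.compile(
    r"set location policy (?P<action>deny|permit)"
    r"(?: (?P<attr>vlan|inacl|outacl) (?P<value>\S+))?"
    r" if (?P<field>user|vlan) (?P<op>eq|neq) (?P<glob>\S+)$"
)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    # permit must carry an attribute to assign; deny must not.
    if m is None or (m["action"] == "permit") != (m["attr"] is not None):
        raise ValueError(f"unsupported rule: {line!r}")
    return m.groupdict()

def rule_matches(rule, session):
    # ASSUMPTION: '*' matches any run of characters, case-sensitively.
    hit = fnmatchcase(session[rule["field"]], rule["glob"])
    return hit if rule["op"] == "eq" else not hit

def evaluate(rules, session):
    """Return (rule number, action, attribute override), or None if no rule matches.
    ASSUMPTION: rules are checked in order and the first match wins."""
    for number, rule in enumerate(map(parse_rule, rules), start=1):
        if rule_matches(rule, session):
            if rule["action"] == "deny":
                return (number, "deny", None)
            return (number, "permit", {rule["attr"]: rule["value"]})
    return None

# Constructed sessions for illustration only.
SESSIONS = [
    {"user": "eve@lab.theirfirm.com", "vlan": "default"},
    {"user": "alice@hq.ourfirm.com", "vlan": "default"},
    {"user": "guest42", "vlan": "default"},
    {"user": "carol@ourfirm.com", "vlan": "default"},  # no ".ourfirm.com" suffix
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["user"], "->", evaluate(RULES, s))
```

Under these assumptions carol@ourfirm.com lands in guest_1 because her name has no dot before ourfirm.com, so it is worth testing a neq glob against real account names before relying on it.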