This section describes the procedure for configuring security settings for employee and voice networks only. For information on guest network configuration, see Captive Portal for Guest Access.
If you are creating a new SSID profile, complete the WLAN Settings and configure VLAN and security parameters before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile, Configuring VLAN Settings for a WLAN SSID Profile, and Configuring Security Settings for a WLAN SSID Profile.
You can configure up to 64 access rules for an employee, voice, or guest network using the Instant UI or CLI.
To configure access rules for an employee or voice network:
1. In the tab, set the slider to any of the following types of access control:
   - Unrestricted— Select this to set unrestricted access to the network.
   - Network-based— Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule:
     a. Click New.
     b. Select appropriate options in the New Rule window.
     c. Click OK.
   - Role-based— Select Role-based to enable access based on user roles. For role-based access control:
     - Create a user role if required. For more information, see Configuring User Roles.
     - Create access rules for a specific user role. For more information, see Configuring Access Rules. You can also configure an access rule to enforce Captive portal authentication for an SSID that is configured to use the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID.
     - Create a role assignment rule. For more information, see Configuring Derivation Rules.
2. Click Finish.
To configure access control rules for a WLAN SSID:
(Instant Access Point)(config)# wlan access-rule <name>
(Instant Access Point)(Access Rule <name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit | deny | src-nat | dst-nat {<IP-address> <port> | <port>}}[<option1....option9>]
(Instant Access Point)(Access Rule <name>)# end
(Instant Access Point)# commit apply
To configure access control based on the SSID:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-by-ssid
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
To configure role assignment rules:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression}<operator><role>|value-of}
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
To configure a pre-authentication role:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-pre-auth <pre-authentication-role>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
To configure machine and user authentication roles:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
To configure unrestricted access:
(Instant Access Point)(config)# wlan ssid-profile <name>
(Instant Access Point)(SSID Profile <name>)# set-role-unrestricted
(Instant Access Point)(SSID Profile <name>)# end
(Instant Access Point)# commit apply
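The following is an added example, not part of the original documentation: a small Python audit that reads a saved configuration and reports access rules that still carry the default allow-any rule, SSID profiles set to unrestricted access, and rule sets above the 64-rule limit. It assumes the saved configuration lists each `wlan access-rule` and `wlan ssid-profile` block with its commands indented beneath it, and that the default rule is stored as `rule any any match any any any permit`; the sample configuration and the `audit` function name are constructed for illustration.

```python
import re

# Constructed sample in the CLI syntax shown on this page; default-rule spelling is an assumption.
SAMPLE_CONFIG = """\
wlan access-rule employee
 rule any any match any any any permit
wlan access-rule voice
 rule 10.20.0.10 255.255.255.255 match 17 5060 5061 permit
 rule any any match 17 53 53 permit
 rule any any match any any any deny
wlan ssid-profile corp
 set-role-by-ssid
wlan ssid-profile lab
 set-role-unrestricted
"""

MAX_RULES = 64  # limit stated on this page
HEADER = re.compile(r"^wlan (access-rule|ssid-profile) (.+?)\s*$")
ALLOW_ALL = ["any", "any", "match", "any", "any", "any", "permit"]


def audit(config_text):
    """Return sorted (block, name, finding) tuples for permissive settings."""
    findings, counts = [], {}
    kind = name = None
    for raw in config_text.splitlines():
        header = HEADER.match(raw)
        if header:
            kind, name = header.groups()
            continue
        if not raw[:1].isspace():  # any other top-level line closes the block
            kind = name = None
            continue
        words = raw.split()
        if kind == "access-rule" and words[:1] == ["rule"]:
            counts[name] = counts.get(name, 0) + 1
            # rule <dest> <mask> <match> <protocol> <start-port> <end-port> <action>
            if words[1:8] == ALLOW_ALL:
                findings.append((kind, name, "allow any to all destinations"))
        elif kind == "ssid-profile" and words == ["set-role-unrestricted"]:
            findings.append((kind, name, "unrestricted access"))
    findings += [("access-rule", n, "more than 64 rules")
                 for n, c in counts.items() if c > MAX_RULES]
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```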