Configuring Access Rules for a WLAN SSID Profile
The following procedure configures access rule settings for Employee and Voice networks only. If you are creating a new SSID (Service Set Identifier) profile, complete configuring the WLAN (Wireless Local Area Network) settings, VLAN (Virtual Local Area Network) settings, and security settings, before defining access rules. For more information, see Configuring WLAN Settings for an SSID Profile, Configuring VLAN Settings for a WLAN SSID Profile, and Configuring Security Settings for a WLAN SSID Profile.
You can configure up to 128 access rules for an Employee, Voice, or Guest network using the Instant WebUI or the CLI (command-line interface).
The following procedure describes how to configure access rules on an Instant AP:
- Navigate to Networks. >
- Under , select the network you want to configure and click .
- Select tab. In the drop-down list, select one of the following types:
  - Unrestricted—Select this option to set unrestricted access to the network.
  - Network-based—Select this option to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations.
    - To define an access rule:
      - Click +.
      - Select appropriate options in the New Rule window.
      - Click OK.
  - Role-based—Select this option to enable access based on user roles. For role-based access control:
    - Create a user role if required. For more information, see Configuring User Roles.
    - Create access rules for a specific user role. For more information, see Configuring ACL Rules for Network Services. You can also configure an access rule to enforce captive portal authentication for an SSID that is configured to use the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID.
    - Create a role assignment rule. For more information, see Configuring Derivation Rules.
    - Enforce Machine Authentication—Select this check box to configure access rights to clients based on whether the client device supports machine authentication.
- Click Finish.
The following command configures access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat{<IP-address> <port>|<port>}}| app <app> {permit|deny}| appcategory <appgrp>|webcategory <webgrp> {permit|deny}| webreputation <webrep> [<option1....option9>]
The following command configures access control rules based on the SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-by-ssid
The following command configures role assignment rules:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression}<operator><role>|value-of}
The following command configures a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-pre-auth <role>
The following command configures machine and user authentication roles:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>
The following command configures unrestricted access:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-unrestricted
The following example configures access rules for a wireless network:
(Instant AP)(config)# wlan access-rule WirelessRule
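The following is an added example, not part of the HPE Aruba Networking documentation: a Python check that reads a saved configuration and reports access-rule sets that still contain the allow-any-to-all rule, SSID profiles set to unrestricted access, and rule sets above the 128-rule limit, for use on a generated configuration before it is applied. The sample configuration is constructed, and its layout (one-space indentation, `rule any any match any any any permit` as the stored form of the default rule) is an assumption based on the command syntax shown above.

```python
import re

MAX_RULES = 128  # per-network limit stated on this page

# Constructed configuration excerpt (not from a real device); layout is assumed.
SAMPLE_CONFIG = """\
wlan access-rule Employee
 rule any any match any any any permit
wlan access-rule Voice
 rule 10.10.20.0 255.255.255.0 match udp 5060 5061 permit
 rule any any match any any any deny
wlan ssid-profile Employee
 set-role-unrestricted
wlan ssid-profile Voice
 set-role-pre-auth Voice
"""

BLOCK = re.compile(r"wlan (access-rule|ssid-profile) (\S+)\s*$")
ALLOW_ALL = re.compile(r"rule any any match any any any permit\b")


def audit(config: str) -> list[str]:
    """Return findings for wlan access-rule and wlan ssid-profile blocks."""
    findings, counts = [], {}
    kind = name = None
    for raw in config.splitlines():
        header = BLOCK.match(raw)
        if header:
            kind, name = header.groups()
            continue
        if not raw.startswith(" "):  # any other top-level line ends the block
            kind = name = None
            continue
        line = raw.strip()
        if kind == "access-rule" and line.startswith("rule "):
            counts[name] = counts.get(name, 0) + 1
            if ALLOW_ALL.match(line):
                findings.append(f"{name}: allow-any-to-all rule present")
        elif kind == "ssid-profile" and line == "set-role-unrestricted":
            findings.append(f"{name}: SSID uses unrestricted access")
    for rule_set, n in counts.items():
        if n > MAX_RULES:
            findings.append(f"{rule_set}: {n} rules exceeds limit of {MAX_RULES}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```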