Configuring Access Rules for a WLAN SSID Profile

This section describes the procedure for configuring security settings for Employee and Voice networks only. For information on guest network configuration, see Captive Portal for Guest Access.


If you are creating a new SSID profile, complete the WLAN settings and configure the VLAN and security parameters before defining access rules. For more information, see In the Old WebUI, In the Old WebUI, and Configuring Security Settings for an Employee or Voice Network.

You can configure up to 128 access rules for an Employee, Voice, or Guest network using the Instant UI or the CLI.

In the Old WebUI

To configure access rules for an Employee or Voice network:

1. In the Networks tab, select the network to configure and click edit.

2. Select the Access tab.

3. Select one of the following security levels by moving the slider to the desired level:

Unrestricted—Select this option to set unrestricted access to the network.

Network-based—Select this option to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations.

To define an access rule:

a. Click New.

b. Select appropriate options in the New Rule window.

c. Click OK.

Role-based—Select this option to enable access based on user roles. For role-based access control:

Create a user role if required. For more information, see Configuring User Roles.

Create access rules for a specific user role. For more information, see In the Old WebUI. You can also configure an access rule to enforce captive portal authentication for an SSID that is configured to use the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID.

Create a role assignment rule. For more information, see Configuring Derivation Rules.

Enforce Machine Authentication—Select this check box to assign access rights to clients based on whether the client device supports machine authentication.

4. Click Finish.

In the New WebUI

To configure access rules for an Employee or Voice network:

1. Navigate to the Configuration > Networks page.

2. Under Networks select the network you want to configure and click Edit.

3. Select the Access tab. In the Access Rules drop-down list box, select one of the following types:

Unrestricted—Select this option to set unrestricted access to the network.

Network-based—Select this option to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations.

To define an access rule:

a. Click +.

b. Select appropriate options in the New Rule window.

c. Click OK.

Role-based—Select this option to enable access based on user roles. For role-based access control:

To create a user role, click + in the Roles window. For more information, see Configuring User Roles.

Create access rules for a specific user role. For more information, see In the Old WebUI. You can also configure an access rule to enforce captive portal authentication for an SSID that is configured to use the 802.1X authentication method. For more information, see Configuring Captive Portal Roles for an SSID.

To create a role assignment rule, click + in the Role Assignment Rules window. For more information, see Configuring Derivation Rules.

Enforce Machine Authentication—Enable this toggle switch to assign access rights to clients based on whether the client device supports machine authentication.

4. Click Finish.

In the CLI

To configure access control rules for a WLAN SSID:

(Instant AP)(config)# wlan access-rule <name>

(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat{<IP-address> <port>|<port>}}| app <app> {permit|deny}| appcategory <appgrp>|webcategory <webgrp> {permit|deny}| webreputation <webrep> [<option1....option9>]

To configure access control rules based on the SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role-by-ssid

To configure role assignment rules:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-with|contains|matches-regular-expression}<operator><role>|value-of}

To configure a pre-authentication role:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role-pre-auth <role>

To configure machine and user authentication roles:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>

To configure unrestricted access:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role-unrestricted

Example

The following example configures access rules for the wireless network:

(Instant AP)(config)# wlan access-rule WirelessRule
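To see why rule order matters when you add rules alongside the default "Allow any to all destinations" rule, the following added example (not from the Aruba documentation or the Instant AP firmware) parses rules written in the `rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny}` form shown above and evaluates a flow against them. It assumes top-down, first-match evaluation with an implicit deny when no rule matches; confirm that behaviour against your own firmware before relying on it.

```python
import ipaddress
from typing import List, Optional


class AccessRule:
    """One line of the form: rule <dest> <mask> <match> <proto> <start> <end> {permit|deny}."""

    def __init__(self, dest: str, mask: str, match: str, proto: str,
                 start: str, end: str, action: str) -> None:
        # "any any" means every destination; otherwise build the network from address + mask.
        self.net: Optional[ipaddress.IPv4Network] = (
            None if dest == "any" else ipaddress.IPv4Network(f"{dest}/{mask}", strict=False))
        self.invert = match == "invert"          # "invert" negates the destination test
        self.proto = proto                       # "any", "tcp", "udp", or a protocol number
        # "any any" for the ports means the full range.
        self.start, self.end = (0, 65535) if start == "any" else (int(start), int(end))
        self.action = action

    @classmethod
    def parse(cls, line: str) -> "AccessRule":
        tokens = line.split()
        if len(tokens) != 8 or tokens[0] != "rule" or tokens[7] not in ("permit", "deny"):
            raise ValueError(f"unsupported rule syntax: {line!r}")
        return cls(*tokens[1:])

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        dest_hit = self.net is None or ipaddress.IPv4Address(dst_ip) in self.net
        if self.invert:
            dest_hit = not dest_hit
        proto_hit = self.proto == "any" or self.proto == proto
        return dest_hit and proto_hit and self.start <= port <= self.end


def evaluate(rule_lines: List[str], dst_ip: str, proto: str, port: int) -> str:
    """Return the action of the first matching rule; implicit deny otherwise (assumption)."""
    for rule in (AccessRule.parse(line) for line in rule_lines):
        if rule.matches(dst_ip, proto, port):
            return rule.action
    return "deny"


# Constructed rule set: block SSH into 10.0.0.0/8, then the default allow-all rule.
SSH_DENY_FIRST = [
    "rule 10.0.0.0 255.0.0.0 match tcp 22 22 deny",
    "rule any any match any any any permit",
]
# Same two rules with the default allow-all first: the deny is shadowed and never fires.
SSH_DENY_SHADOWED = list(reversed(SSH_DENY_FIRST))
```

With SSH_DENY_FIRST, an SSH flow to 10.1.2.3 is denied while HTTPS to the same host is permitted; with SSH_DENY_SHADOWED the allow-all rule matches first and the SSH deny is dead configuration.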
