Configuring Access Rules for a Wired Profile

The EthernetEthernet is a network protocol for data transmission over LAN. ports allow third-party devices such as VoIPVoice over IP. VoIP allows transmission of voice and multimedia content over an IP network. phones or printers (that support only wired connections) to connect to the wireless network. You can also configure an ACLAccess Control List. ACL is a common way of restricting certain types of traffic on a physical port. for additional security on the EthernetEthernet is a network protocol for data transmission over LAN. downlink.

 

If you are creating a new wired profile, complete the Wired Settings and configure the VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. and security parameters before defining access rules. For more information, see In the Old WebUI, In the Old WebUI, and Configuring Security Settings for a Wired Employee Network .

You can configure access rules by using the Instant WebUI or the CLICommand-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions..

In the Old WebUI

To configure access rules:

1. On the Access tab, configure the following access rule parameters.

a. Select any of the following types of access control:

Role-based—Allows the users to obtain access based on the roles assigned to them.

Network-based—Allows the users to be authenticated based on access rules specified for a network.

Unrestricted—Allows the users to obtain unrestricted access on the port.

b. If the Role-based access control is selected, perform the following steps:

Under Roles, select an existing role for which you want to apply the access rules, or click New and add the required role. The list of roles defined for all networks is displayed under Roles.

 

The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.

Select the access rule associated with a specific role and modify if required. To add a new access rule, click New in the Access Rules window. You can configure up to 64 access rules. For more information on configuring access rules, see In the Old WebUI.

Configure rules to assign roles for an authenticated client. You can also configure rules to derive VLANsVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. for the wired network profile. For more information on role assignment rules and VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. derivation rules, see Configuring Derivation Rules and In the Old WebUI.

Select the Assign pre-authentication role check box to add a pre-authentication role that allows some access to the users before client authentication.

Select the Enforce Machine Authentication check box, to configure access rights to clients based on whether the client device supports machine authentication. Select the Machine auth only and User auth only rules. Machine Authentication is only supported on Windows devices and devices such as iPads.

 

If Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.

2. Click Finish.

In the New WebUI

To configure access rules:

1. In the Access tab, configure the following access rule parameters.

a. In the Access Rules drop-down list box, select any of the following types of access control:

Role-based—Allows the users to obtain access based on the roles assigned to them.

Network-based—Allows the users to be authenticated based on access rules specified for a network.

Unrestricted—Allows the users to obtain unrestricted access on the port.

b. If the Role-based access control is selected, perform the following steps:

Under Roles, select an existing role for which you want to apply the access rules, or click + and add the required role. The list of roles defined for all networks is displayed under Roles.

 

The default role with the same name as the network is automatically defined for each network. The default roles cannot be modified or deleted.

Select the access rule associated with a specific role and modify if required. To add a new access rule, click + in the Access Rules for <network> window. You can configure up to 64 access rules. For more information on configuring access rules, see In the Old WebUI.

Configure rules to assign roles for an authenticated client. You can also configure rules to derive VLANsVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. for the wired network profile. For more information on role assignment rules and VLANVirtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. derivation rules, see Configuring Derivation Rules and In the Old WebUI.

In the Role Assignment Rules window, click the Enforce Machine Authentication toggle switch to configure access rights to clients based on whether the client device supports machine authentication. Select the Machine auth only and User auth only rules. Machine Authentication is only supported on Windows devices and devices such as iPads.

Toggle the Enforce MAC auth only role switch to specify roles for only MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. authenticated users.

 

If Enforce Machine Authentication is enabled, both the device and the user must be authenticated for the role assignment rule to apply.

2. Click Next.

3. In the Assignment tab, click Finish. For more information, refer to Assigning a Profile to Ethernet Ports

In the CLI

To configure access rules for a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# access-rule-name <name>

To configure role assignment rules:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role <attribute>{{equals|not-equal|starts-with| ends-with|contains|matches-regular-expression}<operator> <role>|value-of}

To configure a pre-authentication role:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role-pre-auth <role>

To configure machine and user authentication roles:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user-only>

To configure unrestricted access:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role-unrestricted

/*]]>*/