Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Configuring ACLs on IAPs for Website Content Classification
You can configure web policy enforcement on an access point to block certain categories of websites based on your organization's specifications by defining ACL (Access Control List) rules. An ACL is a common way of restricting certain types of traffic on a physical port.
To configure ACLs for website content classification, complete the following steps:
- In the WebUI, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
- Under , click .
- Click the icon.
The tabs to configure the APs are displayed.
- Click .
- Click the Security tab.
- Under , select the role to modify.
- Under , click to add a new rule.
The Access Rule window is displayed.
- Under , select .
- Configure the following on the Access Rule window.
- To set an access policy based on web categories:
- Under , select .
- Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option.
- Under , select or .
- Click to save the rules.
- To filter access based on the security ratings of the website:
- Select under .
- Move the slider to select a specific web reputation value to deny access to websites with a reputation value lower than or equal to the configured value or to permit access to websites with a reputation value higher than or equal to the configured value. The following options are available:
- —These are well known sites with strong security practices and may not expose the user to security risks. There is a very low probability that the user will be exposed to malicious links or payloads.
- —These are benign sites and may not expose the user to security risks. There is a low probability that the user will be exposed to malicious links or payloads.
- —These are generally benign sites, but may pose a security risk. There is some probability that the user will be exposed to malicious links or payloads.
- —These are suspicious sites. There is a higher than average probability that the user will be exposed to malicious links or payloads.
- —These are high risk sites. There is a high probability that the user will be exposed to malicious links or payloads.
- Under , select or as required.
- To set a bandwidth limit based on web category or web reputation score, select the check box and specify the downstream and upstream rates in Kbps. For example, you can set a higher bandwidth for trusted sites and a low bandwidth rate for high risk sites.
- If required, select the following check boxes:
- —Select this check box if you want a log entry to be created when this rule is triggered. HPE Aruba Networking Central supports firewall-based logging. Firewall logs on the IAPs are generated as security logs. A firewall is a network security system used for preventing unauthorized access to or from a private network.
- —Select this check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as on the pane of the window. For more information, see Denylisting IAP Clients.
- —Select this check box to disable ARM (Adaptive Radio Management) scanning when this rule is triggered. The selection of the applies only if ARM scanning is enabled. For more information, see Configuring Radio Parameters. ARM dynamically monitors and adjusts the network to ensure that all users are allowed ready access. It enables full utilization of the available spectrum to support the maximum number of users by intelligently choosing the best RF channel and transmit power for APs in their current RF environment.
- —Select this check box to add a DSCP (Differentiated Services Code Point) tag to the rule. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. It is an L3 mechanism for classifying and managing network traffic and providing QoS (Quality of Service) on the network. QoS refers to the capability of a network to provide better service and performance to a specific network traffic over various technologies. To assign a higher priority, specify a higher value.
- —Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
- Time Range—Select this check box to add a time range profile and control the user access to the network during a specific time period.
For more information, see Configuring Time-Based Services for Wireless Network Profiles.
- Click to save the rules.
- Click in the page to save the changes to the role for which you defined ACL rules.
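The reputation step above uses a threshold in both directions (deny at or below the configured value, permit at or above it), so a role with one deny rule and one permit rule can leave a tier matched by neither. The following is an added example, not HPE Aruba Networking code, that models this to check a planned rule set before entering it in the WebUI. The tier names are this example's own, taken from the five descriptions in the list, and first-match rule ordering is an assumption of the model.

```python
from enum import IntEnum

# Tier names are this example's own, derived from the descriptions in the
# procedure (not the UI labels). Higher value = better reputation.
class Rep(IntEnum):
    HIGH_RISK = 1
    SUSPICIOUS = 2
    GENERALLY_BENIGN = 3
    BENIGN = 4
    WELL_KNOWN = 5

def matches(action, threshold, site_rep):
    """Threshold semantics from the procedure: a deny rule covers sites at or
    below the configured value, a permit rule covers sites at or above it."""
    if action == "deny":
        return site_rep <= threshold
    if action == "permit":
        return site_rep >= threshold
    raise ValueError(f"unknown action: {action!r}")

def effective_actions(rules):
    """Map every tier to the action of the first matching rule, or None when
    no rule covers it. First-match ordering is an assumption of this model."""
    result = {}
    for tier in Rep:
        result[tier] = next(
            (action for action, threshold in rules
             if matches(action, threshold, tier)),
            None,
        )
    return result

def uncovered(rules):
    """Tiers that fall through every reputation rule in the role."""
    return [t for t, action in effective_actions(rules).items() if action is None]

# Constructed rule set: deny suspicious and worse, permit benign and better.
SAMPLE_RULES = [("deny", Rep.SUSPICIOUS), ("permit", Rep.BENIGN)]

if __name__ == "__main__":
    for tier, action in effective_actions(SAMPLE_RULES).items():
        print(f"{tier.name:<17} {action or 'no reputation rule matches'}")
    print("uncovered:", [t.name for t in uncovered(SAMPLE_RULES)])
```

Traffic to a tier reported as uncovered is decided by whatever other rules the role contains, so either move one threshold to close the gap or confirm that the remaining rules handle it as intended.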
In groups with mixed versions, the application rule update is supported only at the VC level and not at the group level. If you have a group with multiple IAPs running 6.2.1.0-4.0 and you upgrade one or more VCs to 6.2.1.0-4.1, you can configure application rules at the VC level, but not at the group level. To use application rules at the group level, create a new group and move the IAPs running 6.2.1.0-4.1 to the newly created group. If application rules are configured in this group, ensure that IAPs with versions lower than 6.2.1.0-4.1 are not moved to that group.
The following animation shows you how to configure roles on APs for website content classification.