Controller Based WLANs

How do I limit user access based on the AP to which the user is associated?

by on ‎07-06-2014 07:58 AM

Product and Software: This article applies to ArubaOS 3.x and later.

It is possible to limit user access depending on the AP to which a user is associated. When configuring a policy for a user-role, there is an option for ap-group. After a policy is configured with the ap-group option, it applies when the user associates to an AP in that group.

If the user moves to an AP in another group, policies applied with the ap-group option no longer apply.

This option is helpful if select groups of users need access only in a certain area.

CLI example:

(wlsw2h) (config) #user-role Guest_Lobby

(wlsw2h) (config-role) #session-acl control ap-group Lobby

When a policy is configured with the ap-group option, the Location column of the access-list in the "show rights <user_role>" output shows the ap-group name; otherwise the column is empty.

show command output with ap-group name:

(wlsw2h) #show rights Guest_Lobby

Derived Role = 'Guest_Lobby'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 51/0
Max Sessions = 65535


access-list List
----------------
Position  Name      Location
--------  ----      --------
1         vpnlogon  Lobby/1
2         Web_Only  Lobby/1
3         control   Lobby/1

........truncated output

show command output with no ap-group name:

(wlsw2h) #show rights logon

Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535


access-list List
----------------
Position  Name              Location
--------  ----              --------
1         logon-control
2         captiveportal
3         vpnlogon
4         v6-logon-control

........truncated output

You can also configure this option in the WebUI when adding a policy to a user-role, as shown here:

[Screenshot: Policy_with_AP-Group.jpg]
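To verify that every policy in a role is actually restricted to the intended ap-group, the Location column of the "show rights" output can be checked in a script. The following Python is an added example, not part of the original article or of any Aruba tooling; the function names are hypothetical, the sample text is constructed in the format shown above, and it assumes the ap-group name is the part of Location before the "/".

```python
import re

# Constructed sample in the "show rights" format shown in this article;
# Web_Only deliberately has no Location so the audit has something to report.
SAMPLE = """\
Derived Role = 'Guest_Lobby'
ACL Number = 51/0

access-list List
----------------
Position Name Location
-------- ---- --------
1 vpnlogon Lobby/1
2 Web_Only
3 control Lobby/1

........truncated output
"""

# A table row: position, ACL name, optional Location.
ROW = re.compile(r"^(\d+)\s+(\S+)(?:\s+(\S+))?$")

def parse_access_list(text):
    """Return (role, [(position, acl_name, location_or_None), ...])."""
    role, rows, in_table = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Derived Role = '(.+)'", line)
        if m:
            role = m.group(1)
        elif line == "access-list List":
            in_table = True
        elif in_table:
            row = ROW.match(line)
            if row:
                rows.append((int(row.group(1)), row.group(2), row.group(3)))
            elif rows:  # first non-row line after the rows ends the table
                break
    return role, rows

def audit(text, expected_group):
    """List ACLs in the role that are not restricted to expected_group."""
    role, rows = parse_access_list(text)
    findings = []
    for pos, name, location in rows:
        # Assumption: ap-group name is the Location text before "/".
        group = location.split("/")[0] if location else None
        if group != expected_group:
            findings.append((pos, name, group))
    return role, findings
```

Calling `audit(SAMPLE, "Lobby")` returns the role name and the policies with an empty or different Location, which are the ones not tied to the Lobby ap-group.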
