Wireless Access

Hello.

I have associated a web category (adults) control to the user “authenticated”, so users connected via WLAN with that role cannot access such URLs. That WLAN has the profile “my-wlan_aaa_prof”, that include as initial-role “authenticated”.

I want to use the same filter to wired ports.

How can I configure that function? I have read that the ports must be in untrusted mode and the command to assign the profile “my-wlan_aaa_prof”, that include the initial-role “authenticated”, to the wired ports is “aaa authentication wired”.

I have some doubts:

1. Is it possible to assign that profile to specific ports?

2. Is it possible to assign that profile to some ports and another profile to other ports?

3. Should I configure the previous question configuring differents VLANs?

What are the commands or how can I do those things via GUI?

Thanks you very much.

I don't have a 8.6 MM active currently for screen shots, but you are correct that the wired port needs to be untrusted and have a aaa policy applied in order to apply a role. 

Are you wanting to apply policy to the controllers wired ports, or the wired ports on an AP like the 303h?

Thanks for your intereset.

I know how to apply a policie to a port, but I would like to apply all the policies related with a role, in my case the role authenticated, that includes a policie global-sacl, with restritions to some URLs; and the policie allowall.

I have read that I have to make a port untrusted and apply mywlan-aaa_prof, which includes the role authenticated.

I have configured the next:

aaa authentication wired

   profile mywlan-aaa_prof

but all URL are blocked, not only the included in global-sacl.

What am I doing badly?

On other side, is it possible to apply different profiles to different port?

Regards.

You would use different roles to apply different policies. If all users end up in the "authenticated" role, they will share the same set of policies.

For wired users, what authentication method are you using to authenticate your users?

I use WPA2-personal with a passphrase to connect the WLAN, for example, my-wlan. When user connect to this wlan, they get the role "authenticated", with all the policies it implies.

I intended that when you connected a computer to a particular wired port, it had the same policies as the role "authenticated", but no need to authenticate. Perhaps it is not possible.

Is it possible to configure what I want?

Thanks.

Once the user is authenticated with WPA2 and put in the correct user role, they are essentially trusted.

With the wired users, you would want to do wired 802.1X or mac-auth to accomplish the same. The other option would be to trust the port, but then apply the specific firewall policy to the port ... but this would apply a specific policy rather than a user role (combination of policies) to the specific port.

Hello Charlie.

Thanks for your responses, I understand the process.I thought that assigning a profile to a port would mean that the users in that port would have the same role, without the need for authentication. Now, I see that it is necessary any kind of authentication to the user or to the computer.

As I do not want to use any kind of authentication, because it would complicate the use of the network, I will attach a policy specifically created for that purpose. I configured it some days ago and it worked adequately.

Thanks again.