Product and Software: This article applies to ArubaOS 3.x and later.
It is possible to limit user access depending on the AP to which a user is associated. When configuring a policy for a user-role, there is an option for ap-group. After a policy is configured with the ap-group option, it applies when the user associates to an AP in that group.
If the user moves to an AP in another group, policies applied with the ap-group option no longer apply.
This option is helpful if select groups of users need access only in a certain area.
CLI example:
(wlsw2h) (config) #user-role Guest_Lobby
(wlsw2h) (config-role) #session-acl control ap-group Lobby
If a policy is configured with the ap-group option, the Location column of the access-list in the "show rights <user_role>" output shows the ap-group name; otherwise the column is empty.
show command output with ap-group name:
(wlsw2h) #show rights Guest_Lobby
Derived Role = 'Guest_Lobby'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 51/0
Max Sessions = 65535
access-list List
----------------
Position  Name      Location
--------  ----      --------
1         vpnlogon  Lobby/1
2         Web_Only  Lobby/1
3         control   Lobby/1
........truncated output
show command output with no ap-group name:
(wlsw2h) #show rights logon
Derived Role = 'logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 1/0
Max Sessions = 65535
access-list List
----------------
Position  Name              Location
--------  ----              --------
1         logon-control
2         captiveportal
3         vpnlogon
4         v6-logon-control
........truncated output
You can also configure this option in the WebUI when adding a policy to a user-role.
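The check below is an added example, not part of the original article or of any Aruba tooling: it parses saved "show rights" output and lists the policies in a role whose Location column does not name the expected ap-group, which is a quick way to confirm that a role meant for one area is fully scoped. The sample text is constructed, the function names are hypothetical, and treating the part of Location before "/" as the ap-group name is an assumption drawn from the sample output above.

```python
import re

# Constructed sample in the "show rights" format shown above; policy 3 was
# deliberately left without an ap-group to illustrate the audit.
SAMPLE = """\
Derived Role = 'Guest_Lobby'
ACL Number = 51/0
Max Sessions = 65535
access-list List
----------------
Position Name Location
-------- ---- --------
1 vpnlogon Lobby/1
2 Web_Only Lobby/1
3 control
"""

# One table row: position, policy name, optional Location value.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_rights(text):
    """Return (role, [(position, policy, ap_group_or_None), ...])."""
    role, rows, in_table = None, [], False
    for line in text.splitlines():
        m = re.match(r"\s*Derived Role = '(.*)'", line)
        if m:
            role = m.group(1)
        elif line.split() == ["Position", "Name", "Location"]:
            in_table = True
        elif in_table:
            if set(line.strip()) <= {"-", " "}:  # header underline or blank line
                continue
            r = ROW.match(line)
            if not r:  # e.g. "........truncated output" ends the table
                in_table = False
                continue
            # Assumption: the text before "/" in Location is the ap-group name.
            loc = r.group(3)
            rows.append((int(r.group(1)), r.group(2), loc.split("/")[0] if loc else None))
    return role, rows

def unscoped_policies(text, expected_group):
    """Names of policies in the role that are not tied to expected_group."""
    _, rows = parse_rights(text)
    return [name for _, name, grp in rows if grp != expected_group]

if __name__ == "__main__":
    print(parse_rights(SAMPLE))
    print("not limited to Lobby:", unscoped_policies(SAMPLE, "Lobby"))
```
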