You can configure up to 128 access rules for guest user roles through the Instant UI or the CLI.
In the Instant UI
To configure roles and access rules for the guest network:
1. On the
Access Rules
tab, set the slider to any of the following types of access control:
l
Unrestricted
—Select this to set unrestricted access to the network.
l
Network-based
—Set the slider to
Network-based
to set common rules for all users in a network. The
Allow any to all destinations
access rule is enabled by default. This rule allows traffic to all
destinations. To define an access rule:
a. Click
New
.
b. Select appropriate options in the
New Rule
window.
c. Click
OK
.
l
Role-based
—Select
Role-based
to enable access based on user roles.
For role-based access control:
n
Create a user role if required. For more information, see
.
n
Create access rules for a specific user role. For more information, see
. You can also configure an access rule to enforce captive portal
authentication for an SSID with the 802.1X authentication method. For more information, see
Configuring Captive Portal Roles for an SSID on page 138
n
Create a role assignment rule. For more information, see
Configuring Derivation Rules on page 201
Instant supports role derivation based on the DHCP option for captive portal authentication. When
the captive portal authentication is successful, a new user role is assigned to the guest users based on
DHCP option configured for the SSID profile instead of the pre-authenticated role.
2. Click
Finish
.
In the CLI
To configure access control rules for a WLAN SSID:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# rule <dest> <mask> <match> {<protocol> <start-port> <end-
port> {permit|deny|src-nat|dst-nat{<IP-address> <port>|<port>}}| app <app> {permit|deny}|
appcategory <appgrp>|webcategory <webgrp> {permit|deny}|webreputation <webrep>
[<option1....option9>]
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To configure access control rules based on the SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-by-ssid
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure role assignment rules:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role <attribute>{{equals|not-equals|starts-with|ends-
with|contains|matches-regular-expression}<operator><role>|value-of}
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure a pre-authentication role:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-pre-auth <role>
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Captive Portal for Guest Access |
137