Configure Roles and Optional Firewall Rules

Use this procedure to create, modify, or delete Roles for a Wireless Client Roles policy. This procedure also provides instructions on how to configure firewall rules that apply specifically to a Role. Otherwise, you can configure default firewall rules that apply to all Roles.

  1. Choose from the following actions:
    • If you are in the process of configuring a new Wireless Client Roles policy, proceed to the next step.
    • If you want to modify Role Settings or delete a Role associated with a Wireless Client Roles policy, go to Policies > Wireless Client Roles and select the icon adjacent to the target policy. Proceed to the next step.

  2. Select the Roles tab.
  3. Choose from the following actions:
    • Select to create a new Role. Proceed to the next step.
    • From under the Actions column:
      • Select the icon associated with a Role to modify it. Edit the parameters in accordance with the steps in this procedure.
      • Select the icon associated with a Role to delete it.
  4. Configure the General parameters.
  5. After the Role and General parameters have been configured and added, optionally select the icon associated with the newly created Role to configure the parameters under the Firewall Rules tab.

General

  1. If you are creating a new Role, assign it a Role Name that differentiates it from others that have similar properties.
    The Role Name cannot exceed 32 characters. The Role Name cannot be modified as part of the edit process.
  2. In the Role Precedence field, set a numerical precedence value in the range 1–10000.
    Precedence determines the order a role is applied. Roles with lower numbers are applied before those with higher numbers. There is no default precedence for a role, and two or more roles can share the same precedence.
  3. Use the Discovery Policy drop-down menu to specify the Bonjour Gateway.

    Bonjour provides a method to discover services on a LAN. Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.

  4. In the Client Identity field, select the client type to be used as matching criteria within the Wireless Client Roles policy.
    The ExtremeWireless WiNG software provides a set of built-in device fingerprints that load by default and identify client device types. You can create new client identity types or edit existing ones as required, using the CLI command client-identity.
  5. Use the Match Expressions parameters to create filter rules based on AP locations, SSIDs and RADIUS group memberships.
    Table 1. Match Expressions Parameters

    AP Location
    Use the drop-down menu to specify the location of an access point (AP) matched in a Site (RF domain) configuration or the access point's resident configuration. Select one of the following filter options:
    • Any — The role is applied to any AP location. This is the default setting.
    • Exact — The role is applied only to APs with the exact location string specified here.
    • Contains — The role is applied only to APs whose location contains the location string specified here.
    • Does Not Contain — The role is applied only to APs whose location does not contain the location string specified here.

    SSID Configuration
    Use the drop-down menu to define a wireless client filter option based on how the SSID is specified in a WLAN. Select one of the following options:
    • Any — The role is applied to any SSID Location. This is the default setting.
    • Exact — The role is applied only when the exact SSID string is specified here.
    • Contains — The role is applied only when the SSID contains the string specified here.
    • Does Not Contain — The role is applied when the SSID does not contain the string specified here.

    Group Configuration
    Use the drop-down menu to define a wireless client filter option based on how the RADIUS group name matches the provided expression. Select one of the following options:
    • Any — The role is applied to any RADIUS Group Name. This is the default setting.
    • Exact — The role is applied only when the exact RADIUS Group Name string is specified here.
    • Contains — The role is applied when the RADIUS Group Name contains the string specified here.
    • Does Not Contain — The role is applied when the RADIUS Group Name does not contain the string specified here.

    RADIUS User
    Use the drop-down menu to define a filter option based on how the RADIUS user name (1–255 characters in length) matches the provided expression. Select one of the following options:
    • Any — The role is applied to any RADIUS user name. This is the default setting.
    • Exact — The role is applied only when the exact RADIUS user string is specified here.
    • Contains — The role is applied when the RADIUS user contains the string specified here.
    • Does Not Contain — The role is applied when the RADIUS user does not contain the string specified here.
    • Starts With — The role is applied when the RADIUS user starts with the string specified here.
    • Ends With — The role is applied when the RADIUS user ends with the string specified here.
  6. Use the Wireless Client Filter parameter to define a wireless client MAC address filter to be applied to this Role.
    The default value Any allows any MAC or MAC Mask address. Disable this parameter to specify a MAC or MAC Mask address.
  7. Set the Captive Portal Connection parameter to define at what point wireless clients making a captive portal authentication request are authenticated.

    Secure guest access is referred to as a captive portal. A captive portal is a guest access policy for providing temporary and restrictive access to the wireless network. Existing captive portal policies can be applied to a WLAN to provide secure guest access.

    Use the drop-down menu to select from the following options:

    • Select Any (default) to specify no distinction on whether authentication is conducted before or after the client has logged in.
    • Select Pre-Login to conduct captive portal client authentication before the client is logged in.
    • Select Post-Login to have the client share authentication credentials after it has logged into the network.
  8. Use the Authentication / Encryption field to set the authentication and encryption filters applied to this wireless client role.

    The options for both Authentication and Encryption are as follows:

    • Any (default) — Select to specify that this Role allows any authentication or encryption type.
    • Equals — Select to specify that this Role is applied only when the authentication and encryption types match the exact method(s) specified by your selections. Options include:
      • Authentication
        • None
        • EAP
        • MAC
        • Kerberos
      • Encryption
        • None
        • CCMP
        • TKIP
        • WEP128
        • WEP64
        • Keyguard
    • Not Equals — Select to specify that this Role is applied only when the authentication and encryption type does not match the exact method(s) specified by your selections. Options are as described above.
  9. Select the icon adjacent to LDAP Attributes to expand the display and configure related parameters.
    The following filter criteria apply to each LDAP attribute:
    Any
    Select to specify that this Role is to be applied to any LDAP attribute. This is the default setting.
    Exact
    Select to specify that this Role is to be applied only when the LDAP attribute matches the exact string specified here.
    Contains
    Select to specify that this Role is to be applied only when the LDAP attribute contains the string specified here.
    Does Not Contain
    Select to specify that this Role is to be applied only when the LDAP attribute does not contain the string specified here.

    If you select Exact, Contains, or Does Not Contain criteria, follow the guidelines in LDAP Attributes for Role Filtering to specify LDAP attributes. This Role is applied if the LDAP attributes match your specifications.

    Table 2. LDAP Attributes for Role Filtering

    City
    Enter the name (2–31 characters) of the city.
    Company
    Enter the name (2–31 characters) of the organizational company.
    Country
    Enter the name (2–31 characters) of the country.
    Department
    Enter the name (2–31 characters) of the organizational department.
    Email
    Enter the Email address (2–31 characters).
    Employee Id
    Enter the employee ID (2–31 characters).
    State
    Enter the name of the state (2–31 characters).
    Title
    Enter the name of the job or organizational title (2–31 characters).
    Member Of
    Enter a description of the group membership (up to 64 characters).
  10. Select Add to save settings for new configurations, or select Update to save modified settings for existing configurations.
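The following is an added example, not Extreme Networks or WiNG code, that models how the General parameters above combine to select a Role for a client: the Match Expressions operators (Any, Exact, Contains, Does Not Contain, and Starts With / Ends With for the RADIUS user), the MAC/MAC Mask Wireless Client Filter, the Authentication / Encryption filter, and the precedence rule that lower numbers are applied first. Two things are assumptions rather than documented behaviour: that the lowest-precedence matching role is the one applied, and that a tie between matching roles sharing a precedence should be surfaced (the page says roles may share a precedence but not how such a tie is resolved). All role names, SSIDs, locations and the printer OUI are constructed sample data.

```python
# Added example, not Extreme Networks / WiNG code: a model of how the General
# parameters select a Role for a client. Assumptions (labelled): the matching
# role with the lowest precedence number wins; because the page says roles may
# share a precedence but not how a tie is resolved, ties are reported.
from dataclasses import dataclass
from typing import List, Optional, Tuple

def match_text(op: str, pattern: str, value: str) -> bool:
    """Operators from the Match Expressions table (Starts/Ends With: RADIUS user only)."""
    ops = {
        "any": lambda: True,
        "exact": lambda: value == pattern,
        "contains": lambda: pattern in value,
        "does-not-contain": lambda: pattern not in value,
        "starts-with": lambda: value.startswith(pattern),
        "ends-with": lambda: value.endswith(pattern),
    }
    return ops[op]()

def match_method(spec: Tuple[str, set], value: str) -> bool:
    """Authentication / Encryption filter: Any, Equals or Not Equals a set of types."""
    op, methods = spec
    return {"any": True, "equals": value in methods, "not-equals": value not in methods}[op]

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def match_mac(filter_spec: Optional[Tuple[str, str]], client_mac: str) -> bool:
    """Wireless Client Filter: None = Any; else (mac, mask) where 1-bits of mask must match."""
    if filter_spec is None:
        return True
    mac, mask = (mac_to_int(x) for x in filter_spec)
    return (mac_to_int(client_mac) & mask) == (mac & mask)

@dataclass
class Role:
    name: str
    precedence: int
    ap_location: Tuple[str, str] = ("any", "")
    ssid: Tuple[str, str] = ("any", "")
    radius_group: Tuple[str, str] = ("any", "")
    radius_user: Tuple[str, str] = ("any", "")
    mac_filter: Optional[Tuple[str, str]] = None
    auth: Tuple[str, set] = ("any", frozenset())
    encryption: Tuple[str, set] = ("any", frozenset())

    def __post_init__(self):
        # Limits stated in the General steps: name <= 32 characters, precedence 1-10000.
        if len(self.name) > 32 or not 1 <= self.precedence <= 10000:
            raise ValueError(f"invalid role {self.name!r}")

@dataclass
class Client:
    ap_location: str
    ssid: str
    radius_group: str = ""
    radius_user: str = ""
    mac: str = "00:00:00:00:00:00"
    auth: str = "none"
    encryption: str = "none"

def role_matches(r: Role, c: Client) -> bool:
    return (match_text(*r.ap_location, c.ap_location)
            and match_text(*r.ssid, c.ssid)
            and match_text(*r.radius_group, c.radius_group)
            and match_text(*r.radius_user, c.radius_user)
            and match_mac(r.mac_filter, c.mac)
            and match_method(r.auth, c.auth)
            and match_method(r.encryption, c.encryption))

def select_role(roles: List[Role], c: Client) -> Tuple[Optional[str], List[str]]:
    """Return (winning role name, names of other matching roles sharing its precedence)."""
    hits = [r for r in sorted(roles, key=lambda r: r.precedence) if role_matches(r, c)]
    if not hits:
        return None, []
    ties = [r.name for r in hits[1:] if r.precedence == hits[0].precedence]
    return hits[0].name, ties

# Constructed sample policy (hypothetical role names, SSIDs, locations and OUI).
SAMPLE_ROLES = [
    Role("PRINTERS", 5, mac_filter=("AA:BB:CC:00:00:00", "FF:FF:FF:00:00:00")),
    Role("CORP", 10, ssid=("exact", "corp"),
         auth=("equals", {"eap"}), encryption=("equals", {"ccmp"})),
    Role("GUEST_LOBBY", 20, ssid=("contains", "guest"), ap_location=("contains", "lobby")),
    Role("CONTRACTOR", 20, radius_group=("exact", "contractors")),
    Role("DEFAULT", 10000),
]

if __name__ == "__main__":
    lobby_contractor = Client("lobby-1", "guest-wifi", radius_group="contractors")
    print(select_role(SAMPLE_ROLES, lobby_contractor))  # ('GUEST_LOBBY', ['CONTRACTOR'])
```

The contractor-in-the-lobby case is the one worth noticing when you assign precedence values: GUEST_LOBBY and CONTRACTOR both match and both carry precedence 20, so which role the client ends up in depends on something other than the precedence you configured. Giving every role a distinct precedence removes that ambiguity.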

Firewall Rules

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as a mechanism that both blocks and permits data traffic based on inbound and outbound IP and MAC rules.

IP-based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.

Additionally, administrators can filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny, or mark designation to packet traffic.

Use this procedure to configure Firewall Rules to apply specifically to this Role.

Note

To configure rules that apply to all Roles, see Configure Default Firewall Rules.
  1. Select the Firewall Rules tab to set Inbound and Outbound IP and MAC Firewall rules.
  2. Set the VLAN ID to a value in the range 1–4094 representing the VLAN used by clients matching the IP or MAC inbound and outbound rules of this policy.
  3. Select the appropriate Application Policy to use with this firewall rule.
    An application policy defines the rules or actions executed on recognized HTTP (Facebook), enterprise (Webex), and peer-to-peer (gaming) applications or application-categories.
  4. Under the IP Inbound or IP Outbound panes:
    1. Select Add.
    2. Choose an IP Firewall Rules Name using the drop-down menu.
    3. Assign the rule Precedence using the spinner control.
      Rules with lower precedence are always applied first to packets.

    Select to remove IP firewall rules.

    If no IP Inbound or Outbound firewall ACL exists, follow the instructions in IPv4 ACL Policy to create one.

  5. Under the IPv6 Inbound or IPv6 Outbound panes:
    1. Select Add.
    2. Choose an IP Firewall Rules Name using the drop-down menu.
    3. Assign the rule Precedence using the spinner control.
      Rules with lower precedence are always applied first to packets.

    Select to remove IP firewall rules.

    If no IPv6 Inbound or Outbound firewall ACL exists, follow the instructions in the latest version of the Wireless Controller, Service Platform and Access Point CLI Reference Guide to create one.

  6. Under the MAC Inbound or MAC Outbound panes:
    1. Select Add.
    2. Choose a MAC Firewall Rules Name using the drop-down menu.
    3. Assign the rule Precedence using the spinner control.
      Rules with lower precedence are always applied first to packets.

    Select to remove MAC firewall rules.

    If no MAC Inbound or Outbound firewall ACL exists, follow the instructions in MAC ACL Firewall Policy to create one.

  7. After you have completed configuring the settings, choose from the following actions:
    1. Select Revert to restore default settings or restore the last saved settings.
      Note

      You cannot restore default settings after applying or saving changes.
    2. Select Apply to commit the configured settings.
      Note

      This does not permanently save the settings you configured. If you perform a Reload (warm reboot), applied settings will be lost.
    3. Select Save to commit and save the configured settings.
      Note

      If you do not select Apply or Save, the settings that you configured are not saved when you move away from the configuration window.
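The following is an added example, not Extreme Networks or WiNG code, showing why the rule precedence assigned in the IP Inbound / IP Outbound steps above matters: the ACLs attached to a Role are walked in precedence order (lower number first, as the steps state), and a broad rule attached at a low precedence silently shadows every narrower rule attached after it. The example evaluates a packet against a role's inbound ACL set and also lints the set for shadowed rules, which is the check to run before attaching a permit-all ACL. Three behaviours are assumptions rather than anything the page documents: rules within one ACL are evaluated top to bottom, the first matching rule decides, and a packet matching no rule is denied. ACL names, addresses and ports are constructed sample data.

```python
# Added example, not Extreme Networks / WiNG code: evaluate the IP ACLs
# attached to a Role in precedence order and detect shadowed rules.
# Assumptions (labelled): top-to-bottom order inside an ACL, first match wins,
# and an implicit deny when nothing matches. Verify these against your platform.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit", "deny" or "mark"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str = "any"           # "any", "tcp", "udp", "icmp"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

    def shadows(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

Attachment = Tuple[int, str]     # (precedence, ACL name) as set under the IP Inbound pane

def ordered_rules(attachments: List[Attachment], acls: Dict[str, List[Rule]]):
    """Flatten attached ACLs into evaluation order: lower precedence first,
    then top to bottom within each ACL (the within-ACL order is an assumption)."""
    out = []
    for prec, name in sorted(attachments, key=lambda a: a[0]):
        for idx, rule in enumerate(acls[name]):
            out.append((name, idx, rule))
    return out

def evaluate(attachments, acls, pkt) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (action, ACL name, rule index) of the first matching rule."""
    for name, idx, rule in ordered_rules(attachments, acls):
        if rule.matches(pkt):
            return rule.action, name, idx
    return "deny", None, None     # implicit deny: an assumption, not a documented default

def shadowed_rules(attachments, acls) -> List[Tuple[str, int]]:
    """Rules that can never match because an earlier rule covers all their traffic."""
    seq = ordered_rules(attachments, acls)
    found = []
    for i, (name, idx, rule) in enumerate(seq):
        if any(earlier.shadows(rule) for _, _, earlier in seq[:i]):
            found.append((name, idx))
    return found

# Constructed sample data: a guest role that may reach only the DNS server inside 10/8.
ACLS = {
    "GUEST-DNS": [Rule("permit", "0.0.0.0/0", "10.10.0.53/32", "udp", 53)],
    "GUEST-RESTRICT": [Rule("deny", "0.0.0.0/0", "10.0.0.0/8"),
                       Rule("permit", "0.0.0.0/0", "0.0.0.0/0")],
    "PERMIT-ALL": [Rule("permit", "0.0.0.0/0", "0.0.0.0/0")],
}
GOOD_INBOUND = [(10, "GUEST-DNS"), (20, "GUEST-RESTRICT")]
BAD_INBOUND = [(5, "PERMIT-ALL"), (10, "GUEST-DNS"), (20, "GUEST-RESTRICT")]
SMB_TO_SERVER = {"src": "10.10.200.7", "dst": "10.10.1.5", "proto": "tcp", "dport": 445}
DNS_QUERY = {"src": "10.10.200.7", "dst": "10.10.0.53", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    print(evaluate(GOOD_INBOUND, ACLS, SMB_TO_SERVER))   # ('deny', 'GUEST-RESTRICT', 0)
    print(evaluate(BAD_INBOUND, ACLS, SMB_TO_SERVER))    # ('permit', 'PERMIT-ALL', 0)
    print(shadowed_rules(BAD_INBOUND, ACLS))             # every GUEST-* rule is dead
```

With GOOD_INBOUND the deny for 10.0.0.0/8 is reached for internal traffic and only the DNS exception at precedence 10 is applied first. Attaching PERMIT-ALL at precedence 5, as in BAD_INBOUND, does not produce an error in the UI; it simply makes the other two ACLs unreachable, which is exactly what shadowed_rules reports.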