Preface
- Text Conventions
- Platform-Dependent Conventions
- Providing Feedback to Us
- Getting Help
- Documentation and Training
About This Guide
- ABOUT THIS GUIDE
  - Notational Conventions
Introduction
- WiNG CLI Structure
User Exec Mode Commands
- USER EXEC MODE COMMANDS
  - user-exec-commands
Privileged Exec Mode Commands
- PRIVILEGED EXEC MODE COMMANDS
  - privileged-exec-commands
Global Configuration Mode Commands
- GLOBAL CONFIGURATION COMMANDS
  - global-config-commands
Common Commands
- COMMON COMMANDS
  - common-commands
    - clrscr
    - commit
    - exit
    - help
    - no
    - revert
    - service
    - show
    - write
Show Commands
- SHOW COMMANDS
  - show-commands
    - show
    - adoption
    - bluetooth
    - boot
    - bonjour
    - captive-portal
    - captive-portal-page-upload (show commands)
    - cdp
    - classify-url
    - clock
    - cluster
    - cmp-factory-certs
    - commands
    - context
    - critical-resources
    - crypto
    - database
    - device-upgrade
    - dot1x
    - dpi
    - environmental-sensor
    - event-history
    - event-system-policy
    - ex3500
    - extdev
    - fabric-attach
    - file
    - file-sync
    - firewall
    - global
    - gps (show command)
    - gre
    - guest-registration
    - interface
    - iot-device-type-imagotag
    - ip
    - ip-access-list-stats
    - ipv6
    - ipv6-access-list
    - l2tpv3
    - lacp
    - ldap-agent
    - licenses
    - lldp
    - logging
    - mac-access-list-stats
    - mac-address-table
    - macauth
    - mac-auth-clients
    - mint
    - ntp
    - password-encryption
    - pppoe-client
    - privilege
    - radius
    - reload
    - rf-domain-manager
    - role
    - route-maps
    - rtls
    - running-config
    - session-changes
    - session-config
    - sessions
    - site-config-diff
    - smart-rf
    - snmpv3 (show command)
    - spanning-tree
    - startup-config
    - t5
    - terminal
    - timezone
    - traffic-shape
    - tron (show command)
    - upgrade-status
    - version
    - vrrp
    - virtual-machine
    - wireless
    - web-filter
    - what
    - wwan
Profile Commands
- PROFILES
AAA Policy
- AAA-POLICY
  - aaa-policy-commands
Auto-Provisioning Policy
- AUTO-PROVISIONING-POLICY
  - auto-provisioning-policy-commands
Association-ACL Policy
- ASSOCIATION-ACL-POLICY
  - Association-acl-policy-commands
    - deny
    - permit
    - no
Access-List Policy
- ACCESS-LIST
DHCP Policy
- DHCP-SERVER-POLICY
  - dhcp-server-policy commands
  - dhcpv6-server-policy commands
Firewall Policy
- FIREWALL-POLICY
  - firewall-policy-commands
    - acl-logging
    - alg
    - clamp
    - dhcp-offer-convert
    - dns-snoop
    - firewall
    - flow
    - ip
    - ip-mac
    - ipv6
    - ipv6-mac
    - logging
    - proxy-arp
    - proxy-nd
    - stateful-packet-inspection-12
    - storm-control
    - virtual-defragmentation
    - no
MiNT Policy
- MINT-POLICY
  - mint-policy-commands
    - level
    - lsp
    - mtu
    - router
    - udp
    - no
Management Policy
- MANAGEMENT-POLICY
  - management-policy-commands
RADIUS Policy
- RADIUS-POLICY
  - radius-group
    - guest
    - policy
    - rate-limit
    - no
  - radius-server-policy
    - authentication
    - bypass
    - chase-referral
    - crl-check
    - ldap-agent
    - ldap-group-verification
    - ldap-server
    - local
    - nas
    - proxy
    - session-resumption
    - termination
    - use
    - no
  - radius-user-pool-policy
    - duration
    - user
    - no
Radio QoS Policy
- RADIO-QOS-POLICY
  - radio-qos-policy-commands
Role Policy
- ROLE-POLICY
  - role-policy-commands
Smart-RF Policy
- SMART-RF-POLICY
  - smart-rf-policy commands
WIPS Policy
- WIPS-POLICY
  - wips-policy-commands
WLAN QoS Policy
- WLAN-QOS-POLICY
  - WLAN-QOS-Policy commands
L2TPv3 Policy
- L2TPV3-POLICY
Router Mode Commands
- ROUTER-MODE
  - router-mode-commands
Routing Policy
- ROUTING-POLICY
  - routing-policy-commands
AAA_TACACS Policy
- AAA-TACACS-POLICY
  - aaa-tacacs-policy-commands
Meshpoint Policy
- MESHPOINT
Passpoint Policy
- PASSPOINT POLICY
  - passpoint-policy
Crypto-CMP Policy
- CRYPTO-CMP-POLICY
  - crypto-cmp-policy-instance
  - other-cmp-related-commands
    - use (other-cmp-related-commands)
    - show (other-cmp-related-commands)
Roaming-Assist Policy
- ROAMING ASSIST POLICY
  - roaming-assist-policy commands
Border Gateway Policy
- BORDER GATEWAY PROTOCOL
Controller Managed WLAN Use Case
- CREATING A FIRST CONTROLLER MANAGED WLAN

allowed-locations

Configures an allowed-locations tag and associates locations (RF Domains/sites/tree-node paths) with the tag. In the management policy, create an allowed-locations tag and associate it with a user to restrict the user's access to the locations associated with the tag.

Note

The allowed-locations tag is ONLY applicable to the WiNG 'device-provisioning-admin' user. By applying the allowed-locations tag, the device provisioning user will only be able to provision devices that fall within his/her purview of responsibility.

Note

However, if you are an NSight admin and you are using WiNG 5.9.2 and earlier version, you can apply the Allowed Locations tag for all NSight user roles.

Supported in the following platforms:

Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
Wireless Controller — RFS4010
Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]

Parameters

allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]

allowed-locations <WORD>

Configures a location tag and associates a single or multiple locations (RF Domains/sites/tree-node paths) with the tag

<WORD> – Provide a location tag name not exceeding 32 characters in length. The name should be user-friendly and should easily identify the associated locations.

locations [NONE|ALL| <LIST-OF-LOCATIONS>]

Associates locations with the above created location tag

NONE – Use this option to specify that this allowed-locations tag has no associated locations. Users associated with this location tag will have access to none of the RF Domains/sites/tree-node paths defined within your managed network.
ALL – Use this option to specify that this allowed-locations tag is associated with all locations within your managed network. Users associated with this location tag will have access to all RF Domains/sites/tree-node paths defined within your managed network.
<LIST-OF-LOCATIONS> – Use this option to associate a list of locations with this allowed-locations tag. You can associate a single RF Domain or multiple RF Domains (for example, test1 test2 test3). You can also define the location as a single tree-node path (for example, /US/CA/SJ/Site-1) or multiple tree-node paths (for example, /US/CA/SJ/SJSite-1 /US/CA/LA/LACampus-1).Users associated with this location tag will have access only to RF Domains or sites associated with this tag.

Note:

After configuring the allowed locations tag, use the user command to associate this tag with a device-provisioning-admin user. Once associated, the device-provisioning-admin user will have access only to the RF Domains/sites associated with this tag.

Example

nx9500-6C8809(config-management-policy-test)#allowed-locations TechPubs locations /US/CA/SJ/TechPubs

nx9500-6C8809(config-management-policy-test)#allowed-locations TEST locations NONE

nx9500-6C8809(config-management-policy-test)#show context
management-policy test
 telnet
 no http server
 https server
 ssh
 user admin password 1 superuser role superuser access all
 allowed-location TEST locations NONE
 allowed-location TechPubs locations /US/CA/SJ/TechPubs
nx9500-6C8809(config-management-policy-test)#

An allowed-locations tag can be associated with multiple RF Domains, as shown in the following example:

nx9500-6C8809(config-management-policy-test1)#show context
management-policy test1
 telnet
 no http server
 https server
 ssh
 user admin1 password 1 superuser1 role superuser access all
 user dev-admin1 password 1 dev-admin1 role device-provisioning-admin access all allowed-locations SanJose                                                          e
 allowed-location TEST locations None
 allowed-location TechPubs locations /US/CA/SJ/TechPubs
 allowed-location SanJose locations test1 test2 test3
nx9500-6C8809(config-management-policy-test1)#

An allowed-locations tag can be associated with multiple tree-node paths as shown in the following example:

nx9500-6C8809(config-management-policy-test2)#show context
management-policy test2
 telnet
 no http server
 https server
 ssh
 user admin2 password 1 superuser2 role superuser access all
 user dev-admin2 password 1 dev-admin2 role device-provisioning-admin access allowed-locations California
 allowed-location California locations /US/CA/SJ/SJEngineering /US/CA/LA/LAEngineering
nx9500-6C8809(config-management-policy-test2)#

Note

For more information on configuring tree-node on an RF Domain, refer to tree-node.

Related Commands

no	Removes an allowed-locations configuration

Published August 2019prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback