use (wlan-config-mode)

This command associates an existing captive portal and other policies with a WLAN.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

use [aaa-policy|application-policy|association-acl-policy|bonjour-gw-discovery-policy|
captive-portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|
purview-application-policy|roaming-assist-policy|url-filter|wlan-qos-policy]
use [aaa-policy <AAA-POLICY-NAME>|application-policy <APP-POLICY-NAME>|
association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|
captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|
purview-application-policy <POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|
url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

Parameters

use [aaa-policy <AAA-POLICY-NAME>|application-policy <APP-POLICY-NAME>|
association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|
captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|
purview-application-policy <POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|
url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]
aaa-policy <AAA-POLICY-NAME> Uses an existing AAA policy with a WLAN
  • <AAA-POLICY-NAME> – Specify the AAA policy name.
association-acl-policy <ASSOCIATION-POLICY-NAME> Uses an existing association ACL policy with a WLAN
  • <ASSOCIATION-POLICY-NAME> – Specify the association ACL policy name.
application-policy <APP-POLICY-NAME> Uses an existing application policy with the WLAN. WLAN traffic is inspected and access control and quality of service actions applied based on the rules defined in the application policy.
  • <APP-POLICY-NAME> - Specify the Application policy name. The policy should be existing and configured.
Note: WiNG 5.9.X enabled devices use a third-party DPI engine to detect pre-defined application definitions. To enable AVC and app-usage stats reporting in a WiNG 5.9.X network, see application-group and application-policy.
bonjour-gw-discovery-policy <POLICY-NAME> Uses an existing Bonjour GW Discovery policy with a WLAN. When associated, the Bonjour GW Discovery policy defines a list of Apple services clients can discover across subnets.

Bonjour enables discovery of services on a LAN. Bonjour allows setting up a network (without any configuration) in which services such as printers, scanners and file-sharing servers can be found. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.

  • <POLICY-NAME> – Specify the Bonjour GW Discovery policy name. Should be existing and configured.
captive-portal <CAPTIVE-PORTAL-NAME> Specifies the captive-portal policy to use if enforcing captive-portal authentication on this WLAN
  • <CAPTIVE-PORTAL-NAME> – Specify the captive-portal policy name. Should be existing and configured.
passpoint-policy <PASSPOINT-POLICY-NAME> Associates a passpoint policy (Hotspot2 configuration) with this WLAN.
  • <PASSPOINT-POLICY-NAME> – Specify the Passpoint policy name. Should be existing and configured.

Map a passpoint policy to a WLAN. Since the configuration gets applied to the radio by BSS, only the Hotspot 2.0 configuration of primary WLANs on a BSSID is used. Incoming Hotspot 2.0 GAS/ANQP requests from clients are identified by their destination MAC addresses and are handled by the passpoint policy from the primary WLAN on that BSS.

Define one passpoint policy for every WLAN configured.

purview-application-policy <PURVIEW-APP-POLICY-NAME> Uses an existing Purview application policy with the WLAN. WLAN traffic is inspected and access control and quality of service actions applied based on the rules defined in the Purview application policy.
  • <PURVIEW-APP-POLICY-NAME> - Specify the Purview Application policy name. The policy should be existing and configured.
Note: The WiNG 7.1.X enabled devices use Extreme Networks' EAA (Extreme Application Analytics) (Purview™) DPI engine to detect pre-defined application definitions. To enable AVC in a WiNG 7.1.X network, see purview-application-group and purview-application-policy.
roaming-assist-policy <POLICY-NAME> Associates an existing roaming assist policy with this WLAN
  • <POLICY-NAME> – Specify the Roaming Assist policy name. Should be existing and configured.
url-filter <URL-FILTER-NAME> Associates an existing URL list with this WLAN
  • <URL-FILTER-NAME> – Specify the URL filter name. Should be existing and configured.
wlan-qos-policy <WLAN-QOS-POLICY-NAME> Uses an existing WLAN QoS policy with a WLAN
  • <WLAN-QOS-POLICY-NAME> – Specify the WLAN QoS policy name. Should be existing and configured.
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
ip-access-list [in|out] <IP-ACCESS-LIST-NAME> Applies an IP access list to incoming or outgoing packets
  • in – Applies the IP ACL to incoming packets
  • out – Applies the IP ACL to outgoing packets
    • <IP-ACCESS-LIST-NAME> – Specify the IP access list name.
use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME> Applies an IPv6 access list to incoming or outgoing packets
  • in – Applies the IPv6 ACL to incoming packets
  • out – Applies the IPv6 ACL to outgoing packets
    • <IPv6-ACCESS-LIST-NAME> – Specify the IPv6 access list name.
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>
mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> Applies a MAC access list to incoming or outgoing packets
  • in – Applies the MAC ACL to incoming packets
  • out – Applies the MAC ACL to outgoing packets
    • <MAC-ACCESS-LIST-NAME> – Specify the MAC access list name.

Usage Guidelines

IP and MAC ACLs act as firewalls within a WLAN. WLANs use ACLs as firewalls to filter or mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of conditions (rules) and the action taken in case of a match. The action can be permit, deny, or mark. Therefore, when a packet matches an ACE's conditions, it is either forwarded, dropped, or marked depending on the action specified in the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.

IP ACLs contain deny and permit rules specifying source and destination IP addresses. Each rule has a precedence order assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.

Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny, or mark designation to WLAN packet traffic.

Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

Examples

nx9500-6C8809(config-wlan-test)#use aaa-policy test
nx9500-6C8809(config-wlan-test)#use association-acl-policy test
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
 use association-acl-policy test
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
nx9500-6C8809(config-wlan-test)#

nx9500-6C8809(config-wlan-ipad_clients)#use bonjour-gw-discovery-policy generic
nx9500-6C8809(config-wlan-ipad_clients)#show context
wlan ipad_clients
 ssid ipad_clients
 vlan 41
 bridging-mode local
 encryption-type none
 authentication-type none
 use bonjour-gw-discovery-policy generic
nx9500-6C8809(config-wlan-ipad_clients)#
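
A configuration check built on the output format shown above, as an added example that is not part of the original documentation: it parses `show context` output into per-WLAN settings and `use` bindings, then lists WLANs that have neither encryption nor authentication and no access-control policy bound. The function names and the choice of which policy kinds count as access controls are assumptions; the sample text is abridged from the Examples above.

```python
# Treating exactly these policy kinds as "access controls" is an assumption of this check.
ACCESS_CONTROLS = {"captive-portal", "association-acl-policy",
                   "ip-access-list", "ipv6-access-list", "mac-access-list"}

def parse_wlans(text):
    """Map each WLAN in `show context` output to its settings and `use` bindings."""
    wlans, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or "#" in words[0]:          # blank line or CLI prompt line
            continue
        if words[0] == "wlan" and len(words) > 1 and not raw[0].isspace():
            current = wlans.setdefault(words[1], {"settings": {}, "use": []})
        elif current is None:
            continue
        elif words[0] == "use" and len(words) > 2:
            current["use"].append((words[1], words[2:]))  # ("ip-access-list", ["in", NAME])
        else:
            current["settings"][words[0]] = " ".join(words[1:])
    return wlans

def open_without_controls(wlans):
    """Names of open WLANs (no encryption, no authentication) with no access control bound."""
    flagged = []
    for name, w in wlans.items():
        s, bound = w["settings"], {kind for kind, _ in w["use"]}
        if (s.get("encryption-type") == "none" and s.get("authentication-type") == "none"
                and not bound & ACCESS_CONTROLS):
            flagged.append(name)
    return flagged

# Abridged from the Examples section of this page.
SAMPLE = """\
nx9500-6C8809(config-wlan-test)#show context
wlan test
 encryption-type none
 authentication-type none
 use aaa-policy test
 use association-acl-policy test
nx9500-6C8809(config-wlan-ipad_clients)#show context
wlan ipad_clients
 vlan 41
 encryption-type none
 authentication-type none
 use bonjour-gw-discovery-policy generic
"""

print(open_without_controls(parse_wlans(SAMPLE)))
```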

Related Commands

no (wlan-config-mode) Removes the following policies associated with a WLAN: aaa-policy, application-policy, association-acl-policy, bonjour-gw-discovery-policy, captive-portal, ip-access-list, ipv6-access-list, mac-access-list, passpoint-policy, roaming-assist-policy, url-filter, or wlan-qos-policy.