458 Configuring AAA for Network Users
320657-A

Setting the Location Policy

To enable the location policy function on a WSS switch, you must create at least one location policy rule with one of the following commands:

    set location policy deny if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | dap dap-num} [before rule-number | modify rule-number]

    set location policy permit {vlan vlan-name | inacl inacl-name | outacl outacl-name} if {ssid operator ssid-name | vlan operator vlan-wildcard | user operator user-wildcard | port port-list | dap dap-num} [before rule-number | modify rule-number]

You must specify whether to permit or deny access, and you must identify a VLAN, username, or access point to match. Use one of the following operators to specify how the rule must match the VLAN or username:

• eq—Applies the location policy rule to all users assigned VLAN names matching vlan-wildcard or having usernames that match user-wildcard. (Like a user wildcard, a VLAN wildcard is a way to group VLANs for use in this command. For more information, see “VLAN Wildcards” on page 40.)

• neq—Applies the location policy rule to all users assigned VLAN names not matching vlan-wildcard or having usernames that do not match user-wildcard.

For example, the following command denies network access to all users matching *.theirfirm.com, causing them to fail authorization:

    23x0# set location policy deny if user eq *.theirfirm.com

The following command authorizes access to the guest_1 VLAN for all users who do not match *.ourfirm.com:

    23x0# set location policy permit vlan guest_1 if user neq *.ourfirm.com

The following command places all users who are authorized for SSID tempvendor_a into VLAN kiosk_1:

    23x0# set location policy permit vlan kiosk_1 if ssid eq tempvendor_a
    success: change accepted.

Applying Security ACLs in a Location Policy Rule

When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows:

• Input filter—Use inacl inacl-name to filter traffic that enters the switch from users through an AP access point or wired authentication port, or from the network through a network port.

• Output filter—Use outacl outacl-name to filter traffic sent from the switch to users through an AP access point or wired authentication port, or from the network through a network port.

Note. Asterisks (wildcards) are not supported in SSID names. You must specify the complete SSID name.
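
An added example, not from the manual: a small Python model of the rule syntax above for checking offline which rule a session would hit before the commands are entered on the switch. It assumes rules are evaluated in list order with the first match winning, approximates user and VLAN wildcards with shell-style globbing, treats the section's three example commands as one rule list, and omits the port and dap conditions; the function names and sample sessions are constructed.

```python
import fnmatch
import re

RULE_RE = re.compile(
    r"set location policy (?:(deny)|permit (vlan|inacl|outacl) (\S+)) "
    r"if (ssid|vlan|user) (eq|neq) (\S+)$")

def parse_rule(line):
    """Parse one 'set location policy' command (port/dap conditions omitted)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    deny, attr, value, field, op, pattern = m.groups()
    # Per the section's note: SSID names must be complete, no asterisks.
    if field == "ssid" and "*" in pattern:
        raise ValueError("wildcards are not supported in SSID names")
    return {"deny": bool(deny), "attr": attr, "value": value,
            "field": field, "op": op, "pattern": pattern}

def rule_matches(rule, session):
    actual = session[rule["field"]]
    if rule["field"] == "ssid":
        hit = actual == rule["pattern"]
    else:
        # Assumption: shell-style globbing stands in for the switch's wildcards.
        hit = fnmatch.fnmatchcase(actual, rule["pattern"])
    return hit if rule["op"] == "eq" else not hit

def evaluate(rules, session):
    """Return ('deny', None), ('permit', {attr: value}) or ('no-match', None)."""
    for rule in rules:  # Assumption: list order, first matching rule wins.
        if rule_matches(rule, session):
            if rule["deny"]:
                return ("deny", None)
            return ("permit", {rule["attr"]: rule["value"]})
    return ("no-match", None)

# The section's three example commands, treated as one ordered list (assumption).
RULES = [parse_rule(cmd) for cmd in (
    "set location policy deny if user eq *.theirfirm.com",
    "set location policy permit vlan guest_1 if user neq *.ourfirm.com",
    "set location policy permit vlan kiosk_1 if ssid eq tempvendor_a")]

if __name__ == "__main__":
    # Constructed sessions, not from the manual.
    for user, ssid in (("alice@mail.theirfirm.com", "corp"),
                       ("carol@lab.example.net", "tempvendor_a"),
                       ("bob@eng.ourfirm.com", "tempvendor_a")):
        s = {"user": user, "vlan": "default", "ssid": ssid}
        print(user, ssid, evaluate(RULES, s))
```

Under these assumptions the neq rule catches every user outside *.ourfirm.com, so the tempvendor_a rule is reached only by ourfirm users; where a rule sits in the list (the before rule-number option in the syntax) therefore matters.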