Configuring and managing security ACLs 423
Nortel WLAN—Security Switch 2300 Series Configuration Guide

Mapping user-based security ACLs

When you configure administrator or user authentication, you can set a Filter-Id authorization attribute at the RADIUS server or in the WSS's local database. The Filter-Id attribute is a security ACL name with the direction of the packets appended, for example acl-name.in or acl-name.out. The security ACL mapped by Filter-Id instructs the WSS to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user.

To map a security ACL to a user session, follow these steps:

1 Create the security ACL. For example, to filter packets coming from 192.168.253.1 and going to 192.168.253.12, type the following command:

   WSS# set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0 192.168.253.12 0.0.0.0 hits

2 Commit the security ACL to the running configuration. A security ACL that is defined but not committed cannot be referenced by a Filter-Id. For example, to commit acl-222, type the following command:

   WSS# commit security acl acl-222
   success: change accepted.

3 Apply the Filter-Id authorization attribute to a user's session via an external RADIUS server. For instructions, see the documentation for your RADIUS server.

4 Alternatively, authenticate the user with the Filter-Id attribute in the WSS's local database. Use one of the commands in the table below. Specify .in for incoming packets or .out for outgoing packets. When assigned the Filter-Id attribute, an authenticated user with a current session receives packets based on the security ACL. For example, to restrict incoming packets for Natasha to those specified in acl-222, type the following command:

   WSS# set user Natasha attr filter-id acl-222.in
   success: change accepted.

Note. The Filter-Id attribute is more often received by the WSS through an external AAA RADIUS server than applied through the local database.

Note. If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL in the WSS, the user fails authorization and cannot be authenticated. Before configuring a Filter-Id on the RADIUS server, confirm that the ACL it names has been committed on every WSS that will authenticate the user; otherwise the mismatch locks the user out rather than leaving the session unfiltered.

Mapping Target                         Commands
User authenticated by a password       set user username attr filter-id acl-name.in
                                       set user username attr filter-id acl-name.out
User authenticated by a MAC address    set mac-user username attr filter-id acl-name.in
                                       set mac-user username attr filter-id acl-name.out
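The second Note above describes a fail-closed behaviour: a Filter-Id that does not name a committed ACL, or that lacks the .in/.out suffix, denies the user. The following added example (not Nortel's code and not part of this guide) is a pre-deployment check that replays a transcript of the WSS CLI commands shown on this page and reports every Filter-Id mapping that the WSS would reject. It assumes only the three command shapes shown above (set security acl ip, commit security acl, set user/mac-user ... attr filter-id); the sample transcript, its addresses, user names and the acl-guest and acl-999 names are constructed for the example. The same check_filter_id function can be run over the Filter-Id values you intend to configure on the RADIUS server, since the WSS applies the same rule to values returned by RADIUS.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not Nortel's code. Only the WSS CLI command shapes shown in
# the guide are recognised; any other WSS syntax is not modelled here.
DIRECTIONS = ("in", "out")

_DEFINE = re.compile(r"^set security acl ip (\S+) ")
_COMMIT = re.compile(r"^commit security acl (\S+)$")
_MAP = re.compile(r"^set (user|mac-user) (\S+) attr filter-id (\S+)$")

# Constructed sample transcript (not captured from a real switch). The extra
# addresses and names are made up; acl-guest is defined but never committed,
# acl-999 is never defined, and one mapping uses a bad direction suffix.
SAMPLE_COMMANDS = """\
set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0 192.168.253.12 0.0.0.0 hits
commit security acl acl-222
set security acl ip acl-guest permit ip 10.1.1.1 0.0.0.0 10.1.1.2 0.0.0.0
set user Natasha attr filter-id acl-222.in
set user Boris attr filter-id acl-guest.out
set mac-user 00:11:22:33:44:55 attr filter-id acl-222.inbound
set user Ivan attr filter-id acl-999.in
"""


@dataclass
class Finding:
    principal: str   # username or MAC address the mapping was applied to
    filter_id: str   # the Filter-Id value as typed (or as RADIUS would return it)
    problem: str


def parse_filter_id(value: str) -> Optional[tuple]:
    """Split 'acl-name.in' into (name, direction); None if the shape is wrong."""
    name, sep, direction = value.rpartition(".")
    if not sep or not name or direction not in DIRECTIONS:
        return None
    return name, direction


def check_filter_id(value: str, defined: set, committed: set) -> Optional[str]:
    """Return a problem description, or None if the WSS would accept the value.

    Mirrors the guide's rule: the name must match a *committed* security ACL,
    and the direction must be .in or .out.
    """
    parsed = parse_filter_id(value)
    if parsed is None:
        return "Filter-Id must be <acl-name>.in or <acl-name>.out"
    name, _direction = parsed
    if name in committed:
        return None
    if name in defined:
        return f"ACL {name} is defined but not committed; run 'commit security acl {name}'"
    return f"no security ACL named {name} on the WSS"


def audit_mappings(commands: str) -> list:
    """Replay a CLI transcript and report Filter-Id mappings that would fail authorization."""
    defined, committed, mappings = set(), set(), []
    for raw in commands.splitlines():
        line = raw.strip()
        if (m := _DEFINE.match(line)):
            defined.add(m.group(1))
        elif (m := _COMMIT.match(line)):
            committed.add(m.group(1))
        elif (m := _MAP.match(line)):
            mappings.append((m.group(2), m.group(3)))
    return [
        Finding(principal, value, problem)
        for principal, value in mappings
        if (problem := check_filter_id(value, defined, committed)) is not None
    ]


if __name__ == "__main__":
    for f in audit_mappings(SAMPLE_COMMANDS):
        print(f"{f.principal}: {f.filter_id}: {f.problem}")
```

Running the block on the sample transcript reports Boris (ACL defined but not committed), the MAC user (bad suffix) and Ivan (no such ACL); Natasha's mapping to the committed acl-222 passes. The check is deliberately strict about the suffix because the WSS takes the flow direction from the Filter-Id value, so a misspelt suffix denies the user rather than defaulting to one direction.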