Configuring Local Policies

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Configuring Local Policies

  • The policy map attributes supported on the switch are QoS, VLAN, session timeout, and ACL.

  • Apple iphone 6s will get classified as "workstation" after HTTP profiling.

Information About Configuring Local Policies

Local policies can profile devices based on HTTP and DHCP to identify the end devices on the network. Users can configure device-based policies and enforce the policies per user or per device policy on the network.

Local policies allow profiling of mobile devices and basic onboarding of the profiled devices to a specific VLAN. They also assign ACL and QoS or configure session timeouts.

You can configure local policies as two separate components:
  • Defining policy attributes as service templates specific to clients joining the network and applying policy match criteria.
  • Applying match criteria to the policy.
The following policy match attributes are used for configuring local policies:

  • Device—Defines the type of device. Windows-based computer, Smart phone, Apple devices such as iPad and iPhone.

  • Username—Defines the username of the user.

  • User role—Defines the user type or the user group the user belongs to, such as a student or employee.

  • MAC—Defines the mac-address of the end point.

  • MAC OUI—Defines the mac-address OUI.

Once the switch has a match corresponding to these parameters per end point, the policy can be added. Policy enforcement allows basic device on-boarding of mobile devices based on the following session attributes:

  • VLAN

  • QoS

  • ACL

  • Session timeout

You can configure these policies and enforce end points with specified policies. The wireless clients are profiled based on MAC OUI, DHCP, and HTTP user agent (valid Internet is required for successful HTTP profiling). The switch uses these attributes and predefined classification profiles to identify devices.

Replacing Default Profile Text File

If a new device is not classified, contact the Cisco support team with the device MAC address. The Cisco support team will provide a new dc_default_profile.txt file with the MAC address included in the file. You need to replace the dc_default_profile.txt file with the earlier file. Follow these steps to change the dc_default_profile.txt file:
  1. Stop device classifier by entering this command:

    switch(config)# no device classifier

  2. Copy the file by entering this command:

    switch# device classifier profile location filepath

  3. Start the device classifier by entering this command:

    switch(config)# device classifier

Disabling session monitor on trunk ports

On uplink trunk ports, you should not create any session monitoring. By default, session monitoring is enabled. You should disable session monitoring.
  1. Enter into global configuration mode by entering this command:

    switch# configure terminal

  2. Enter into interface configuration mode by entering this command:

    switch(config)# interface interface-id

  3. Disable session monitoring by entering this command:

    switch(config-if)# no access-session monitor

Configuring Local Policies (CLI)

To configure local policies, complete these procedures:

  1. Create a service template.
  2. Create an interface template.
  3. Create a parameter map.
  4. Create a policy map.
  5. Apply a local policy on a WLAN.

Creating a Service Template (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global configuration mode.
Step 2

service-template service-template-name

Example:


Switch(config)# service-template cisco-phone-template
Switch(config-service-template)#

Enters service template configuration mode.

Step 3

access-group acl_list

Example:


Switch(config-service-template)# access-group foo-acl

Specifies the access list to be applied.

Step 4

vlan vlan_id

Example:


Switch(config-service-template)# vlan 100

Specifies VLAN ID. You can specify a value from 1 to 4094.

Step 5

absolute-timer seconds

Example:


Switch(config-service-template)# absolute-timer 20

Specifies session timeout value for service template. You can specify a value from 1 to 65535.

Step 6

service-policy qos { input | output}

Example:


Switch(config-service-template)# service-policy qos input foo-qos

Configures QoS policies for the client.

Step 7

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating an Interface Template (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global configuration mode.
Step 2

template interface-template-name

Example:


Switch(config)# template cisco-phone-template
Switch(config-template)#

Enters interface template configuration mode.

Step 3

switchport mode access

Example:


Switch(config-template)# switchport mode access

Sets the interface as a nontrunking nontagged single-VLAN Ethernet interface. An access port can carry traffic in one VLAN only. By default, an access port carries traffic for VLAN1.

Step 4

switchport voice vlan vlan_id

Example:


Switch(config-template)# switchport voice vlan 20

Specifies to forward all voice traffic through the specified VLAN. You can specify a value from 1 to 4094.

Step 5

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Parameter Map (CLI)

Parameter map is preferred to use than class map.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global configuration mode.
Step 2

parameter-map type subscriber attribute-to-service parameter-map-name

Example:


Switch(config)# parameter-map type subscriber attribute-to-service Aironet-Policy-para

Specifies the parameter map type and name.

Step 3

map-index map { device-type | mac-address | oui | user-role | username} { eq | not-eq | regex filter-name }

Example:


Switch(config-parameter-map-filter)# 10 map device-type eq "WindowsXP-Workstation"

Specifies parameter map attribute filter criteria.

Step 4

service-template service-template-name

Example:


Switch(config-parameter-map-filter-submode)# service-template cisco-phone-template
Switch(config-parameter-map-filter-submode)#

Enters service template configuration mode.

Step 5

interface-template interface-template-name

Example:


Switch(config-parameter-map-filter-submode)# interface-template cisco-phone-template
Switch(config-parameter-map-filter-submode)#

Enters service template configuration mode.

Step 6

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Class Map (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global configuration mode.
Step 2

class-map type control subscriber class-map-name { match-all | match-any | match-first }

Example:


Switch(config)# class-map type control subscriber CLASS_AC_1 match-all

Specifies the class map type and name.

Step 3

match { device-type | mac-address | oui | username | userrole} filter-type-name

Example:


Switch(config-class-map)# match device-type Cisco-IP-Phone-7961

Specifies class map attribute filter criteria.

Step 4

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Policy Map (CLI)

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global configuration mode.
Step 2

policy-map type control subscriber policy-map-name

Example:


Switch(config)# policy-map type control subscriber Aironet-Policy

Specifies the policy map type.

Step 3

event identity-update { match-all | match-first}

Example:


Switch(config-policy-map)# event identity-update match-all

Specifies match criteria to the policy map.

Step 4

class_number class { class_map_name | always } { do-all | do-until-failure | do-until-success}

Example:


Switch(config-class-control-policymap)# 1 class local_policy1_class do-until-success
Configures the local profiling policy class map number and specifies how to perform the action. The class map configuration mode includes the following command options:
  • always —Executes without doing any matching but return success.
  • do-all —Executes all the actions.
  • do-until-failure —Execute all the actions until any match failure is encountered. This is the default value.
  • do-until-success —Execute all the actions until any match success happens.
Step 5

action-index map attribute-to-service table parameter-map-name

Example:


Switch(config-policy-map)# 10 map attribute-to-service table Aironet-Policy-para

Specifies parameter map table to be used.

Step 6

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Applying a Local Policy for a Device on a WLAN (CLI)

Before you begin

If the service policy contains any device type-based rules in the parameter map, ensure that the device classifier is already enabled.


Note

You should use the device classification command to classify the device for it to be displayed correctly on the show command output.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Switch# configure terminal

Enters global configuration mode.
Step 2

wlan wlan-name

Example:


Switch(config)# wlan wlan1

Enters WLAN configuration mode.

Step 3

service-policy type control subscriber policymapname

Example:

Switch(config-wlan)# service-policy type control subscriber Aironet-Policy

Applies local policy to WLAN.

Step 4

profiling local http (optional)

Example:

Switch(config-wlan)# profiling local http

Enables only profiling of devices based on HTTP protocol (optional).

Step 5

profiling radius http (optional)

Example:

Switch(config-wlan)# profiling radius http

Enables profiling of devices on ISE (optional).

Step 6

no shutdown

Example:

Switch(config-wlan)# no shutdown

Specifies not to shut down the WLAN.

Step 7

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Local Policies (GUI)

To configure local policies, complete these procedures:
  1. Create a service template.
  2. Create a policy map.
  3. Apply a local policy that you have created to a WLAN.

Creating a Service Template (GUI)

Procedure

Step 1

Choose Configuration > Security > Local Policies > Service Template to open the Service Template page.

Step 2

Create a new template as follows:

  1. Click New to open the Service Template > New page.

  2. In the Service Template name text box, enter the new service template name.

  3. In the VLAN ID text box, enter the VLAN identifier that has to be associated with the policy. The value ranges from 1 to 4094.

  4. In the Session timeout text box, enter the maximum amount of time, in seconds, after which a client is forced to reauthenticate. The value ranges from 1 to 65535 seconds.

  5. From the Access control list drop-down list, choose the access control list to be mapped to the policy.

  6. From the Ingress QoS drop-down list, choose the ingress QoS policy to be applied.

  7. From the Egress QoS drop-down list, choose the egress QoS policy to be applied.

  8. Click Apply to save the configuration.

Step 3

Edit a service template as follows:

  1. From the Service Template page, click the service template to open the Service Template > Edit page.

  2. In the VLAN ID text box, enter the VLAN identifier that has to be associated with the policy. The value ranges from 1 to 4094.

  3. In the Session timeout text box, enter the maximum amount of time, in seconds, after which a client is forced to reauthenticate. The value ranges from 1 to 65535 seconds.

  4. From the Access control list drop-down list, choose the access control list to be mapped to the policy.

  5. From the Ingress QoS drop-down list, choose the ingress QoS policy to be applied.

  6. From the Egress QoS drop-down list, choose the egress QoS policy to be applied.

  7. Click Apply to save the configuration.

Step 4

Remove a service template as follows:

  1. From the Service Template page, select the service template.

  2. Click Remove.

  3. Click Apply to save the configuration.

Creating a Policy Map (GUI)

Procedure

Step 1

Choose Configuration > Security > Local Policies > Policy Map to open the Policy Map page.

Step 2

Create a new policy map as follows:

  1. Click New to open the Policy Map > New page.

  2. In the Policy Map name text box, enter the new policy map name.

  3. Click Add to open the Match Criteria area.

  4. From the Device Type drop-down list, choose the device type. The match criteria for the device type can be eq, not-eq, or regex with respect to the device type you are choosing.

  5. From the User Role drop-down list, select the match criteria as eq, not-eq, or regex and enter the user type or user group of the user, for example, student, teacher, and so on.

  6. From the Service Template drop-down list, choose the service template to be mapped to the policy.

  7. Click Add. The match criteria is added to the Match Criteria Lists.

  8. In the Match Criteria Lists area, click Add to add the match criteria to the policy.

  9. Click Apply to save the configuration.

Step 3

Edit a policy map as follows:

  1. In the Policy Map page, select the policy map that you want to edit, and click Edit to open the Policy Map > Edit page.

  2. In the Match Criteria area, choose the device type from the Device Type drop-down list. The match criteria for the device type can be eq, not-eq, or regex with respect to the device type you are choosing.

  3. In the Match Criteria area, choose the user role from the User Role drop-down list. Select the match criteria as eq, not-eq, or regex and enter the user type or user group of the user

  4. From the Service Template drop-down list, choose the service template to be mapped to the policy.

  5. Click Ok to save the configuration or Cancel to discard the configuration.

  6. Click Add to add more match criteria based on device type, user role, and service template to the policy.

  7. In the Match Criteria Lists area, select the match criteria and click Move to to move the match criteria with respect to a value entered in the row text box.

  8. Select the match criteria and click Move up to move the match criteria up in the list.

  9. Select the match criteria and click Move down to move the match criteria down in the list.

  10. Select the match criteria and click Remove to remove the match criteria from the policy map list.

  11. Click Apply to save the configuration.

Step 4

Remove a policy map as follows:

  1. From the Policy Map page, select the policy map.

  2. Click Remove.

  3. Click Apply to save the configuration.

Applying Local Policies to WLAN (GUI)

Procedure

Step 1

Choose Configuration > Wireless > WLAN to open the WLANs page.

Step 2

Click the corresponding WLAN profile. The WLANs > Edit page is displayed.

Step 3

Click the Policy-Mapping tab.

Step 4

Check the Device Classification check box to enable classification based on device type.

Step 5

From the Local Subscriber Policy drop-down list, choose the policy that has to be applied for the WLAN.

Step 6

Select Local HTTP Profiling to enable profiling on devices based on HTTP (optional).

Step 7

Select Radius HTTP Profiling to enable profiling on devices based on RADIUS (optional).

Step 8

Click Apply to save the configuration.

Monitoring Local Policies

The following commands can be used to monitor local policies configured on the switch.

Table 1. Monitoring Local Policies Command

Command

Purpose

show access-session

Displays the summary of access session with authorization status, method and domain for each client or MAC address displayed.

show access-session cache

Displays the latest classification for the client.

show device classifier attached detail

Displays the latest classification for the client based on parameters such as Mac, DHCP, or HTTP.

show access-session mac mac-address details

Displays the policy mapped, service template used, and attributes for the client.

Note 

If the show access-session detail command output is not displaying session timeout details, you should enable client profiling with session timeout in client access session and then run the show access-session mac mac-address details command to see the session timeout details.

show access-session mac mac-address policy

Displays the policy mapped, service template used, and attributes for the client.

In addition, you can view the Resultant Policy that displays the following information:

  • The final attributes applied to the session when the session has locally configured attributes.

  • Attributes applied from the server.

Examples: Local Policies Configuration

This example shows how to create service template: 

Switch(config)# service-template test3
Switch(config-service-template)# access-group josephacl
Switch(config-service-template)# vlan 137
Switch(config-service-template)# absolute-timer 500
Switch(config-service-template)#  service-policy qos input qosingress
Switch(config-service-template)# end
This example shows how to create parameter map: 

Switch(config)# parameter-map type subscriber attribute-to-service apple-tsim-param
Switch(config-parameter-map)# 1 map device-type eq "Apple-Device"
Switch(config-parameter-map)# 1 service-template test1
Switch(config-parameter-map)# 2 map device-type eq "Apple-Ipad"
Switch(config-parameter-map)# 1 service-template test2
Switch(config-parameter-map)# 3 map device-type eq "Android"
Switch(config-parameter-map)# 1 service-template test3
Switch(config-parameter-map)# end

Note

At the end of each configuration command line, enter CTRL Z to execute the command and proceed to the next line.

This example shows how to create interface template: 

Switch# configure terminal
Switch(config)#template cisco-phone-template
Switch(config-template)#switchport mode access
Switch(config-template)#switchport voice vlan 20
Switch(config-template)# end
This example shows how to create parameter map: 

Switch# configure terminal
Switch(config)#parameter-map type subscriber attribute-to-service param-wired
Switch(config-parameter-map-filter)#10 map device-type regex Cisco-IP-Phone
Switch(config-parameter-map-filter-submode)#10 interface-template cisco-phone-template
Switch(config-parameter-map)# end
This example shows how to create policy map: 

Switch(config)# policy-map type control subscriber apple-tsim
Switch(config-policy-map)# event identity-update match-all
Switch(config-policy-map)# 1 class always do-until-failure
Switch(config-policy-map)# 1 map attribute-to-service table apple-tsim-param
Switch(config-policy-map)# end
This example shows how to apply policy to a device on a WLAN: 

Switch(config)# wlan wlan1
Switch(config-wlan)# client vlan VLAN0054
Switch(config-wlan)# profiling local http
Switch(config-wlan)# service-policy type control subscriber apple-tsim
Switch(config-wlan)# no shutdown
Switch# end

Additional References for Configuring Local Policies

Related Documents

Related Topic Document Title
Security commands

Security Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Standards and RFCs

Standard/RFC Title
None

MIBs

MIB MIBs Link
All supported MIBs for this release.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/support

Feature History for Performing Local Policies Configuration

Release Feature Information

Cisco IOS XE 3E

This feature was introduced.