Configuring Local Policies
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Configuring Local Policies
The policy map attributes supported on the switch are QoS, VLAN, session timeout, and ACL.
Information About Configuring Local Policies
Local policies can profile devices based on HTTP and DHCP to identify the end devices on the network. Users can configure device-based policies and enforce them per user or per device on the network.
Local policies allow profiling of mobile devices and basic onboarding of the profiled devices to a specific VLAN. They can also assign an ACL and QoS or configure session timeouts.
- Device—Defines the type of device, such as a Windows-based computer, a smartphone, or an Apple device such as an iPad or iPhone.
- Username—Defines the username of the user.
- User role—Defines the user type or the user group the user belongs to, such as a student or employee.
- MAC—Defines the MAC address of the endpoint.
- MAC OUI—Defines the MAC address OUI.
You can configure these policies and enforce the specified policies on endpoints. The wireless clients are profiled based on MAC OUI, DHCP, and HTTP user agent (a valid Internet connection is required for successful HTTP profiling). The switch uses these attributes and predefined classification profiles to identify devices.
Replacing Default Profile Text File
Disabling session monitor on trunk ports
Configuring Local Policies (CLI)
To configure local policies, complete these procedures:
Creating a Service Template (CLI)
Creating an Interface Template (CLI)
Creating a Parameter Map (CLI)
Using a parameter map is preferred over using a class map.
Creating a Class Map (CLI)
Creating a Policy Map (CLI)
Applying a Local Policy for a Device on a WLAN (CLI)
If the service policy contains any device type-based rules in the parameter map, ensure that the device classifier is already enabled.
Configuring Local Policies (GUI)
Creating a Service Template (GUI)
Creating a Policy Map (GUI)
Applying Local Policies to WLAN (GUI)
Monitoring Local Policies
The following commands can be used to monitor local policies configured on the switch.
Command | Purpose |
---|---|
show access-session | Displays the summary of access session with authorization status, method and domain for each client or MAC address displayed. |
show access-session cache | Displays the latest classification for the client. |
show device classifier attached detail | Displays the latest classification for the client based on parameters such as MAC, DHCP, or HTTP. |
show access-session mac mac-address details | Displays the policy mapped, service template used, and attributes for the client. |
show access-session mac mac-address policy | Displays the policy mapped, service template used, and attributes for the client. |
Examples: Local Policies Configuration
Switch(config)# service-template test3
Switch(config-service-template)# access-group josephacl
Switch(config-service-template)# vlan 137
Switch(config-service-template)# absolute-timer 500
Switch(config-service-template)# service-policy qos input qosingress
Switch(config-service-template)# end
Switch(config)# parameter-map type subscriber attribute-to-service apple-tsim-param
Switch(config-parameter-map)# 1 map device-type eq "Apple-Device"
Switch(config-parameter-map)# 1 service-template test1
Switch(config-parameter-map)# 2 map device-type eq "Apple-Ipad"
Switch(config-parameter-map)# 1 service-template test2
Switch(config-parameter-map)# 3 map device-type eq "Android"
Switch(config-parameter-map)# 1 service-template test3
Switch(config-parameter-map)# end
Note: At the end of each configuration command line, enter CTRL Z to execute the command and proceed to the next line.
Switch# configure terminal
Switch(config)# template cisco-phone-template
Switch(config-template)# switchport mode access
Switch(config-template)# switchport voice vlan 20
Switch(config-template)# end
Switch# configure terminal
Switch(config)# parameter-map type subscriber attribute-to-service param-wired
Switch(config-parameter-map-filter)# 10 map device-type regex Cisco-IP-Phone
Switch(config-parameter-map-filter-submode)# 10 interface-template cisco-phone-template
Switch(config-parameter-map)# end
Switch(config)# policy-map type control subscriber apple-tsim
Switch(config-policy-map)# event identity-update match-all
Switch(config-policy-map)# 1 class always do-until-failure
Switch(config-policy-map)# 1 map attribute-to-service table apple-tsim-param
Switch(config-policy-map)# end
Switch(config)# wlan wlan1
Switch(config-wlan)# client vlan VLAN0054
Switch(config-wlan)# profiling local http
Switch(config-wlan)# service-policy type control subscriber apple-tsim
Switch(config-wlan)# no shutdown
Switch(config-wlan)# end
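The examples above form a chain of named references: the WLAN names a policy map, the policy map names a parameter map, and the parameter map names service templates. The following Python check is an added example, not part of the Cisco documentation; it verifies that every referenced name is defined and that the device classifier prerequisite is met. The function name `audit_local_policy`, the prompt-stripped sample layout, and the exact text of the global `device classifier` command are assumptions.

```python
import re

# Constructed sample: the wireless example commands from this page with the
# CLI prompts stripped. Only service template test3 is defined on the page.
SAMPLE_CONFIG = """\
service-template test3
 access-group josephacl
 vlan 137
parameter-map type subscriber attribute-to-service apple-tsim-param
 1 map device-type eq "Apple-Device"
  1 service-template test1
 2 map device-type eq "Apple-Ipad"
  1 service-template test2
 3 map device-type eq "Android"
  1 service-template test3
policy-map type control subscriber apple-tsim
 event identity-update match-all
  1 class always do-until-failure
   1 map attribute-to-service table apple-tsim-param
wlan wlan1
 client vlan VLAN0054
 profiling local http
 service-policy type control subscriber apple-tsim
"""

def audit_local_policy(config):
    """Return a sorted list of findings for a local-policy configuration."""
    lines = [line.strip() for line in config.splitlines()]
    def grab(pattern):
        return {m.group(1) for line in lines if (m := re.match(pattern, line))}

    findings = []
    # (object kind, pattern that defines it, pattern that references it)
    checks = [
        ("service-template", r"service-template (\S+)$", r"\d+ service-template (\S+)$"),
        ("parameter-map", r"parameter-map type subscriber attribute-to-service (\S+)$",
         r"\d+ map attribute-to-service table (\S+)$"),
        ("policy-map", r"policy-map type control subscriber (\S+)$",
         r"service-policy type control subscriber (\S+)$"),
    ]
    for kind, defined, referenced in checks:
        for name in grab(referenced) - grab(defined):
            findings.append(f"{kind} '{name}' is referenced but not defined")
    # Prerequisite from this page: device-type rules need the device classifier.
    # Assumption: it is enabled by a global line reading "device classifier".
    if any(re.match(r"\d+ map device-type ", l) for l in lines) and "device classifier" not in lines:
        findings.append("device-type rules present but 'device classifier' is not enabled")
    return sorted(findings)
```

Run against the sample, the audit reports the two service templates the parameter map references without a definition (test1 and test2) and the missing device classifier line.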
Additional References for Configuring Local Policies
Related Documents
Related Topic | Document Title |
---|---|
Security commands | Security Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series) |
Feature History for Performing Local Policies Configuration
Release | Feature Information |
---|---|
Cisco IOS XE 3E | This feature was introduced. |