Configuring Local Policies

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Configuring Local Policies

The policy map attributes supported on the switch are QoS, VLAN, session timeout, and ACL.

Related Concepts
Information About Configuring Local Policies
Related Tasks
Creating a Parameter Map (CLI)
Creating a Class Map (CLI)
Creating a Policy Map (CLI)
Applying a Local Policy for a Device on a WLAN (CLI)
Creating an Interface Template (CLI)
Creating a Service Template (GUI)
Creating a Policy Map (GUI)
Applying Local Policies to WLAN (GUI)

Information About Configuring Local Policies

Local policies can profile devices based on HTTP and DHCP to identify the end devices on the network. Users can configure device-based policies and enforce them per user or per device on the network.

Local policies allow profiling of mobile devices and basic onboarding of the profiled devices to a specific VLAN. They also assign ACL and QoS or configure session timeouts.

You can configure local policies as two separate components:
  • Defining policy attributes as service templates specific to clients joining the network and applying policy match criteria.
  • Applying match criteria to the policy.
The following policy match attributes are used for configuring local policies:
  • Device—Defines the type of device, such as a Windows-based computer, a smartphone, or an Apple device such as an iPad or iPhone.

  • Username—Defines the username of the user.

  • User role—Defines the user type or the user group the user belongs to, such as a student or employee.

  • MAC—Defines the MAC address of the end point.

  • MAC OUI—Defines the OUI (vendor prefix) of the MAC address.

Once the switch has a match corresponding to these parameters per end point, the policy can be added. Policy enforcement allows basic device on-boarding of mobile devices based on the following session attributes:
  • VLAN

  • QoS

  • ACL

  • Session timeout

You can configure these policies and enforce them on end points. Wireless clients are profiled based on MAC OUI, DHCP, and the HTTP user agent (a working Internet connection is required for successful HTTP profiling). The switch uses these attributes and predefined classification profiles to identify devices.

Replacing Default Profile Text File

If a new device is not classified, contact the Cisco support team with the device MAC address. The Cisco support team will provide a new dc_default_profile.txt file with the MAC address included in the file. You need to replace the existing dc_default_profile.txt file with this new file. Follow these steps to change the dc_default_profile.txt file:
  1. Stop device classifier by entering this command:

    switch(config)# no device classifier

  2. Copy the file by entering this command:

    switch# device classifier profile location filepath

  3. Start the device classifier by entering this command:

    switch(config)# device classifier

Disabling session monitor on trunk ports

Do not create any session monitoring on uplink trunk ports. Session monitoring is enabled by default, so you should disable it on these ports:
  1. Enter into global configuration mode by entering this command:

    switch# configure terminal

  2. Enter into interface configuration mode by entering this command:

    switch(config)# interface interface-id

  3. Disable session monitoring by entering this command:

    switch(config-if)# no access-session monitor


Configuring Local Policies (CLI)

To configure local policies, complete these procedures:

  1. Create a service template.
  2. Create an interface template.
  3. Create a parameter map.
  4. Create a policy map.
  5. Apply a local policy on a WLAN.

Creating a Service Template (CLI)

Step 1  configure terminal
        Example:
        Switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  service-template service-template-name
        Example:
        Switch(config)# service-template cisco-phone-template
        Switch(config-service-template)#
        Purpose: Enters service template configuration mode.

Step 3  access-group acl_list
        Example:
        Switch(config-service-template)# access-group foo-acl
        Purpose: Specifies the access list to be applied.

Step 4  vlan vlan_id
        Example:
        Switch(config-service-template)# vlan 100
        Purpose: Specifies the VLAN ID. You can specify a value from 1 to 4094.

Step 5  absolute-timer seconds
        Example:
        Switch(config-service-template)# absolute-timer 20
        Purpose: Specifies the session timeout value for the service template. You can specify a value from 1 to 65535.

Step 6  service-policy qos {input | output}
        Example:
        Switch(config-service-template)# service-policy qos input foo-qos
        Purpose: Configures QoS policies for the client.

Step 7  end
        Example:
        Switch(config)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating an Interface Template (CLI)

Step 1  configure terminal
        Example:
        Switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  template interface-template-name
        Example:
        Switch(config)# template cisco-phone-template
        Switch(config-template)#
        Purpose: Enters interface template configuration mode.

Step 3  switchport mode access
        Example:
        Switch(config-template)# switchport mode access
        Purpose: Sets the interface as a nontrunking, nontagged, single-VLAN Ethernet interface. An access port can carry traffic in one VLAN only. By default, an access port carries traffic for VLAN 1.

Step 4  switchport voice vlan vlan_id
        Example:
        Switch(config-template)# switchport voice vlan 20
        Purpose: Forwards all voice traffic through the specified VLAN. You can specify a value from 1 to 4094.

Step 5  end
        Example:
        Switch(config)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Parameter Map (CLI)

Using a parameter map is preferred over using a class map.

Step 1  configure terminal
        Example:
        Switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  parameter-map type subscriber attribute-to-service parameter-map-name
        Example:
        Switch(config)# parameter-map type subscriber attribute-to-service Aironet-Policy-para
        Purpose: Specifies the parameter map type and name.

Step 3  map-index map {device-type | mac-address | oui | user-role | username} {eq | not-eq | regex filter-name}
        Example:
        Switch(config-parameter-map-filter)# 10 map device-type eq "WindowsXP-Workstation"
        Purpose: Specifies the parameter map attribute filter criteria.

Step 4  service-template service-template-name
        Example:
        Switch(config-parameter-map-filter-submode)# service-template cisco-phone-template
        Switch(config-parameter-map-filter-submode)#
        Purpose: Enters service template configuration mode.

Step 5  interface-template interface-template-name
        Example:
        Switch(config-parameter-map-filter-submode)# interface-template cisco-phone-template
        Switch(config-parameter-map-filter-submode)#
        Purpose: Enters service template configuration mode.

Step 6  end
        Example:
        Switch(config)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Class Map (CLI)

Step 1  configure terminal
        Example:
        Switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  class-map type control subscriber class-map-name {match-all | match-any | match-first}
        Example:
        Switch(config)# class-map type control subscriber CLASS_AC_1 match-all
        Purpose: Specifies the class map type and name.

Step 3  match {device-type | mac-address | oui | username | userrole} filter-type-name
        Example:
        Switch(config-class-map)# match device-type Cisco-IP-Phone-7961
        Purpose: Specifies the class map attribute filter criteria.

Step 4  end
        Example:
        Switch(config)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Creating a Policy Map (CLI)

Step 1  configure terminal
        Example:
        Switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  policy-map type control subscriber policy-map-name
        Example:
        Switch(config)# policy-map type control subscriber Aironet-Policy
        Purpose: Specifies the policy map type.

Step 3  event identity-update {match-all | match-first}
        Example:
        Switch(config-policy-map)# event identity-update match-all
        Purpose: Specifies the match criteria for the policy map.

Step 4  class_number class {class_map_name | always} {do-all | do-until-failure | do-until-success}
        Example:
        Switch(config-class-control-policymap)# 1 class local_policy1_class do-until-success
        Purpose: Configures the local profiling policy class map number and specifies how to perform the action. The class map configuration mode includes the following command options:
        • always—Executes without doing any matching and returns success.
        • do-all—Executes all the actions.
        • do-until-failure—Executes all the actions until any match failure is encountered. This is the default value.
        • do-until-success—Executes all the actions until any match success happens.

Step 5  action-index map attribute-to-service table parameter-map-name
        Example:
        Switch(config-policy-map)# 10 map attribute-to-service table Aironet-Policy-para
        Purpose: Specifies the parameter map table to be used.

Step 6  end
        Example:
        Switch(config)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Applying a Local Policy for a Device on a WLAN (CLI)

Before You Begin

If the service policy contains any device type-based rules in the parameter map, ensure that the device classifier is already enabled.

Step 1  configure terminal
        Example:
        Switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wlan wlan-name
        Example:
        Switch(config)# wlan wlan1
        Purpose: Enters WLAN configuration mode.

Step 3  service-policy type control subscriber policymapname
        Example:
        Switch(config-wlan)# service-policy type control subscriber Aironet-Policy
        Purpose: Applies the local policy to the WLAN.

Step 4  profiling local http (optional)
        Example:
        Switch(config-wlan)# profiling local http
        Purpose: Enables profiling of devices based only on the HTTP protocol (optional).

Step 5  profiling radius http (optional)
        Example:
        Switch(config-wlan)# profiling radius http
        Purpose: Enables profiling of devices on ISE (optional).

Step 6  no shutdown
        Example:
        Switch(config-wlan)# no shutdown
        Purpose: Specifies not to shut down the WLAN.

Step 7  end
        Example:
        Switch(config)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Local Policies (GUI)

To configure local policies, complete these procedures:
  1. Create a service template.
  2. Create a policy map.
  3. Apply a local policy that you have created to a WLAN.

Creating a Service Template (GUI)

Step 1   Choose Configuration > Security > Local Policies > Service Template to open the Service Template page.
Step 2   Create a new template as follows:
  1. Click New to open the Service Template > New page.
  2. In the Service Template name text box, enter the new service template name.
  3. In the VLAN ID text box, enter the VLAN identifier that has to be associated with the policy. The value ranges from 1 to 4094.
  4. In the Session timeout text box, enter the maximum amount of time, in seconds, after which a client is forced to reauthenticate. The value ranges from 1 to 65535 seconds.
  5. From the Access control list drop-down list, choose the access control list to be mapped to the policy.
  6. From the Ingress QoS drop-down list, choose the ingress QoS policy to be applied.
  7. From the Egress QoS drop-down list, choose the egress QoS policy to be applied.
  8. Click Apply to save the configuration.
Step 3   Edit a service template as follows:
  1. From the Service Template page, click the service template to open the Service Template > Edit page.
  2. In the VLAN ID text box, enter the VLAN identifier that has to be associated with the policy. The value ranges from 1 to 4094.
  3. In the Session timeout text box, enter the maximum amount of time, in seconds, after which a client is forced to reauthenticate. The value ranges from 1 to 65535 seconds.
  4. From the Access control list drop-down list, choose the access control list to be mapped to the policy.
  5. From the Ingress QoS drop-down list, choose the ingress QoS policy to be applied.
  6. From the Egress QoS drop-down list, choose the egress QoS policy to be applied.
  7. Click Apply to save the configuration.
Step 4   Remove a service template as follows:
  1. From the Service Template page, select the service template.
  2. Click Remove.
  3. Click Apply to save the configuration.


Creating a Policy Map (GUI)

Step 1   Choose Configuration > Security > Local Policies > Policy Map to open the Policy Map page.
Step 2   Create a new policy map as follows:
  1. Click New to open the Policy Map > New page.
  2. In the Policy Map name text box, enter the new policy map name.
  3. Click Add to open the Match Criteria area.
  4. From the Device Type drop-down list, choose the device type. The match criteria for the device type can be eq, not-eq, or regex with respect to the device type you are choosing.
  5. From the User Role drop-down list, select the match criteria as eq, not-eq, or regex and enter the user type or user group of the user, for example, student, teacher, and so on.
  6. From the Service Template drop-down list, choose the service template to be mapped to the policy.
  7. Click Add. The match criteria are added to the Match Criteria Lists.
  8. In the Match Criteria Lists area, click Add to add the match criteria to the policy.
  9. Click Apply to save the configuration.
Step 3   Edit a policy map as follows:
  1. In the Policy Map page, select the policy map that you want to edit, and click Edit to open the Policy Map > Edit page.
  2. In the Match Criteria area, choose the device type from the Device Type drop-down list. The match criteria for the device type can be eq, not-eq, or regex with respect to the device type you are choosing.
  3. In the Match Criteria area, choose the user role from the User Role drop-down list. Select the match criteria as eq, not-eq, or regex and enter the user type or user group of the user.
  4. From the Service Template drop-down list, choose the service template to be mapped to the policy.
  5. Click Ok to save the configuration or Cancel to discard the configuration.
  6. Click Add to add more match criteria based on device type, user role, and service template to the policy.
  7. In the Match Criteria Lists area, select the match criteria and click Move to to move the match criteria to the position entered in the row text box.
  8. Select the match criteria and click Move up to move the match criteria up in the list.
  9. Select the match criteria and click Move down to move the match criteria down in the list.
  10. Select the match criteria and click Remove to remove the match criteria from the policy map list.
  11. Click Apply to save the configuration.
Step 4   Remove a policy map as follows:
  1. From the Policy Map page, select the policy map.
  2. Click Remove.
  3. Click Apply to save the configuration.


Applying Local Policies to WLAN (GUI)

Step 1   Choose Configuration > Wireless > WLAN to open the WLANs page.
Step 2   Click the corresponding WLAN profile. The WLANs > Edit page is displayed.
Step 3   Click the Policy-Mapping tab.
Step 4   Check the Device Classification check box to enable classification based on device type.
Step 5   From the Local Subscriber Policy drop-down list, choose the policy that has to be applied for the WLAN.
Step 6   Select Local HTTP Profiling to enable profiling on devices based on HTTP (optional).
Step 7   Select Radius HTTP Profiling to enable profiling on devices based on RADIUS (optional).
Step 8   Click Apply to save the configuration.


Monitoring Local Policies

The following commands can be used to monitor local policies configured on the switch.

Table 1  Monitoring Local Policies Commands

Command                                        Purpose

show access-session
    Displays a summary of access sessions, with the authorization status, method, and domain for each client or MAC address listed.

show access-session cache
    Displays the latest classification for the client.

show device classifier attached detail
    Displays the latest classification for the client based on parameters such as MAC, DHCP, or HTTP.

show access-session mac mac-address details
    Displays the policy mapped, the service template used, and the attributes for the client.

show access-session mac mac-address policy
    Displays the policy mapped, the service template used, and the attributes for the client.

In addition, you can view the Resultant Policy, which displays the following information:
  • The final attributes applied to the session when the session has locally configured attributes.

  • Attributes applied from the server.


Examples: Local Policies Configuration

This example shows how to create a service template:
    Switch(config)# service-template test3
    Switch(config-service-template)# access-group josephacl
    Switch(config-service-template)# vlan 137
    Switch(config-service-template)# absolute-timer 500
    Switch(config-service-template)# service-policy qos input qosingress
    Switch(config-service-template)# end

This example shows how to create a parameter map:
    Switch(config)# parameter-map type subscriber attribute-to-service apple-tsim-param
    Switch(config-parameter-map)# 1 map device-type eq "Apple-Device"
    Switch(config-parameter-map)# 1 service-template test1
    Switch(config-parameter-map)# 2 map device-type eq "Apple-Ipad"
    Switch(config-parameter-map)# 1 service-template test2
    Switch(config-parameter-map)# 3 map device-type eq "Android"
    Switch(config-parameter-map)# 1 service-template test3
    Switch(config-parameter-map)# end

Note

At the end of each configuration command line, enter CTRL Z to execute the command and proceed to the next line.

This example shows how to create an interface template:
    Switch# configure terminal
    Switch(config)# template cisco-phone-template
    Switch(config-template)# switchport mode access
    Switch(config-template)# switchport voice vlan 20
    Switch(config-template)# end

This example shows how to create a parameter map that applies an interface template:
    Switch# configure terminal
    Switch(config)# parameter-map type subscriber attribute-to-service param-wired
    Switch(config-parameter-map-filter)# 10 map device-type regex Cisco-IP-Phone
    Switch(config-parameter-map-filter-submode)# 10 interface-template cisco-phone-template
    Switch(config-parameter-map)# end

This example shows how to create a policy map:
    Switch(config)# policy-map type control subscriber apple-tsim
    Switch(config-policy-map)# event identity-update match-all
    Switch(config-policy-map)# 1 class always do-until-failure
    Switch(config-policy-map)# 1 map attribute-to-service table apple-tsim-param
    Switch(config-policy-map)# end

This example shows how to apply a policy to a device on a WLAN:
    Switch(config)# wlan wlan1
    Switch(config-wlan)# client vlan VLAN0054
    Switch(config-wlan)# profiling local http
    Switch(config-wlan)# service-policy type control subscriber apple-tsim
    Switch(config-wlan)# no shutdown
    Switch(config-wlan)# end
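As an added example (this is not Cisco code and not part of this guide), the following Python script lints an IOS-style running-config fragment for the constructs the procedures above configure. It checks the VLAN and absolute-timer ranges the guide gives for a service template, dangling references between parameter maps, service templates, policy maps and WLANs, the device classifier prerequisite named under "Before You Begin", and trunk ports that still have session monitoring enabled. The sample configuration is constructed for this example from the guide's own CLI examples and deliberately contains mistakes so that every check fires.

```python
"""Lint an IOS-style running-config fragment for the local-policy constructs
this guide configures. Added example, not Cisco code; the value ranges and the
'device classifier' / 'no access-session monitor' rules come from the guide."""

VLAN_RANGE = (1, 4094)     # vlan in a service template (guide: 1 to 4094)
TIMER_RANGE = (1, 65535)   # absolute-timer (guide: 1 to 65535)

# Constructed sample modelled on the guide's CLI examples, with deliberate
# mistakes: bad ranges, dangling references, a monitored trunk uplink, and
# no global 'device classifier' line although device-type rules exist.
SAMPLE_CONFIG = """\
service-template test3
 vlan 137
 absolute-timer 500
service-template bad-template
 vlan 5000
 absolute-timer 70000
parameter-map type subscriber attribute-to-service apple-tsim-param
 1 map device-type eq "Apple-Device"
  1 service-template test3
 2 map device-type eq "Android"
  1 service-template missing-template
policy-map type control subscriber apple-tsim
 event identity-update match-all
  1 class always do-until-failure
   1 map attribute-to-service table apple-tsim-param
policy-map type control subscriber orphan
 event identity-update match-all
  1 class always do-until-failure
   1 map attribute-to-service table no-such-param
wlan wlan1 1 wlan1
 service-policy type control subscriber apple-tsim
interface TenGigabitEthernet1/0/1
 switchport mode trunk
"""


def parse_sections(config):
    # IOS nests by indentation: an unindented line opens a section, indented lines belong to it.
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def lint_local_policies(config):
    """Return a list of findings; an empty list means the fragment is consistent."""
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    svc_templates = {h.split()[1] for h in headers if h.startswith("service-template ")}
    param_maps = {h.split()[-1] for h in headers if h.startswith("parameter-map type subscriber ")}
    policy_maps = {h.split()[-1] for h in headers if h.startswith("policy-map type control subscriber ")}
    classifier_on = "device classifier" in headers  # prerequisite for device-type rules
    findings = []
    for header, children in sections:
        kind, name = header.split()[0], header.split()[-1]
        lines = [c.split() for c in children]
        if kind == "service-template":
            for tok in lines:
                if tok[0] == "vlan" and not VLAN_RANGE[0] <= int(tok[1]) <= VLAN_RANGE[1]:
                    findings.append(f"service-template {name}: vlan {tok[1]} outside 1-4094")
                if tok[0] == "absolute-timer" and not TIMER_RANGE[0] <= int(tok[1]) <= TIMER_RANGE[1]:
                    findings.append(f"service-template {name}: absolute-timer {tok[1]} outside 1-65535")
        elif kind == "parameter-map":
            # "<n> map device-type eq X" rules select a "<n> service-template X".
            if not classifier_on and any(t[1:3] == ["map", "device-type"] for t in lines):
                findings.append(f"parameter-map {name}: device-type rule but 'device classifier' is not enabled")
            for tok in lines:
                if len(tok) > 2 and tok[1] == "service-template" and tok[2] not in svc_templates:
                    findings.append(f"parameter-map {name}: undefined service-template {tok[2]}")
        elif kind == "policy-map":
            for tok in lines:
                if tok[1:4] == ["map", "attribute-to-service", "table"] and tok[-1] not in param_maps:
                    findings.append(f"policy-map {name}: undefined parameter-map {tok[-1]}")
        elif kind == "wlan":
            name = header.split()[1]  # running-config form: wlan <profile> <id> <ssid>
            for tok in lines:
                if tok[:4] == ["service-policy", "type", "control", "subscriber"] and tok[-1] not in policy_maps:
                    findings.append(f"wlan {name}: undefined policy-map {tok[-1]}")
        elif kind == "interface":
            # Guide: session monitoring is on by default; disable it on uplink trunk ports.
            if "switchport mode trunk" in children and "no access-session monitor" not in children:
                findings.append(f"interface {name}: trunk port still has session monitoring enabled")
    return findings
```

Running `lint_local_policies(SAMPLE_CONFIG)` reports six findings; prepending a `device classifier` line removes the classifier finding and leaves five.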

Additional References for Configuring Local Policies

Related Documents

Related Topic: Security commands
Document Title: Security Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Standards and RFCs

Standard/RFC: None

MIBs

MIB: All supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/support

Feature History for Performing Local Policies Configuration

Release: Cisco IOS XE 3E
Feature Information: This feature was introduced.