[WLC] How to restrict Roaming Areas for one or more users


Article ID: KB32110 KB Last Updated: 01 Feb 2018 Version: 1.0
Summary:

A Mobility Profile specifies, on a per-user basis, which WLA access ports and wired authentication ports on a WLC a user is allowed to access. Create a Mobility Profile first, assign the profile to one or more users, then enable the Mobility Profile feature on the WLC. To assign a Mobility Profile to a user or group, specify it as an authorization attribute in one of the following commands:

set user attr mobility-profile <profile-name>
set usergroup attr mobility-profile <profile-name>
set mac-user attr mobility-profile <profile-name>
set mac-user group attr mobility-profile <profile-name>


To enable the use of the Mobility Profile feature on the WLC switch, use the following command:

set mobility-profile mode <enable | disable>

 

Solution:

The following commands create the Mobility Profile mangol, which restricts user access to ports 1-2, enable the Mobility Profile feature on the WLC switch, and assign the mangol Mobility Profile to user test.

set service-profile d3y ssid-name d3y
set service-profile d3y rsn-ie cipher-ccmp enable
set service-profile d3y rsn-ie enable
set authentication dot1x ssid d3y ** peap-mschapv2 local
set user test password encrypted 0010161510
set user test attr mobility-profile mangol
set user test attr ssid d3y
set user test attr vlan-name default
set user test1 password encrypted 010703174f5a
set user test1 attr ssid d3y
set user test1 attr vlan-name default
set mobility-profile mode enable
set mobility-profile name mangol port 1,2 ap 9997
set ap auto mode enable
set ap 9996 serial-id 1172200220 model MP-422B
set ap 9996 radio 1 mode enable
set ap 9996 radio 2 mode enable
set ap 9997 serial-id jb0211511903 model WLA532-US
set ap 9997 radio 1 mode enable
set ap 9997 radio 2 mode enable
set ap 9998 serial-id 1172200226 model MP-422B
set ap 9998 radio 1 mode enable
set ap 9998 radio 2 mode enable
set ap 9999 serial-id 1172601145 model MP-422B
set ap 9999 radio 1 mode enable
set ap 9999 radio 2 mode enable
set vlan 1 port 1
set vlan 1 port 2
set interface 1 ip 10.9.221.240 255.255.255.0
 
In the example above, the Mobility Profile named mangol was created and mapped to SSID name d3y.
Two users were created: test and test1.
User test is mapped to Mobility Profile mangol.
As per the Mobility Profile configuration, connecting to SSID d3y through AP 9997 with UID test1 should work.
When tested, it worked as expected.
PRAD# sh mobility-profile
Mobility Profiles
Name                Ports
=========================
mangol
                    1
                    2
                 AP 9997
PRAD#
Show sessions
PRAD# sh sess
 
1 sessions total
 
User Name             SessID  Type  Address              VLAN              AP/Rdo
--------------------- ------  ----- -------------------- --------------    -------
test                      60* dot1x 10.9.221.224,V6      default             9997/2
Dis


Then disable AP 9997 and:

  • SSID d3y should not work with UID test.
  • The same SSID should work with UID test1.

Results with UID test
PRAD# sh sess
 
0 of 0 sessions matched
PRAD# sh sess
 
0 of 0 sessions matched
 
 
Results with UID test1
PRAD# sh sess
 
1 sessions total
 
User Name             SessID  Type  Address              VLAN              AP/Rdo
--------------------- ------  ----- -------------------- --------------    -------
test1                     79* dot1x 10.9.221.224,V6      default           9998/2
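
The following Python script is an added example, not part of the original article or any Juniper tool. It parses `set` lines like those above and reports which local users are restricted by a Mobility Profile, which can roam through every configured AP, and which reference a profile that is not defined. The function names and report format are assumptions, as is treating the attribute as unenforced when the mode is not enabled.

```python
# Added example: audit Mobility Profile assignments in a WLC configuration.
# SAMPLE_CONFIG is constructed from a subset of the article's 'set' lines.
SAMPLE_CONFIG = """\
set user test attr mobility-profile mangol
set user test attr ssid d3y
set user test1 attr ssid d3y
set mobility-profile mode enable
set mobility-profile name mangol port 1,2 ap 9997
set ap auto mode enable
set ap 9996 serial-id 1172200220 model MP-422B
set ap 9997 serial-id jb0211511903 model WLA532-US
"""

def parse_config(text):
    """Collect users, Mobility Profiles, APs and the feature mode."""
    cfg = {"enabled": False, "profiles": {}, "users": {}, "aps": set()}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["set", "user"] and len(t) > 2:
            cfg["users"].setdefault(t[2], None)
            if t[3:5] == ["attr", "mobility-profile"] and len(t) > 5:
                cfg["users"][t[2]] = t[5]
        elif t[:3] == ["set", "mobility-profile", "mode"] and len(t) > 3:
            cfg["enabled"] = t[3].lower() == "enable"
        elif t[:3] == ["set", "mobility-profile", "name"] and len(t) > 3:
            args = t[4:]
            def values(key):
                # Comma-separated lists only, as in the article ("port 1,2").
                return set(args[args.index(key) + 1].split(",")) if key in args[:-1] else set()
            cfg["profiles"][t[3]] = {"ports": values("port"), "aps": values("ap")}
        elif t[:2] == ["set", "ap"] and len(t) > 2 and t[2].isdigit():
            cfg["aps"].add(t[2])  # skips "set ap auto ..."
    return cfg

def audit(cfg):
    """Map each user to (status, APs the user may associate through)."""
    report = {}
    for user, profile in cfg["users"].items():
        if not cfg["enabled"] or profile is None:
            report[user] = ("unrestricted", sorted(cfg["aps"]))
        elif profile not in cfg["profiles"]:
            # The article does not describe this case; flag it for review.
            report[user] = ("undefined-profile", None)
        else:
            allowed = cfg["profiles"][profile]["aps"] & cfg["aps"]
            report[user] = ("restricted", sorted(allowed))
    return report

if __name__ == "__main__":
    for user, (status, aps) in audit(parse_config(SAMPLE_CONFIG)).items():
        print(f"{user:8} {status:18} {aps}")
```

Users reported as unrestricted, such as test1 here, are the ones to review when the intent is to confine roaming to specific APs.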

 
