[WLC] How to restrict Roaming Areas for one or more users

A Mobility Profile is a way of specifying, on a per-user basis, those who are allowed access to specified WLA access ports and wired authentication ports on a WLC. Create a Mobility Profile first, assign the profile to one or more users, then enable the Mobility Profile feature on the WLC. To assign a Mobility Profile to a user or group, specify it as an authorization attribute in one of the following commands:

set user attr mobility-profile <profile-name>

set usergroup attr mobility-profile <profile-name>

set mac-user attr mobility-profile <profile-name>

set mac-user group attr mobility-profile <profile-name>

To enable the use of the Mobility Profile feature on the WLC switch, use the following command:

set mobility-profile mode <enable / Disable>

The following commands create the Mobility Profile mangol, which restricts user access to port 1-2, enable the Mobility Profile feature on the WLC switch, and assign the mangol Mobility Profile to user test.

set service-profile d3y ssid-name d3y
set service-profile d3y rsn-ie cipher-ccmp enable
set service-profile d3y rsn-ie enable
set authentication dot1x ssid d3y ** peap-mschapv2 local
set user test password encrypted 0010161510
set user test attr mobility-profile mangol
set user test attr ssid d3y
set user test attr vlan-name default
set user test1 password encrypted 010703174f5a
set user test1 attr ssid d3y
set user test1 attr vlan-name default
set mobility-profile mode enable
set mobility-profile name mangol port 1,2 ap 9997
set ap auto mode enable
set ap 9996 serial-id 1172200220 model MP-422B
set ap 9996 radio 1 mode enable
set ap 9996 radio 2 mode enable
set ap 9997 serial-id jb0211511903 model WLA532-US
set ap 9997 radio 1 mode enable
set ap 9997 radio 2 mode enable
set ap 9998 serial-id 1172200226 model MP-422B
set ap 9998 radio 1 mode enable
set ap 9998 radio 2 mode enable
set ap 9999 serial-id 1172601145 model MP-422B
set ap 9999 radio 1 mode enable
set ap 9999 radio 2 mode enable
set vlan 1 port 1
set vlan 1 port 2
set interface 1 ip 10.9.221.240 255.255.255.0

In the example above, the mobility-profile named mangol was created and mapped to SSID name d3y.
Two users were created: test and test1.
User test is mapped to mobility-profile mongol.
As per mobility-profile configuration SSID d3y when trying to connect using AP9997 and UID, test1 should work.
When tested for output it worked as expected.

PRAD# sh mobility-profile
Mobility Profiles
Name                Ports
=========================
mangol
                    1
                    2
                 AP 9997
PRAD#
Show sessions
PRAD# sh sess
 
1 sessions total
 
User Name             SessID  Type  Address              VLAN              AP/Rdo
--------------------- ------  ----- -------------------- --------------    -------
test                      60* dot1x 10.9.221.224,V6      default             9997/2
Dis

Then disable AP 9997 and:

SSID d3y should not work with UID test.
The same SSID should work with UID test1.

Results with UID Test

PRAD# sh sess
 
0 of 0 sessions matched
PRAD# sh sess
 
0 of 0 sessions matched
 
 
Results with UID Test1
PRAD# sh sess
 
1 sessions total
 
User Name             SessID  Type  Address              VLAN              AP/Rdo
--------------------- ------  ----- -------------------- --------------    -------
test1                     79* dot1x 10.9.221.224,V6      default           9998/2

Knowledge Base