A Mobility Profile specifies, on a per-user basis, which WLA access ports and wired authentication ports on a WLC a user is allowed to access. Create a Mobility Profile first, assign the profile to one or more users, then enable the Mobility Profile feature on the WLC. To assign a Mobility Profile to a user or group, specify it as an authorization attribute in one of the following commands:
set user attr mobility-profile <profile-name>
set usergroup attr mobility-profile <profile-name>
set mac-user attr mobility-profile <profile-name>
set mac-user group attr mobility-profile <profile-name>
To enable the use of the Mobility Profile feature on the WLC switch, use the following command:
set mobility-profile mode <enable | disable>
The following commands create the Mobility Profile mangol, which restricts user access to ports 1-2, enable the Mobility Profile feature on the WLC switch, and assign the mangol Mobility Profile to user test.
set service-profile d3y ssid-name d3y
set service-profile d3y rsn-ie cipher-ccmp enable
set service-profile d3y rsn-ie enable
set authentication dot1x ssid d3y ** peap-mschapv2 local
set user test password encrypted 0010161510
set user test attr mobility-profile mangol
set user test attr ssid d3y
set user test attr vlan-name default
set user test1 password encrypted 010703174f5a
set user test1 attr ssid d3y
set user test1 attr vlan-name default
set mobility-profile mode enable
set mobility-profile name mangol port 1,2 ap 9997
set ap auto mode enable
set ap 9996 serial-id 1172200220 model MP-422B
set ap 9996 radio 1 mode enable
set ap 9996 radio 2 mode enable
set ap 9997 serial-id jb0211511903 model WLA532-US
set ap 9997 radio 1 mode enable
set ap 9997 radio 2 mode enable
set ap 9998 serial-id 1172200226 model MP-422B
set ap 9998 radio 1 mode enable
set ap 9998 radio 2 mode enable
set ap 9999 serial-id 1172601145 model MP-422B
set ap 9999 radio 1 mode enable
set ap 9999 radio 2 mode enable
set vlan 1 port 1
set vlan 1 port 2
set interface 1 ip 10.9.221.240 255.255.255.0
In the example above, the mobility-profile named mangol was created and mapped to SSID name d3y. Two users were created: test and test1. User test is mapped to mobility-profile mangol.
As per the mobility-profile configuration, connecting to SSID d3y using AP 9997 and UID test1 should work. When tested, it worked as expected.
PRAD# sh mobility-profile
Mobility Profiles
Name                Ports
=========================
mangol              1
                    2
                    AP 9997
PRAD#
Show sessions
PRAD# sh sess
1 sessions total
User Name             SessID Type  Address              VLAN           AP/Rdo
--------------------- ------ ----- -------------------- -------------- -------
test                     60* dot1x 10.9.221.224,V6      default        9997/2
Then disable AP 9997 and:
- SSID d3y should not work with UID test.
- The same SSID should work with UID test1.
Results with UID test:
PRAD# sh sess
0 of 0 sessions matched
PRAD# sh sess
0 of 0 sessions matched
Results with UID test1:
PRAD# sh sess
1 sessions total
User Name             SessID Type  Address              VLAN           AP/Rdo
--------------------- ------ ----- -------------------- -------------- -------
test1                    79* dot1x 10.9.221.224,V6      default        9998/2
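The test above shows that a user without a mobility-profile attribute (test1) is not limited to the profile's ports and APs. The following Python script is an added example, not part of the original article or of any vendor tooling: it audits a saved WLC configuration for users with no profile, profile names that are assigned but never created, and assignments made while the feature is disabled. It parses only the command forms shown in this article; the function name audit and the finding labels are assumptions.

```python
import re

# Constructed sample: a subset of the configuration lines shown in this article.
SAMPLE_CONFIG = """\
set user test attr mobility-profile mangol
set user test attr ssid d3y
set user test1 attr ssid d3y
set mobility-profile mode enable
set mobility-profile name mangol port 1,2 ap 9997
"""

ENTITY_RE = re.compile(r"^set (user|usergroup|mac-user) (\S+) (.+)$")
PROFILE_RE = re.compile(r"^set mobility-profile name (\S+)((?: (?:port|ap) \S+)+)$")
MODE_RE = re.compile(r"^set mobility-profile mode (enable|disable)$")


def audit(config):
    """Return (profiles, findings) for a WLC configuration dump."""
    enabled, profiles, assigned, entities = False, {}, {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := MODE_RE.match(line):
            enabled = m.group(1) == "enable"
        elif m := PROFILE_RE.match(line):
            # "port 1,2 ap 9997" -> {"port": ["1", "2"], "ap": ["9997"]}
            scope = profiles.setdefault(m.group(1), {"port": [], "ap": []})
            words = m.group(2).split()
            for kind, values in zip(words[::2], words[1::2]):
                scope[kind] += values.split(",")
        elif m := ENTITY_RE.match(line):
            who = (m.group(1), m.group(2))
            if who not in entities:
                entities.append(who)
            rest = m.group(3).split()
            if len(rest) == 3 and rest[:2] == ["attr", "mobility-profile"]:
                assigned[who] = rest[2]
    findings = []
    if assigned and not enabled:
        findings.append(("mode-disabled", "", ""))        # profiles assigned, feature off
    for who in entities:
        if who not in assigned:
            findings.append(("no-profile", *who))         # not limited to any port or AP
        elif assigned[who] not in profiles:
            findings.append(("undefined-profile", *who))  # assigned name never created
    return profiles, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print(finding)
```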