
WxLAN Access Policies

SUMMARY Create WxLAN access control policies to specify who can and can't access resources on your network. After you add these policies to your site or WLAN template, users who connect through the specified WLANs are subject to these rules. Read this topic to learn about the requirements and options so that you can create WxLAN access policies for your use cases.

Introduction

Use access policies for a variety of use cases:

  • Network segmentation
  • Role based policies
  • Micro-segmentation
  • Least privilege

To get started with policies, you'll first create labels to group and identify users and resources. When you create a policy, you'll match users to the resources that they can or cannot access. The following example shows how easy it is to set up your rules. As shown here, you define users on the left and the resources on the right. Color coding shows which resources are blocked (red) or allowed (green).

Figure 1: Example WxLAN Access Policy

Watch this video to explore a simple use case. Here, the policy allows a user to access the Internet, a printer, and a television on the network, but no other resources.

Welcome to the Mist WxLAN demo. This is about user-centric access control. Mist is about connecting devices and users to things and the Internet. In this case we'll show you my MacBook Air, which has a default route of 10.2 1.1 on a network with printers and Apple TV type devices. So here's my MacBook Air. You can see on the left I'm pinging the default gateway, and I'm also pinging the Internet via Google. Create a label. The label is going to be called "the Internet", and what I'm going to do is define it as not our corporate network and not our guest network. So there's the corporate, there's the guest, and there we have a label.

Now the policy. I'm going to add a new rule and say this rule applies to guest users; in this case that's just me, but it could be a group of users. Let's see what the network has already found. It's found a couple of printers, so I'm going to get access to this HP printer. I'm going to get access to this Apple TV wannabe device, and I'm also going to get access to, you see down there, the label for the Internet. I'm going to click "then not". So you'll see, as this rule is applied immediately, I do not have access to my default gateway, as it's on my network, but I can see the Internet. If we disable it, I go back to having full access, so let's re-enable it, and this is our guest configuration.

Site-Level and Organization-Level Policies

When you create an access policy in your WLAN template, it applies only to the WLANs specified in that template. Any user who connects through one of these WLANs is first evaluated against the policies in the template. If the user does not satisfy any of those rules, the user is then evaluated against the site-level policies.

  • Organization-level policies (in a WLAN template)—Select Organization > Wireless | WLAN Templates, and then select the template that you want to add the policy to. Scroll down to the Policy section.

  • Site-level policies—Select Site > Wireless | Policy to open the Policy page.

Labels

You'll create labels to categorize users, groups of users, resources, and groups of resources. You can create labels at the site level or the organization level. Then you'll refer to these labels in your policies.

For help, see Labels and Using Labels in a WxLAN Policy.

How Policy Rules Are Processed

  • The sets of rules in a policy are read from top to bottom.
  • Each rule in a set of rules is read from left to right.
  • When a policy is applied, every connecting user is evaluated starting from the first rule, regardless of whether that client satisfies all of the rule's user labels.
  • Evaluation continues top to bottom until it finds a rule whose user labels are all satisfied by that user.
  • That rule then determines which resources are allowed or blocked for this type of user.
  • For each rule, the operator is set to Allow, but each individual resource can be either allowed or denied.
  • At the bottom of a site-level policy there is a final default row that applies to all users and all resources. It can be set to either block or allow. Any user who does not match any of the policy rules falls under this row, and all resources are either allowed or blocked for that user according to the selected operation.
  • If a rule consists only of allowed resources, then only those resources are allowed for the user and everything else is denied.
  • If a rule consists only of denied resources, then only those resources are denied for the user and everything else is allowed.
  • If a rule consists of some allowed and some denied resources, then only the allowed resources are allowed and everything else is denied.
  • Resources on the right side are displayed alphabetically, and when resources overlap, the most specific one is applied. If multiple labels are created for the same host and applied as resources in the same rule, use the IP/port/protocol label type.
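The following Python model, added here for illustration and not Mist's own implementation, walks through the evaluation order described in this section and in Site-Level and Organization-Level Policies: template rules before site rules, first match on user labels wins, allow/deny semantics per rule, and the site default row as the fallback. Label and resource names are constructed, and the "most specific overlapping resource" behaviour is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    user_labels: set                      # all must match the connecting user
    allow: set = field(default_factory=set)
    block: set = field(default_factory=set)


def resource_verdict(rule, resource):
    """Apply the allow/deny semantics of one matched rule to a resource."""
    if rule.allow:
        # Any allowed resource in the rule means everything else is denied
        # (covers both allow-only and mixed allow/deny rules).
        return resource in rule.allow
    # Deny-only rule: everything except the denied resources is allowed.
    return resource not in rule.block


def evaluate(template_rules, site_rules, site_default, user_labels, resource):
    """Return True if the user may reach the resource.

    Template (organization-level) rules are read first, then site rules,
    top to bottom; the first rule whose user labels are all satisfied decides.
    A user who matches no rule falls through to the site default row."""
    for rule in template_rules + site_rules:
        if rule.user_labels <= user_labels:
            return resource_verdict(rule, resource)
    return site_default


# Constructed sample policy mirroring the video: guests get the printer,
# the Apple TV and the Internet, and nothing else on the LAN.
TEMPLATE = []  # no template-level rules in this example
SITE = [
    Rule({"guest"}, allow={"hp-printer", "apple-tv", "internet"}),
    Rule({"employee", "finance"}, block={"lab-servers"}),   # deny-only rule
    Rule({"employee"}, allow={"corp-apps"}, block={"guest-net"}),  # mixed rule
]
SITE_DEFAULT = False  # final default row: block all users / all resources

if __name__ == "__main__":
    checks = [({"guest"}, "internet"), ({"guest"}, "default-gateway"),
              ({"employee", "finance"}, "lab-servers"),
              ({"employee", "finance"}, "corp-apps"),
              ({"employee"}, "file-share"), ({"contractor"}, "internet")]
    for labels, res in checks:
        ok = evaluate(TEMPLATE, SITE, SITE_DEFAULT, labels, res)
        print(sorted(labels), res, "allowed" if ok else "blocked")
```

Note that a finance employee carries both the employee and finance labels, so the order of the two employee rules determines which one is applied.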

Create a User Access Policy

Before you begin: If you don't already have user and resource labels for the organization, you need to create them. For more information, see Create Labels for a WLAN Access Policy.

To create a WLAN access policy:

  1. Navigate to the site-level or template-level policies:
    • Organization-level policies (in a WLAN template)—Select Organization > Wireless | WLAN Templates, and then select the template that you want to add the policy to. Scroll down to the Policy section.

    • Site-level policies—Select Site > Wireless | Policy to open the Policy page.

  2. Click Add Rule to expose the rule line.
  3. Click the add icon (+) in the User column and select a user label from the list that appears.
  4. In the Policy column, click the check mark icon, and then select the action you want to enforce: Allow or Block.
  5. Click the add icon (+) in the Resources column and select one or more predefined applications from the list. You can also define a new resource if you prefer, and these will appear at the top of the list.

    In this example, you see a policy with multiple rules and rules with multiple resources.

  6. When finished creating and ordering the policy, click Save at the top of the screen.