WxLAN Policy

 

WxLAN policies define a list of rules, restrictions, and other settings that can be applied to devices in order to change how they are treated by the network.

Configuring policy has been simplified on the Mist dashboard. Let’s look at the steps:

1. The first step is to create labels. Labels can be created for both the Users and the Resources to which you want to apply policy. To do this, click ‘Network’ on the left-hand navigation bar, then select ‘Labels.’

 

2. Here you have the option to either select an existing label or add a new label by clicking on the “Add Label” button on the far top right of the page.

 

3. Once you have selected an existing label or clicked on the “Add Label” button, you are taken to the Labels page, where you can name the label, choose a label type and set label values.

As mentioned earlier, labels can be set for both Users and Resources. User labels typically use the following label types: AAA attribute, WiFi Client, WLAN, and Access Point. Resource labels typically use the following label types: IP Address, Hostname or application.

4. Once you have selected your criteria for the label, click on “Create” to create the label.

You can also define a label for IP/Protocol/Port. In this label entry, you can enter the specific IP addresses of your client, the Protocol (ICMP, TCP, UDP, Other), and the port or range of ports being used. WxLAN can use this to filter out clients matching the combination of IP/Protocol/Port defined by your label.

5. Labels can also be tagged to clients. To do this, click ‘Clients’ in the left-hand navigation, then ‘WiFi Clients’, and click on the client. Then click on “+” under Labels to add labels to that client. Click on “Save” to save the setting.

 

6. To create a Network policy, navigate to ‘Network’ in the left-hand navigation, then ‘Policy’ to open the WxLAN page.

 

7. Here you can add a rule (policy) by clicking on the “Add Rule” tab.

 

8. You can add the labels you have created earlier under the Users and Resources sections by clicking on “+” under each of the sections.

 

9. The Resource labels can be set to either allowed or denied by clicking on the appropriate label.

 

10. Click on “Save” to save the setting.

 

Note: The policy engine goes through the policies in sequence and applies the policy that exactly matches the client.

Common issues:

1) ALL labels on the left side of policy must match for the rule to be considered.

2) The first rule (moving down sequentially) that matches will execute. The others won’t be considered.
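Both points can be checked offline with a small model of first-match evaluation, which also flags rules that can never execute because an earlier rule always matches first. This is an added example, not Mist code. The label strings, rule names and the way resources are looked up are assumptions, and because this page does not say what happens when no rule matches, the model returns `None` in that case.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    user_labels: frozenset  # left side of the rule: ALL must be present on the client
    resources: dict = field(default_factory=dict)  # resource label -> "allow" or "deny"

def first_match(rules, client_labels):
    """Return the first rule, top to bottom, whose user labels are all on the client."""
    for rule in rules:
        if rule.user_labels <= client_labels:
            return rule
    return None  # no rule matched; the page does not describe this case

def decide(rules, client_labels, resource_label):
    """Action the executing rule gives for a resource label (None if it lists none)."""
    rule = first_match(rules, client_labels)
    if rule is None:
        return None
    # Assumption: only the executing rule's resource list is consulted.
    return rule.resources.get(resource_label)

def shadowed_rules(rules):
    """Pairs (earlier, later) where any client matching `later` already matches `earlier`."""
    pairs = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.user_labels <= later.user_labels:
                pairs.append((earlier.name, later.name))
                break
    return pairs

# Constructed sample policy; every label and rule name here is hypothetical.
POLICY = [
    Rule("guest-web", frozenset({"wlan:guest"}),
         {"app:web": "allow", "ip:10.0.0.0/8": "deny"}),
    Rule("guest-contractor", frozenset({"wlan:guest", "aaa:contractor"}),
         {"ip:10.0.0.0/8": "allow"}),
    Rule("corp-printers", frozenset({"wlan:corp", "ap:floor-2"}),
         {"host:printer.example": "allow"}),
]

if __name__ == "__main__":
    contractor = frozenset({"wlan:guest", "aaa:contractor"})
    print(first_match(POLICY, contractor).name)
    print(decide(POLICY, contractor, "ip:10.0.0.0/8"))
    print(shadowed_rules(POLICY))
```

In this model the more specific contractor rule never executes because the broader guest rule sits above it; moving the specific rule up clears the shadowing report.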

Attached below is a list of scenarios and how the Mist policy engine processes them.

WxLAN_PolicyScenarios PDF