
Configuring ACL-based Login Control for the VTY User Interface of APs

Context

You can use an ACL to restrict login permissions on the VTY user interface. Before configuring the restriction, run the acl command in the system view to create an ACL and enter the ACL view, and then run the rule command to add rules to the ACL.

The user interface supports basic ACLs (2000-2999) and advanced ACLs (3000-3999).

ACL rule:
  • When permit is used in the ACL rule:
    • If the ACL is applied in the inbound direction, other devices that match the ACL rule can access the local device.
    • If the ACL is applied in the outbound direction, the local device can access other devices that match the ACL rule.
  • When deny is used in the ACL rule:
    • If the ACL is applied in the inbound direction, other devices that match the ACL rule cannot access the local device.
    • If the ACL is applied in the outbound direction, the local device cannot access other devices that match the ACL rule.
  • When the ACL rule is configured but packets from other devices do not match the rule:
    • If the ACL is applied in the inbound direction, other devices cannot access the local device.
    • If the ACL is applied in the outbound direction, the local device cannot access other devices.
  • When the ACL contains no rule:
    • If the ACL is applied in the inbound direction, any other devices can access the local device.
    • If the ACL is applied in the outbound direction, the local device can access any other devices.

For details on how to configure the ACL, see "ACL Configuration" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.
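The four outcomes listed above can be checked before an ACL is bound to the VTY interface. The following Python model is an added example, not Huawei code: it evaluates a constructed rule list against a set of peer addresses and shows that an ACL with no rule leaves login unrestricted, while an ACL with rules blocks every peer that matches none of them. It assumes rules are evaluated in ascending rule ID with the first match deciding and that addresses are matched with wildcard masks; the rule dictionaries and the function names are hypothetical.

```python
import ipaddress

def rule_matches(rule, peer_ip):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    base = int(ipaddress.IPv4Address(rule["address"]))
    wildcard = int(ipaddress.IPv4Address(rule["wildcard"]))
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(peer_ip)) & care) == (base & care)

def vty_allows(rules, peer_ip):
    """Return True if a VTY session with peer_ip is allowed by the ACL.

    peer_ip is the address of the other device; the outcome table is the
    same for the inbound and outbound directions.
    """
    if not rules:
        return True   # ACL contains no rule: access is not restricted
    # Assumption: rules are checked in ascending rule ID, first match wins.
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, peer_ip):
            return rule["action"] == "permit"
    return False      # rules exist but none matched: access is blocked

def audit(rules, peers):
    """Map each peer address to True (allowed) or False (blocked)."""
    return {ip: vty_allows(rules, ip) for ip in peers}

# Constructed sample data: a management subnet with one excluded host.
MGMT_ACL = [
    {"id": 5, "action": "deny", "address": "10.1.1.66", "wildcard": "0.0.0.0"},
    {"id": 10, "action": "permit", "address": "10.1.1.0", "wildcard": "0.0.0.255"},
]
PEERS = ["10.1.1.20", "10.1.1.66", "192.168.5.9"]

if __name__ == "__main__":
    for name, acl in (("ACL with rules", MGMT_ACL), ("ACL with no rule", [])):
        print(name)
        for ip, allowed in audit(acl, PEERS).items():
            print(f"  {ip:<14} {'allowed' if allowed else 'blocked'}")
```

Running the audit against an empty rule list before deployment catches the case where an ACL was created and referenced but never populated.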

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run ap-system-profile name profile-name

    An AP system profile is created, and the AP system profile view is displayed.

    By default, the system provides the AP system profile default.

  4. Run user-interface vty ui-number acl acl-number { inbound | outbound }

    ACL restrictions on VTY login permissions are configured.

    By default, login rights are not restricted.

    • To restrict users at a specified address or address segment from logging in to the device, use the inbound parameter.
    • To restrict users who have logged in to a device from logging in to other devices, use the outbound parameter.

  5. Run quit

    Return to the WLAN view.

  6. Bind an AP system profile to an AP group or AP.

    • Binding an AP system profile to an AP group.
      1. Run the ap-group name group-name command to enter the AP group view.
      2. Run the ap-system-profile profile-name command to bind the AP system profile to the AP group.

        By default, the AP system profile default is bound to an AP group.

    • Binding an AP system profile to an AP.
      1. Run the ap-id ap-id, ap-mac ap-mac, or ap-name ap-name command to enter the AP view.
      2. Run the ap-system-profile profile-name command to bind the AP system profile to the AP.

        By default, no AP system profile is bound to an AP.

Copyright © Huawei Technologies Co., Ltd.