Overview

Every client is associated with a user role. User roles associate a set of attributes for authenticated clients (clients with authentication configuration) and unauthenticated clients, applied to each user session. User roles must be enabled globally.

Examples of user roles are:

• Employee = All access

• Contractor = Limited access to resources. Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions.

• Guest = Browse Internet

. There are a maximum of 512 administratively configurable local user roles available with one predefined and read-only user role called denyall.

A user role consists of optional parameters such as:

• Ingress user policy

  L3 (IPv4 and/or IPv6) ordered list of classes with actions, with an implicit deny all for IPv4 and IPv6.

• captive-portal-profile

  Assigns a captive portal profile for this role.

• logoff-period

  The inactivity period in seconds with either 0 or 60-9999999 for the authenticated client for an implicit logoff.

• policy

  Sets a user policy for the role.

• reauth-period

  Sets the reauthentication period in seconds or 0 to disable.

• cached-reauth-period

  Specifies the time in seconds when cached reauthentication is allowed on the port.

• tunneled-node-server

  Configures traffic redirect to user-based tunnel.

• vlan-id

  Sets the untagged VLAN ID.

• vlan-id-tagged

  Sets the tagged VLAN ID.

• vlan-name

  Sets the untagged VLAN name.

• vlan-name-tagged

  Sets the tagged VLAN name.

Operational notes

• When the user roles are enabled, the user role is applied for all the users connected to ports where authentication is configured. User role application happens even if the user fails to authenticate. If the user cannot be authenticated, the "Initial Role" will be applied to that user.

• The user role may be applied in one of two ways:

  • Vendor-Specific Attribute (VSA)

    Type: RADIUS: Hewlett-Packard-Enterprise

    Name: HPE-User-Role

    ID: 25

    Value: <myUserRole>

    The RADIUS server (ClearPass Policy Manager) determines application of the VSA Derived Role. The role is sent to the switch through a RADIUS VSA. The VSA Derived Role will have the same precedence order as the authentication type (802.1x, WMA).

  • User Derived Role (UDR)

    The User Derived Role is a part of Local MAC authentication (LMA) and is applied when the user roles are enabled and LMA is configured.

    UDR will have the same precedence as LMA. Precedence behavior of the authentication types will be maintained, (802.1x -> LMA -> WMA (highest to lowest)).

Restrictions

• User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.

• Web-based authentication is not supported on the same port with other authentication methods when user roles are enabled.

• show port-access <AUTH-TYPE> commands are not supported when user-roles are enabled. The command show port-access clients [detail] is the only way to see authenticated clients with their associated roles.

• aaa port-access auth <port> control commands are not supported when user roles are enabled.

• unauth-vid commands are not supported when user roles are enabled.

• auth-vid commands are not supported when user roles are enabled.

• If the local configuration exceeds 32 user roles entries, the firmware downgrade to lower version is not allowed.

Limitations for web-based authentication

Cannot be combined with other authentication types on same port.

Limitations for LMA

Reauthentication period and captive portal profile are not supported.

Error messages