Local user roles |
Overview
Every client is associated with a user role. User roles associate a set of attributes for authenticated clients (clients with authentication configuration) and unauthenticated clients, applied to each user session. User roles must be enabled globally.
NOTE: Local user roles are supported on the following platforms:
| |
Examples of user roles are:
Employee = All access
Contractor = Limited access to resources
Guest = Browse Internet
Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions. There are a maximum of 32 administratively configurable user roles available with one predefined and read-only user role called denyall.
A user role consists of optional parameters such as:
Captive portal profile
Specifies the URL via:
captive-portal profile
, or
Vendor Specific Attribute (VSA). RADIUS: HP HP-Captive-Portal-URL = <http://...>
Ingress user policy
L3 (IPv4 and/or IPv6) ordered list of Classes with actions, with an implicit deny all for IPv4 and IPv6.
Reauthentication period
The time that the session is valid for. The default is 0 unless the user role is overridden. The default means that the reauthentication is disabled.
NOTE: Reauthentication period is required to override the default of 0.
Untagged VLAN (either VLAN ID or VLAN-name)
VLAN precedence order behavior:
If configured, untagged VLAN specified in the user role (VSA Derived Role, UDR, or Initial Role).
Statically configured untagged and/or tagged VLANs of the port the user is on.
Operational notes
When user roles are enabled, all users that are connecting on ports where authentication is configured will have a user role applied. User role application happens even if the user fails to authenticate. If the user cannot be authenticated, the “Initial Role” will be applied to that user.
The user role may be applied in one of two ways:
Vendor Specific Attribute (VSA)
Type: RADIUS: Hewlett-Packard-Enterprise
Name: HPE-User-Role
ID: 25
Value: <myUserRole>
The RADIUS server (ClearPass Policy Manager) determines application of the VSA Derived Role. The role is sent to the switch via a RADIUS VSA. The VSA Derived Role will have the same precedence order as the authentication type (802.1x, WMA).
User Derived Role (UDR)
The User Derived Role is part of Local MAC authentication (LMA) and is applied when user roles are enabled and LMA is configured.
UDR will have the same precedence as LMA. Precedence behavior of the authentication types will be maintained, (802.1x -> LMA -> WMA (highest to lowest)).
Restrictions
User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.
Web-based authentication is not supported on the same port with other authentication methods when user roles are enabled.
show port-access
commands are not supported when user-roles are enabled. The command<AUTH-TYPE>
show port-access clients [detail]
is the only way to see authenticated clients with their associated roles.aaa port-access auth <port> control
commands are not supported when user roles are enabled.unauth-vid
commands are not supported when user roles are enabled.auth-vid
commands are not supported when user roles are enabled.
Limitations for web-based authentication
Cannot be combined with other authentication types on same port.
Limitations for LMA
Reauthentication period and captive portal profile are not supported.
Error messages
Action | Error message |
---|---|
Attempting to enable BYOD Redirect when user roles are enabled. |
BYOD redirect cannot be enabled when user roles are enabled. |
Attempting to enable MAFR when user roles are enabled. |
MAC authentication failure redirect cannot be enabled when user roles are enabled. |
Attempting to enable enhanced web-based authentication when user roles are enabled. |
Enhanced web-based authentication cannot be enabled when user roles are enabled. |
Attempting to enable web-based authentication when other authentication types are enabled for the same port, and user roles are enabled. |
Web-based authentication cannot be enabled with other authentication types on this port when user roles are enabled. |
Switch (config)# show port-access mac-based clients |
User roles are enabled. Use |
Switch (config)# aaa port-access authenticator e8 control autho |
802.1x control mode, Force Authorized/Unauthorized, cannot be set when user roles are enabled. |
Attempting to enable local user role when MAFR, BYOD, or EWA are enabled. |
User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled. |
Applicable Products
Aruba 2530 Switch Series |
JL070A, J9772A, J9773A, J9774A, J9775A, J9776A, J9777A, J9778A, J9779A, J9780A, J9781A, J9782A, J9783A, J9853A, J9854A, J9855A, J9856A |
Aruba 2620 Switch Series |
J9624A, J9625A, J9623A, J9627A, J9626A, |
Aruba 2920 Switch Series |
J9726A, J9727A, J9728A, J9729A, J9836A |
Aruba 2930F Switch Series |
JL253A, JL254A, JL255A, JL256A, JL259A, JL260A, JL261A, JL262A, JL263A, JL263A, JL264A |
Aruba 3800 Switch Series |
J9573A, J9574A, J9575A, J9576A, J9584A, |
Aruba 3810M Switch Series |
JL075A, JL071A, JL073A, JL076A, JL072A, JL074A |
Aruba 5406R Switch |
J9850A, JL002A, JL003A, JL095A, J9821A, J9850A |
Aruba 5412R Switch |
JL001A, J9822A, J9851A |
HPE 3500 Switch Series |
J9470A, J9471A, J8692A, J9310A, J9472A, J9473A, J8693A, J9311A |
HPE 5406 v2zl Switch Series |
J9866A, J8697AX, J9642A, J9533A, J9539A, J9447A, J8699A, |
HPE 5412 zl Switch Series |
J9643A, J9532A, J9540A, J9448A, J8700A, J9809A, |
HPE E5406 zl Switch |
J8697A |
HPE E5412 zl Switch |
J8698A |