Local user roles

Overview

Every client is associated with a user role. A user role is a set of attributes applied to each user session, for both authenticated clients (clients with an authentication configuration) and unauthenticated clients. User roles must be enabled globally.



NOTE: Local user roles are supported on the following platforms:

  • Aruba 2530 Switch Series (running YA software only)

  • Aruba 2620 Switch Series

  • Aruba 3800 Switch Series

  • Aruba 3810 Switch Series

  • Aruba 5400R Switch Series


Examples of user roles are:

  • Employee = All access

  • Contractor = Limited access to resources

  • Guest = Browse Internet

Each user role determines the client's network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions. A maximum of 32 administratively configurable user roles is available, plus one predefined, read-only user role called denyall.

A user role consists of optional parameters such as:

  • Captive portal profile

    Specifies the URL via either:

    • a captive-portal profile, or

    • a Vendor Specific Attribute (VSA): RADIUS HP HP-Captive-Portal-URL = <http://...>

  • Ingress user policy

    An ordered list of Layer 3 (IPv4 and/or IPv6) classes with actions, ending in an implicit deny all for both IPv4 and IPv6.

  • Reauthentication period

    The time for which the session is valid. The default is 0, which disables reauthentication, unless the user role overrides it.



    NOTE: The reauthentication period must be set explicitly in the user role to override the default of 0.


  • Untagged VLAN (either VLAN ID or VLAN-name)

    VLAN precedence order (highest first):

    • The untagged VLAN specified in the user role (VSA Derived Role, UDR, or Initial Role), if one is configured.

    • Otherwise, the statically configured untagged and/or tagged VLANs of the port the user is on.
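The parameters above assembled into one ArubaOS-Switch configuration, as an added example that is not from this page: a class and ingress user policy with an explicit permit (the implicit deny all handles everything else), a "contractor" role that carries the policy, an untagged VLAN and a reauthentication period, a "guest" role that carries a captive-portal profile, an initial role for clients that fail authentication, global enablement, and the two show commands used to verify the result. The role, policy, class and profile names, VLANs 200 and 300, the periods 3600 and 900, the 10.1.10.0/24 subnet, the DNS host and the portal URL are constructed values. The command syntax follows the ArubaOS-Switch CLI as I know it and should be checked against the switch's own help, in particular the captive-portal profile line and the class match lines. Lines beginning with ; are annotations, as in a saved ArubaOS-Switch configuration file.

```console
; Added example (not from this page): role parameters tied together in one
; configuration. All names, addresses and numbers are constructed values.

; 1. Classifier: the traffic the contractor role is allowed to send. Anything
;    not matched by a permitted class falls to the implicit deny all.
class ipv4 "contractor-allowed"
   10 match udp any host 10.1.10.53 eq 53
   20 match tcp any 10.1.10.0/24 eq 443
   exit

; 2. Ingress user policy: an ordered list of classes with actions.
policy user "contractor-policy"
   10 class ipv4 "contractor-allowed" action permit
   exit

; 3. Captive-portal profile supplying the portal URL (constructed URL; the
;    HP-Captive-Portal-URL VSA from the RADIUS server can supply it instead).
aaa authentication captive-portal profile "guest-cp" url "https://portal.example.internal/guest"

; 4. Roles. reauth-period must be set explicitly: 0, the default, disables it.
aaa authorization user-role name "contractor"
   policy "contractor-policy"
   reauth-period 3600
   vlan-id 200
   exit

aaa authorization user-role name "guest"
   captive-portal-profile "guest-cp"
   reauth-period 900
   vlan-id 300
   exit

; 5. Clients that fail authentication still receive a role: the initial role.
aaa authorization user-role initial-role "guest"

; 6. Enable user roles globally. The switch refuses this while BYOD redirect,
;    MAC authentication failure redirect or enhanced web-based authentication
;    are enabled (see Restrictions and Error messages).
aaa authorization user-role enable

; 7. Verification: configured roles, and each client with its applied role.
show user-role
show port-access clients detail
```

With this in place, a RADIUS server that returns the Hewlett-Packard-Enterprise VSA HPE-User-Role (ID 25) with the value contractor selects the "contractor" role as the VSA Derived Role; the value should name a role configured on the switch, as here. A client on an authenticated port whose authentication fails is placed in "guest", lands in VLAN 300 because the role's untagged VLAN takes precedence over the port's static VLANs, and is reauthenticated every 900 seconds.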

Operational notes

  • When user roles are enabled, every user connecting on a port where authentication is configured has a user role applied. The role is applied even if the user fails to authenticate: a user who cannot be authenticated receives the “Initial Role”.

  • The user role may be applied in one of two ways:

    • Vendor Specific Attribute (VSA)

      Type: RADIUS: Hewlett-Packard-Enterprise

      Name: HPE-User-Role

      ID: 25

      Value: <myUserRole>

      The RADIUS server (ClearPass Policy Manager) determines whether the VSA Derived Role applies. The role is sent to the switch in a RADIUS VSA and has the same precedence as the authentication type (802.1x, WMA) through which it was received.

    • User Derived Role (UDR)

      The User Derived Role is part of Local MAC authentication (LMA) and is applied when user roles are enabled and LMA is configured.

      UDR has the same precedence as LMA. The precedence of the authentication types is maintained: 802.1x -> LMA -> WMA (highest to lowest).

Restrictions

  • User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.

  • Web-based authentication is not supported on the same port with other authentication methods when user roles are enabled.

  • show port-access <AUTH-TYPE> commands are not supported when user roles are enabled. The command show port-access clients [detail] is the only way to see authenticated clients with their associated roles.

  • aaa port-access auth <port> control commands are not supported when user roles are enabled.

  • unauth-vid commands are not supported when user roles are enabled.

  • auth-vid commands are not supported when user roles are enabled.

Limitations for web-based authentication

Web-based authentication cannot be combined with other authentication types on the same port.

Limitations for LMA

Reauthentication period and captive portal profile are not supported.

Error messages

Action: Attempting to enable BYOD Redirect when user roles are enabled.
Error message: BYOD redirect cannot be enabled when user roles are enabled.

Action: Attempting to enable MAFR when user roles are enabled.
Error message: MAC authentication failure redirect cannot be enabled when user roles are enabled.

Action: Attempting to enable enhanced web-based authentication when user roles are enabled.
Error message: Enhanced web-based authentication cannot be enabled when user roles are enabled.

Action: Attempting to enable web-based authentication when other authentication types are enabled for the same port, and user roles are enabled.
Error message: Web-based authentication cannot be enabled with other authentication types on this port when user roles are enabled.

Action: Switch (config)# show port-access mac-based clients
Error message: User roles are enabled. Use show port-access clients to view client information.

Action: Switch (config)# aaa port-access authenticator e8 control autho
Error message: 802.1x control mode, Force Authorized/Unauthorized, cannot be set when user roles are enabled.

Action: Attempting to enable local user role when MAFR, BYOD, or EWA are enabled.
Error message: User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.

Applicable Products 

Aruba 2530 Switch Series

JL070A, J9772A, J9773A, J9774A, J9775A, J9776A, J9777A, J9778A, J9779A, J9780A, J9781A, J9782A, J9783A, J9853A, J9854A, J9855A, J9856A

Aruba 2620 Switch Series

J9624A, J9625A, J9623A, J9627A, J9626A

Aruba 2920 Switch Series

J9726A, J9727A, J9728A, J9729A, J9836A

Aruba 2930F Switch Series

JL253A, JL254A, JL255A, JL256A, JL259A, JL260A, JL261A, JL262A, JL263A, JL264A

Aruba 3800 Switch Series

J9573A, J9574A, J9575A, J9576A, J9584A

Aruba 3810M Switch Series

JL075A, JL071A, JL073A, JL076A, JL072A, JL074A

Aruba 5406R Switch

J9850A, JL002A, JL003A, JL095A, J9821A

Aruba 5412R Switch

JL001A, J9822A, J9851A

HPE 3500 Switch Series

J9470A, J9471A, J8692A, J9310A, J9472A, J9473A, J8693A, J9311A

HPE 5406 v2zl Switch Series

J9866A, J8697AX, J9642A, J9533A, J9539A, J9447A, J8699A

HPE 5412 zl Switch Series

J9643A, J9532A, J9540A, J9448A, J8700A, J9809A

HPE E5406 zl Switch

J8697A

HPE E5412 zl Switch

J8698A