User role configuration
aaa authorization user-role
Syntax
aaa authorization user-role [enable | disable| [initial-role<ROLE-STR>] |[name<ROLE>]]
Description
Configure user roles. A user role determines the client network privileges, the frequency of reauthentication, applicable bandwidth contracts, along with other permissions. Every client is associated with a user role or the client is blocked from access to the network.
Options
enable | Enable authorization using user roles. |
disable | Disable authorization using user roles. |
initial-role | The default initial role “denyall” is used when no other role applies. If a client connects to the switch and does not have a user role associated, then the initial role is used. Any role can be configured as initial role using this option. The initial role may be assigned if:
|
name | Create or modify a user-role. Role name identifies a user-role. When adding a user-role, a new context will be created. The context prompt will be named “user-role” (user-role)#. |
Usage
Switch# aaa authorization user-role enable
Switch# aaa authorization user-role disable
Switch# aaa authorization user-role name <ROLE1>Switch# [no] aaa authorization user-role enable
Switch# [no] aaa authorization user-role name <ROLE1>Switch# aaa authorization user-role initial-role <ROLE1>Switch# aaa authorization user-role name<MYUSERROLE>policy<MYUSERPOLICY>
Switch# aaa authorization user-role name<MYUSERROLE>captive-portal-profile<MYCAPTPORTPROFILE>
Switch# aaa authorization user-role name<MYUSERROLE>vlan-id<VID>
Switch# aaa authorization user-role name<MYUSERROLE>reauth-period<0-999999999>
Error log
| Scenario | Error Message |
|---|---|
| If the user tries to delete a user-role configured as the initial role | User
role <INITIAL_ROLE_NAME> is configured
as the initial role and cannot be deleted. |
| If the user attempts to configure more than the number of administrator configured roles | #aaa authorization user-role name roleNumber33 .
No more user roles can be created. |
| If the user enters a role name that is too long | Switch# aaa authorization
user-role test342....jflkdsjflk. The name must be fewer
than 64 characters long. |
| If the user enters a role name with invalid syntax | Switch# aaa authorization
user-role name “this is an invalid name” Invalid character
' ' in name. |
| If the user tries to delete a nonexisting user-role | User role <NON_EXISTING_ROLE_NAME> not
found. |
Switch# aaa authorization user-role
name |
User
role <DENYALL> is read only and cannot
be modified. |
captive-portal-profile
From within the user-role context:
Syntax
captive-portal-profile <PROFILE_NAME>Description
Assigns a captive portal profile to the user role. The predefined
captive portal profile, use-radius-vsa, indicates
that the redirect web address must be sent via RADIUS.
To clear a captive portal profile from the user role, use the [no] version of the command.
policy
From within the user-role context:
Syntax
policy <POLICY_NAME>Description
Assigns a user policy to the user role. To clear a policy from the user role, use the [no] version of the command.
![[NOTE: ]](images/note.gif) | NOTE: Modification of the user policy, or class contained in a user policy, will force users consuming that user policy via a user role to be deauthenticated. |
reauth-period
From within the user-role context:
Syntax
reauth-period <VALUE>Description
Set the reauthentication period for the user role. Use [0] to disable reauthentication. For RADIUS-based authentication methods, it will override the RADIUS session timeout. It also overrides any port-based reauth-period configuration with the exception that LMA does not support a reauth-period.
Options
<VALUE> | Valid values are 0 – 999,999,999; a required configuration in user roles and it defaults to 0. |
(user-role)# reauth-period 100
Set the reauthentication value for the current user role:
(user-role)# reauth-period 100
(user-role)# reauth-period 0
0 is used to disable reauthentication, and it is the default value.
(user-role)# reauth-period 0
Validation rules
| Validation | Error/Warning/Prompt |
|---|---|
(user-role)# reauth-period 10000000 |
Invalid input: 100000000000000000 |
VLAN commands
| NOTE: The VLAN must be configured on the switch at the time the user role is applied. Only one of VLAN-name or VLAN-ID is allowed for any user role. |
| NOTE: Modification of the VLAN will force users assigned to that VLAN via a user role to be deauthenticated. |
vlan-id
From within the user-role context:
Subcommand syntax
vlan-id <VLAN-ID>Description
Assign an untagged VLAN to the user role using VLAN-ID.
Use the [no] version of the command when
clearing the VLAN-ID from the user role:
Usage
(user-role)# no vlan-id
vlan-name
From within the user-role context:
Subcommand syntax
vlan-name <VLAN-NAME>Description
Assign an untagged VLAN to the user role using VLAN name. Only one of VLAN-name or VLAN-ID is allowed for any user role.
Use the [no] version of the command when
clearing the VLAN from the user role, by name:
Usage
(user-role)# no vlan-name