Overview

Every client is associated with a user role. User roles associate a set of attributes for authenticated clients (clients with authentication configuration) and unauthenticated clients, applied to each user session. User roles must be enabled globally.

Examples of user roles are:

  • Employee = All access

  • Contractor = Limited access to resources

  • Guest = Browse Internet

Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions. There are a maximum of 32 administratively configurable user roles available with one predefined and read-only user role called denyall.

A user role consists of optional parameters such as:

  • Captive portal profileSpecifies the URL via:
    • captive-portal profile

      or

    • Vendor Specific Attribute (VSA). RADIUS: HPEHPE-Captive-Portal-URL = <http://...>

  • Ingress user policy

    L3 (IPv4 and/or IPv6) ordered list of Classes with actions, with an implicit deny all for IPv4 and IPv6.

  • Reauthentication period

    The time that the session is valid for. The default is 0 unless the user role is overridden. The default means that the reauthentication is disabled.
    NOTE:

    Reauthentication period is required to override the default of 0.

  • Untagged VLAN (either VLAN ID or VLAN-name)

    VLAN precedence order behavior:
    • If configured, untagged VLAN specified in the user role (VSA Derived Role, UDR, or Initial Role).

    • Statically configured untagged and/or tagged VLANs of the port the user is on.

Operational notes

  • When user roles are enabled, all users that are connecting on ports where authentication is configured will have a user role applied. User role application happens even if the user fails to authenticate. If the user cannot be authenticated, the "Initial Role" will be applied to that user.

  • The user role may be applied in one of two ways:
    • Vendor Specific Attribute (VSA)

      Type: RADIUS: Hewlett-Packard-Enterprise

      Name: HPE-User-Role

      ID: 25

      Value: <myUserRole>

      The RADIUS server (ClearPass Policy Manager) determines application of the VSA Derived Role. The role is sent to the switch via a RADIUS VSA. The VSA Derived Role will have the same precedence order as the authentication type (802.1x, WMA).

    • User Derived Role (UDR

      )The User Derived Role is part of Local MAC authentication (LMA) and is applied when user roles are enabled and LMA is configured.

      UDR will have the same precedence as LMA. Precedence behavior of the authentication types will be maintained, (802.1x -> LMA -> WMA (highest to lowest)).

Restrictions

  • User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.

  • Web-based authentication is not supported on the same port with other authentication methods when user roles are enabled.

  • show port-access <AUTH-TYPE> commands are not supported when user-roles are enabled. The command show port-access clients [detail] is the only way to see authenticated clients with their associated roles.

  • aaa port-access auth <port> control commands are not supported when user roles are enabled.

  • unauth-vid commands are not supported when user roles are enabled.

  • auth-vid commands are not supported when user roles are enabled.

Limitations for web-based authentication

Cannot be combined with other authentication types on same port.

Limitations for LMA

Reauthentication period and captive portal profile are not supported.

Error messages

Action

Error message

Attempting to enable BYOD Redirect when user roles are enabled.

BYOD redirect cannot be enabled when user roles are enabled.

Attempting to enable MAFR when user roles are enabled.

MAC authentication failure redirect cannot be enabled when user roles are enabled.

Attempting to enable enhanced web-based authentication when user roles are enabled.

Enhanced web-based authentication cannot be enabled when user roles are enabled.

Attempting to enable web-based authentication when other authentication types are enabled for the same port, and user roles are enabled.

Web-based authentication cannot be enabled with other authentication types on this port when user roles are enabled.

switch (config)# show port-access mac-based clients

User roles are enabled. Use show port-access clients to view client information.

switch (config)# aaa port-access authenticator e8 control autho

802.1x control mode, Force Authorized/Unauthorized, cannot be set when user roles are enabled.

Attempting to enable local user role when MAFR, BYOD, or EWA are enabled.

User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.