Overview

Every client is associated with a user role. A user role is a set of attributes applied to each user session, for authenticated clients (clients on ports with authentication configured) and for unauthenticated clients alike. User roles must be enabled globally.

Examples of user roles are:

  • Employee = All access

  • Contractor = Limited access to resources

  • Guest = Browse Internet

Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions. There are a maximum of 512 administratively configurable local user roles available, plus one predefined, read-only user role called denyall.

NOTE:

A user role is applied to a client only if the switch has TCAM resources available for it.

A user role consists of optional parameters such as:

  • Ingress user policy

    L3 (IPv4 and/or IPv6) ordered list of classes with actions, with an implicit deny all for IPv4 and IPv6.

  • captive-portal-profile

    Assigns a captive portal profile for this role.

  • logoff-period

    The inactivity period in seconds (0, or 60-9999999) after which an authenticated client is implicitly logged off.

  • policy

    Sets a user policy for the role.

  • reauth-period

    Sets the reauthentication period in seconds or 0 to disable.

  • cached-reauth-period

    Specifies the time in seconds when cached reauthentication is allowed on the port.

  • tunneled-node-server

    Configures traffic redirect to user-based tunnel.

  • vlan-id

    Sets the untagged VLAN ID.

  • vlan-id-tagged

    Sets the tagged VLAN ID.

  • vlan-name

    Sets the untagged VLAN name.

  • vlan-name-tagged

    Sets the tagged VLAN name.

  • device

    Sets device-specific configuration in the user role. The device attributes are:

    • admin-edge-port

      Configures the administrative edge port status for the client's port.

    • poe-allocate-by-class

      Configures the power allocation method based on the device classification.

    • poe-priority

      Sets the priority for per-port power distribution.

    • port-mode

      Configures the client port mode.

Operational notes

  • When user roles are enabled, a user role is applied to every user connected to a port where authentication is configured, even if the user fails to authenticate. A user who cannot be authenticated receives the "Initial Role".

  • The user role may be applied in one of two ways:
    • Vendor-Specific Attribute (VSA)

      Type: RADIUS: Hewlett-Packard-Enterprise

      Name: HPE-User-Role

      ID: 25

      Value: <myUserRole>

      The RADIUS server (ClearPass Policy Manager) determines whether the VSA Derived Role is applied; the role name is sent to the switch in the RADIUS VSA. A VSA Derived Role has the same precedence as the authentication type (802.1x, WMA) that returned it.

    • User Derived Role (UDR)

      The User Derived Role is part of Local MAC authentication (LMA) and is applied when user roles are enabled and LMA is configured.

      UDR has the same precedence as LMA. The precedence order of the authentication types is maintained: 802.1x -> LMA -> WMA (highest to lowest).
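
As an added example (not from the original page), the following Python encodes the HPE-User-Role VSA described above in RFC 2865 Vendor-Specific attribute format, extracts it again from an Access-Accept attribute list with length checks against malformed input, and applies the stated precedence rule to choose the role. The enterprise number 47196 is an assumption, since the page gives only the attribute name and ID 25; confirm it against your RADIUS dictionary.

```python
import struct

# From the page: Vendor-Specific attribute (RFC 2865 type 26) carrying vendor
# type 25 (HPE-User-Role). The enterprise number 47196 is an ASSUMPTION
# (commonly used for Hewlett-Packard-Enterprise); verify it in your dictionary.
ATTR_VENDOR_SPECIFIC = 26
HPE_VENDOR_ID = 47196
HPE_USER_ROLE_TYPE = 25
PRECEDENCE = ["802.1x", "LMA", "WMA"]  # highest to lowest, as stated on the page

def encode_user_role_vsa(role: str) -> bytes:
    """Build the Vendor-Specific attribute a RADIUS server would return."""
    value = role.encode("ascii")
    sub_attr = struct.pack("!BB", HPE_USER_ROLE_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", HPE_VENDOR_ID) + sub_attr
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def find_user_role(attrs: bytes):
    """Walk a RADIUS attribute list; return the HPE-User-Role value or None.
    Every length is checked before slicing so a truncated or malformed
    attribute stops the walk instead of being misread as a role name."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            return None
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            sub = attrs[i + 6:i + alen]
            j = 0
            while vendor == HPE_VENDOR_ID and j + 2 <= len(sub):
                vtype, vlen = sub[j], sub[j + 1]
                if vlen < 2 or j + vlen > len(sub):
                    break  # malformed sub-attribute: ignore the rest of this VSA
                if vtype == HPE_USER_ROLE_TYPE:
                    return sub[j + 2:j + vlen].decode("ascii", "replace")
                j += vlen
        i += alen
    return None

def applied_role(results: dict, initial_role: str) -> str:
    """results maps auth type -> role it produced (VSA or UDR), None on failure.
    The highest-precedence method that produced a role wins; a client that no
    method could authenticate gets the Initial Role."""
    for method in PRECEDENCE:
        if results.get(method):
            return results[method]
    return initial_role
```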

Restrictions

  • User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.

  • Web-based authentication is not supported on the same port with other authentication methods when user roles are enabled.

  • show port-access <AUTH-TYPE> commands are not supported when user-roles are enabled. The command show port-access clients [detail] is the only way to see authenticated clients with their associated roles.

  • aaa port-access auth <port> control commands are not supported when user roles are enabled.

  • unauth-vid commands are not supported when user roles are enabled.

  • auth-vid commands are not supported when user roles are enabled.

  • If the local configuration contains more than 32 user role entries, firmware downgrade to a lower version is not allowed.

Limitations for web-based authentication

Web-based authentication cannot be combined with other authentication types on the same port.

Limitations for LMA

Reauthentication period and captive portal profile are not supported.

Error messages

Action: Attempting to enable BYOD Redirect when user roles are enabled.
Error message: BYOD redirect cannot be enabled when user roles are enabled.

Action: Attempting to enable MAFR when user roles are enabled.
Error message: MAC authentication failure redirect cannot be enabled when user roles are enabled.

Action: Attempting to enable enhanced web-based authentication when user roles are enabled.
Error message: Enhanced web-based authentication cannot be enabled when user roles are enabled.

Action: Attempting to enable web-based authentication when other authentication types are enabled for the same port and user roles.
Error message: Web-based authentication cannot be enabled with other authentication types on this port when user roles are enabled.

Action: switch (config)# show port-access mac-based clients
Error message: User roles are enabled. Use show port-access clients to view client information.

Action: switch (config)# aaa port-access authenticator e8 control autho
Error message: 802.1x control mode, Force Authorized/Unauthorized, cannot be set when user roles are enabled.

Action: Attempting to enable local user role when MAFR, BYOD, or EWA are enabled.
Error message: User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced web-based authentication are enabled.

Action: Downgrade with more than 32 local user role entries.
Error message: Firmware downgrade is not allowed when configured local user role entries are more than 32. Delete user roles manually to continue the downgrade.