aaa authorization user-role

Syntax

aaa authorization user-role [enable | disable | [initial-role <ROLE-STR>] | [name <ROLE>]]

Description

Configure user roles. A user role determines the client network privileges, the frequency of reauthentication, and applicable bandwidth contracts along with other permissions. Every client is associated with a user role or the client is blocked from access to the network.

Parameters

enable

Enable authorization using user roles.

disable

Disable authorization using user roles.

initial-role

The default initial role, "denyall", is used when no other role applies: if a client connects to the switch and has no user role associated with it, the initial role is applied. Any role can be configured as the initial role using this option. The initial role can also be configured per port, and a per-port initial role takes priority over the global initial role.

The initial role may be assigned if:

  • captive-portal profile is configured with a web address, but the Captive Portal VSA is sent from RADIUS.

  • captive-portal profile is configured to use the RADIUS VSA but no Captive Portal VSA is sent.

  • The captive-portal feature is disabled while the captive-portal profile is referenced in the user role applied to the client.

  • The user role feature is enabled with RADIUS authentication, but no user role VSA is returned.

  • User role does not exist.

  • Not enough TCAM resource available.

  • Access-Reject from RADIUS.

  • User role VSA is sent along with invalid attributes.

  • RADIUS not reachable.

  • VLAN configured on the user role does not exist.

  • Captive Portal profile does not exist.

  • User policy configured on the user role does not exist.

  • Reauthentication period is enabled (nonzero) in the user role for LMA.

  • Captive Portal profile is included in the user role for LMA.

  • Logoff period is not supported.

critical-role

The critical role is disabled by default. If the critical role is enabled and the client cannot be authenticated because the switch is unable to reach the RADIUS server, the client is moved to the critical role. Any role can be configured as the critical role. The critical role can also be configured per port.
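The fallback conditions listed under initial-role and the critical-role behaviour above together form a decision procedure: validate the role RADIUS returned, and if anything fails, fall back to the per-port initial role, then the global initial role, then "denyall". The following Python model is an added example, not switch code and not from this document; the order in which checks are applied, the rule that an enabled critical role (per-port before global) takes precedence over the initial role when RADIUS is unreachable, and all configuration names and values are constructed assumptions for illustration.

```python
"""Model of user-role selection following the fallback rules documented above.
Added example; the check order and the critical-role precedence are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DEFAULT_INITIAL_ROLE = "denyall"  # used when no initial role is configured anywhere


@dataclass
class UserRole:
    name: str
    vlan_id: Optional[int] = None
    policy: Optional[str] = None
    captive_portal_profile: Optional[str] = None
    reauth_period: int = 0  # 0 = reauthentication disabled


@dataclass
class SwitchConfig:
    user_role_enabled: bool = True
    roles: Dict[str, UserRole] = field(default_factory=dict)
    vlans: Set[int] = field(default_factory=set)
    policies: Set[str] = field(default_factory=set)
    # profile name -> True if the profile takes its URL from the RADIUS VSA,
    # False if the profile is configured with its own web address
    captive_portal_profiles: Dict[str, bool] = field(default_factory=dict)
    captive_portal_enabled: bool = True
    global_initial_role: Optional[str] = None
    critical_role: Optional[str] = None  # None = critical role disabled (default)
    port_initial_role: Dict[str, str] = field(default_factory=dict)
    port_critical_role: Dict[str, str] = field(default_factory=dict)
    tcam_available: bool = True


@dataclass
class RadiusResult:
    reachable: bool = True
    accepted: bool = True
    role_vsa: Optional[str] = None
    role_vsa_attrs_valid: bool = True
    captive_portal_vsa_sent: bool = False


def initial_role_for(cfg: SwitchConfig, port: str) -> str:
    """Per-port initial role wins over the global one; "denyall" is the last resort."""
    return cfg.port_initial_role.get(port) or cfg.global_initial_role or DEFAULT_INITIAL_ROLE


def role_problem(cfg: SwitchConfig, name: str, radius: RadiusResult, auth_method: str) -> Optional[str]:
    """Return the reason the named role cannot be applied, or None if it can."""
    role = cfg.roles.get(name)
    if role is None:
        return "user role does not exist"
    if role.vlan_id is not None and role.vlan_id not in cfg.vlans:
        return "VLAN configured on the user role does not exist"
    if role.policy is not None and role.policy not in cfg.policies:
        return "user policy configured on the user role does not exist"
    cp = role.captive_portal_profile
    if cp is not None:
        if cp not in cfg.captive_portal_profiles:
            return "captive portal profile does not exist"
        if not cfg.captive_portal_enabled:
            return "captive-portal feature is disabled"
        uses_vsa = cfg.captive_portal_profiles[cp]
        if uses_vsa and not radius.captive_portal_vsa_sent:
            return "profile uses RADIUS VSA but no Captive Portal VSA was sent"
        if not uses_vsa and radius.captive_portal_vsa_sent:
            return "profile has a web address but a Captive Portal VSA was sent"
    if auth_method == "lma":  # local MAC authentication restrictions
        if role.reauth_period:
            return "reauthentication period is nonzero in the user role for LMA"
        if cp is not None:
            return "captive portal profile is included in the user role for LMA"
    if not cfg.tcam_available:
        return "not enough TCAM resource available"
    return None


def select_role(cfg: SwitchConfig, port: str, radius: RadiusResult,
                auth_method: str = "radius") -> Tuple[Optional[str], str]:
    """Return (role applied to the client, reason)."""
    if not cfg.user_role_enabled:
        return None, "user-role authorization disabled"
    if not radius.reachable:
        crit = cfg.port_critical_role.get(port) or cfg.critical_role
        if crit:
            return crit, "RADIUS not reachable: critical role"
        return initial_role_for(cfg, port), "RADIUS not reachable"
    if not radius.accepted:
        return initial_role_for(cfg, port), "Access-Reject from RADIUS"
    if radius.role_vsa is None:
        return initial_role_for(cfg, port), "no user role VSA returned"
    if not radius.role_vsa_attrs_valid:
        return initial_role_for(cfg, port), "user role VSA sent with invalid attributes"
    problem = role_problem(cfg, radius.role_vsa, radius, auth_method)
    if problem:
        return initial_role_for(cfg, port), problem
    return radius.role_vsa, "role from RADIUS VSA applied"


def sample_config() -> SwitchConfig:
    """Constructed example configuration; names and VLAN ids are not from the page."""
    return SwitchConfig(
        roles={
            "employee": UserRole("employee", vlan_id=10, policy="allow-all"),
            "stale": UserRole("stale", vlan_id=99),  # VLAN 99 was never created
            "guest": UserRole("guest", captive_portal_profile="guest-cp"),
            "quarantine": UserRole("quarantine", vlan_id=666),
            "critical": UserRole("critical", vlan_id=10),
        },
        vlans={10, 666},
        policies={"allow-all"},
        captive_portal_profiles={"guest-cp": False},
        global_initial_role="guest",
        port_initial_role={"1/1": "quarantine"},
    )


if __name__ == "__main__":
    cfg = sample_config()
    print(select_role(cfg, "1/2", RadiusResult(role_vsa="employee")))
    print(select_role(cfg, "1/1", RadiusResult(role_vsa="stale")))
    print(select_role(cfg, "1/2", RadiusResult(reachable=False)))
```

The reason string returned alongside the role is the part worth logging on a real deployment: a client repeatedly landing in the initial role because "VLAN configured on the user role does not exist" points at a switch configuration drift, whereas "Access-Reject from RADIUS" points at the authentication server.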

name <NAME-STR>

Create or modify a user role. The role name identifies the user role. When adding a user role, a new configuration context is created; the context prompt is named "user-role" and is shown as (user-role)#.

Usage

switch# aaa authorization user-role enable
switch# aaa authorization user-role disable
switch# aaa authorization user-role name <ROLE1>
switch# no aaa authorization user-role enable
switch# no aaa authorization user-role name <ROLE1>
switch# aaa authorization user-role initial-role <ROLE1>
switch# aaa authorization user-role name <MYUSERROLE> policy <MYUSERPOLICY>
switch# aaa authorization user-role name <MYUSERROLE> captive-portal-profile <MYCAPTPORTPROFILE>
switch# aaa authorization user-role name <MYUSERROLE> vlan-id <VID>
switch# aaa authorization user-role name <MYUSERROLE> reauth-period <0-999999999>