Every device that connects to a port is associated with a role. Roles are associated with all clients, both authenticated and unauthenticated, and applied to each user session. By default, roles are enabled on a switch.

The following are a few examples of user role names and the access privileges that can be configured for them:

  • Employee—Provide complete access to network resources.

  • Contractor—Provide limited access to network resources.

  • Guest—Provide only Internet browsing access.

Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions.


Active user roles applied to clients are created only when Ternary Content-Addressable Memory (TCAM) resources are available on the switch.

A user role consists of the following optional parameters:

  • Ingress user policy

    L3 (IPv4 and/or IPv6) ordered list of classes with actions.

  • captive-portal-profile

    Assigns a captive portal profile for this role.

  • inactivity-timeout

    Sets the inactivity timeout period, in seconds, after which an authenticated client is implicitly logged off. The range is 300 to 4294967295.

  • reauth-period

    Sets the reauthentication period in seconds. A value of 0 disables it.

  • vlan access

    Sets the untagged VLAN ID.

  • vlan trunk

    Sets the tagged VLAN ID.

  • auth-mode

    Sets the user role configuration to either device-mode or port-mode. The following attributes are available:

    • poe-priority

      Specifies the PoE priority for the interface.

    • mtu

      Configures the MTU support for the client.

    • vlan trunk allowed

      Specifies the list of tagged VLANs configured for the interface.

    • trust-mode

      Configures the QoS trust mode for the client.
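
The parameter limits above can be checked before a role is pushed to a switch. The following is an added example, not vendor code: a small linter that validates role definitions against the values this page states. The dict layout, the `policy` key standing for the ingress user policy, the sample roles, and the 1 to 4094 VLAN ID check (the usable 802.1Q range, which this page does not state) are assumptions.

```python
# Added example (assumed dict layout; "policy" = ingress user policy key).
U32_MAX = 4294967295
KNOWN = {"policy", "captive-portal-profile", "inactivity-timeout",
         "reauth-period", "vlan access", "vlan trunk", "auth-mode",
         "poe-priority", "mtu", "vlan trunk allowed", "trust-mode"}

def _is_int(v):
    return isinstance(v, int) and not isinstance(v, bool)

def lint_role(name, params):
    """Return (severity, message) findings for one role definition."""
    out = [("error", f"{name}: unknown parameter {k!r}")
           for k in sorted(set(params) - KNOWN)]  # catches typos such as "reauth"
    t = params.get("inactivity-timeout")
    if t is not None and not (_is_int(t) and 300 <= t <= U32_MAX):
        out.append(("error", f"{name}: inactivity-timeout {t!r} not in 300..{U32_MAX}"))
    r = params.get("reauth-period")
    if r is not None and not (_is_int(r) and r >= 0):
        out.append(("error", f"{name}: reauth-period {r!r} must be an integer >= 0"))
    elif r == 0:
        out.append(("warn", f"{name}: reauth-period 0 disables reauthentication"))
    m = params.get("auth-mode")
    if m is not None and m not in ("device-mode", "port-mode"):
        out.append(("error", f"{name}: auth-mode {m!r} is not device-mode or port-mode"))
    for key in ("vlan access", "vlan trunk"):
        v = params.get(key)
        # 1..4094 is the usable 802.1Q VLAN ID range (not stated on this page)
        if v is not None and not (_is_int(v) and 1 <= v <= 4094):
            out.append(("error", f"{name}: {key} {v!r} is not a VLAN ID in 1..4094"))
    return out

def lint_roles(roles):
    """Return {role name: findings} for every role that has findings."""
    return {n: f for n, p in roles.items() if (f := lint_role(n, p))}

# Constructed sample input using the role names from the examples above.
SAMPLE_ROLES = {
    "Employee": {"policy": "employee-policy", "reauth-period": 3600,
                 "inactivity-timeout": 600, "vlan access": 10},
    "Contractor": {"policy": "contractor-policy", "reauth-period": 0,
                   "inactivity-timeout": 120},
    "Guest": {"captive-portal-profile": "guest-portal", "vlan access": 4095,
              "auth-mode": "client-mode", "reauth": 300},
}

if __name__ == "__main__":
    for findings in lint_roles(SAMPLE_ROLES).values():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

A `reauth-period` of 0 is reported as a warning rather than an error because it is a valid setting that turns reauthentication off.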