Overview

Every device that connects to a port is associated with a role. Roles are associated with all clients, both authenticated and unauthenticated, and applied to each user session. By default, roles are enabled on a switch.

The following are a few examples of user role names and the access privileges that can be configured for them:

  • Employee—Provide complete access to network resources.

  • Contractor—Provide limited access to network resources.

  • Guest—Provide only Internet browsing access.

Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions.

NOTE:

Active user roles applied to clients are created only if Ternary Content-Addressable Memory (TCAM) resources are available on the switch.

A user role consists of the following optional parameters:

  • Ingress user policy

    An L3 (IPv4 and/or IPv6) ordered list of classes with actions.

  • captive-portal-profile

    Assigns a captive portal profile for this role.

  • inactivity-timeout

    Sets the inactivity timeout period, in seconds, after which the authenticated client is implicitly logged off. The range is 300 to 4294967295.

  • reauth-period

    Sets the reauthentication period in seconds. Set to 0 to disable.

  • vlan access

    Sets the untagged VLAN ID.

  • vlan trunk

    Sets the tagged VLAN ID.

  • auth-mode

    Sets the configuration in the user role to either device-mode or port-mode. The following are the attributes:

    • poe-priority

      Specifies the PoE priority for the interface.

    • mtu

      Configures the MTU support for the client.

    • vlan trunk allowed

      Specifies the list of tagged VLANs configured for the interface.

    • trust-mode

      Configures the QoS trust mode for the client.