User's Manual
In the CLI
(host)(config) #user-role web-guest
access-list session web-only position 1
Assigning User Roles
A client is assigned a user role by one of several methods. A role assigned by one method may take precedence
over one assigned by a different method. The methods of assigning user roles are, from lowest to highest
precedence:
1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP (see
Access Points (APs) on page 485).
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a
user-derived role). You can configure rules that assign a user role to clients that match a certain set of
criteria. For example, you can configure a rule to assign the role VoIP-Phone to any client that has a MAC
address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN.
For each authentication method, you can configure a default role for clients who are successfully
authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client
attributes (this is known as a server-derived role). If the client is authenticated via an authentication server,
the user role for the client can be based on one or more attributes returned by the server during
authentication, or on client attributes such as SSID (even if the attribute is not returned by the server).
Server-derivation rules are executed after client authentication.
5. The user role can be derived from Dell Vendor-Specific Attributes (VSA) for RADIUS server authentication. A
role derived from a Dell VSA takes precedence over any other user roles.
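The precedence order above, modeled as an added example (not part of the manual and not ArubaOS code): it resolves a client's effective role and lists authenticated clients whose role still comes from a method that runs before authentication. The method labels, function names and sample clients are assumptions for illustration, and treating methods 3 to 5 as applying only after successful authentication is this model's reading of the list.

```python
from dataclasses import dataclass

# Methods in the manual's order, lowest to highest precedence (labels are hypothetical).
# The flag marks methods that can apply before the client has authenticated.
METHODS = [
    ("initial-role", True),        # 1. initial role from the AAA profile
    ("user-derived", True),        # 2. user-derivation rule, runs before authentication
    ("auth-default-role", False),  # 3. default role of the authentication method
    ("server-derived", False),     # 4. server-derivation rule, runs after authentication
    ("vsa", False),                # 5. Dell VSA returned by the RADIUS server
]

@dataclass
class Decision:
    role: str
    method: str
    pre_auth: bool  # True if the winning method needs no authentication

def effective_role(candidates, authenticated):
    """Return the role from the highest-precedence method that supplied one."""
    unknown = set(candidates) - {name for name, _ in METHODS}
    if unknown:
        raise ValueError(f"unknown assignment method(s): {sorted(unknown)}")
    winner = None
    for name, pre_auth in METHODS:  # ascending precedence: later matches override
        role = candidates.get(name)
        if not role or (not pre_auth and not authenticated):
            continue  # nothing supplied, or a post-auth method without authentication
        winner = Decision(role, name, pre_auth)
    if winner is None:
        raise ValueError("no method supplied a role")
    return winner

def audit(clients):
    """Names of authenticated clients whose effective role still comes from a pre-auth method."""
    return [c["name"] for c in clients if c["authenticated"]
            and effective_role(c["candidates"], True).pre_auth]

# Constructed sample clients; role names other than VoIP-Phone and web-guest are made up.
SAMPLE_CLIENTS = [
    {"name": "phone-1", "authenticated": True,
     "candidates": {"initial-role": "web-guest", "user-derived": "VoIP-Phone"}},
    {"name": "laptop-7", "authenticated": True,
     "candidates": {"initial-role": "web-guest", "auth-default-role": "employee",
                    "vsa": "contractor"}},
]

if __name__ == "__main__":
    for c in SAMPLE_CLIENTS:
        print(c["name"], effective_role(c["candidates"], c["authenticated"]))
    print("review:", audit(SAMPLE_CLIENTS))
```

A client that appears in the audit output has authenticated but no default, server-derived or VSA role was supplied for it, so its access is still governed by the initial or user-derived role.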
The following sections describe the methods of assigning user roles.
Assigning User Roles in AAA Profiles
An AAA profile defines the user role for unauthenticated clients (initial role) as well as the default user role for
MAC and 802.1x authentication. To configure user roles in the AAA profile:
In the WebUI
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select the default profile or a user-defined AAA profile.
3. Click the Initial Role drop-down list, and select the desired user role for unauthenticated users.
4. Click the 802.1x Authentication Default Role drop-down list and select the desired user role for users
who have completed 802.1x authentication.
5. Click the MAC Authentication Default Role drop-down list and select the desired user role for clients
who have completed MAC authentication.
6. Click Apply.
In the CLI
(host)(config) #aaa profile <profile>
initial-role <role>
dot1x-default-role <role>
mac-default-role <role>
For additional information on creating AAA profiles, see WLAN Authentication on page 421.
Dell Networking W-Series ArubaOS 6.4.x | User Guide Roles and Policies | 372