Configuration manual
136 | Configuration Reference Dell PowerConnect W-AirWave 7.4 | Configuration Guide
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a
user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria.
For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a MAC address
that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN.
For each authentication method, you can configure a default role for clients who are successfully
authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client attributes
(this is known as a server-derived role). If the client is authenticated via an authentication server, the user role
for the client can be based on one or more attributes returned by the server during authentication, or on client
attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are
executed after client authentication.
5. The user role can be derived from Dell PowerConnect Vendor-Specific Attributes (VSA) for RADIUS server
authentication. A role derived from a Dell PowerConnect VSA takes precedence over any other user roles.
In the Dell PowerConnect W user-centric network, the user role of a wireless client determines its privileges,
including the priority that every type of traffic to or from the client receives in the wireless network. Thus, QoS
for voice applications is configured when you configure firewall roles and policies.
You can configure roles for clients that use mostly data traffic, such as laptop computers, and roles for clients that
use mostly voice traffic, such as VoIP phones. Although there are different ways for a client to derive a user role, in
most cases the clients using data traffic will be assigned a role after they are authenticated through a method such
as 802.1x, VPN, or captive portal. The user role for VoIP phones can be derived from the OUI of their MAC
addresses or the SSID to which they associate. This user role will typically be configured to have access allowed
only for the voice protocol being used (for example, SIP or SVP).
This page displays the current user roles in Dell PowerConnect W Configuration and where they are used. This
page contains the columns described in Table 65:
NOTE: You must install the Policy Enforcement Firewall license in the controller.
Table 65 Security > User Roles Page Contents
Column Description
Name Name of the user role.
AAA Displays the AAA profile or profiles that are referenced by the user role. Refer to “Profiles > AAA”
on page 49.
Captive Portal Profile Displays the Captive Portal Auth profiles, if any, that are referenced by the user role. Refer to
“Profiles > AAA > Captive Portal Auth” on page 57.
802.1X Auth Displays the 802.1X Auth profiles that are referenced by the user role. Refer to “Profiles > AAA >
Advanced Authentication” on page 56.
Stateful 802.1X Auth Displays the Stateful 802.1X Auth profiles that are referenced by the user role. Refer to “Profiles >
AAA > Stateful 802.1X Auth” on page 65.
VPN Auth Displays the VPN Auth profiles that are referenced by the user role. Refer to “Profiles > AAA >
Combined VPN Auth” on page 66.
Folder Displays the folder that is associated with this User Role. A Top viewable folder for the role is able
to view all devices and groups contained by the top folder. The top folder and its subfolders must
contain all of the devices in any of the groups it can view.
Clicking any folder name takes you to the APs/Devices > List page for folder inventory and
configuration.