Alcatel-Lucent AOS-W 6.5.3.x - Assigning User Roles

Alcatel-Lucent AOS-W 6.5.3.x
1160 pages
In the CLI
The commands to associate an access control list (ACL) to a user role vary, depending upon the type of access
control list being associated to that role. User roles are applied globally across all switches, so ethertype, MAC
and session ACLs can be applied to global user roles. However, routing access lists may vary between locations,
so they are mapped to a user role in a local configuration setting.
To associate the user role with an ethertype, MAC or session ACL, use the command user-role <role> access-list eth|mac|session <acl>. To associate a user role with a routing ACL, use the routing-policy-map command.
Assigning User Roles
A client is assigned a user role by one of several methods. A role assigned by one method may take precedence
over one assigned by a different method. The methods of assigning user roles are, from lowest to highest
precedence:
1. The initial user role or VLAN for unauthenticated clients is configured in the AAA profile for a virtual AP (see
Access Points on page 509).
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a
user-derived role). You can configure rules that assign a user role to clients that match a certain set of
criteria. For example, you can configure a rule to assign the role VoIP-Phone to any client that has a MAC
address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1X or VPN.
For each authentication method, you can configure a default role for clients who are successfully
authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client
attributes (this is known as a server-derived role). If the client is authenticated via an authentication server,
the user role for the client can be based on one or more attributes returned by the server during
authentication, or on client attributes such as SSID (even if the attribute is not returned by the server).
Server-derivation rules are executed after client authentication.
5. The user role can be derived from Alcatel-Lucent Vendor-Specific Attributes (VSA) for RADIUS server
authentication. A role derived from an Alcatel-Lucent VSA takes precedence over any other user roles.
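The precedence order above decides which role a client actually ends up with when several methods produce one, and the ordering has a consequence worth checking during a design review: a user-derived role (method 2) is overridden by the authentication method's default role (method 3), so a device matched by a MAC-prefix rule before authentication can lose that role the moment it completes MAC or 802.1X authentication. The model below is an added illustration of that resolution logic, not AOS-W code or configuration syntax; the role names other than VoIP-Phone, the MAC prefix, the SSID names, the Filter-Id value and the VSA-User-Role attribute key are constructed placeholders.

```python
# Added illustration of AOS-W user-role precedence; not vendor code.
# Precedence, lowest to highest, as the user guide lists it:
#   1. initial role from the AAA profile
#   2. user-derived role (rules on client attributes, evaluated before authentication)
#   3. default role of the authentication method (802.1X, MAC, VPN, ...)
#   4. server-derived role (rules on server-returned attributes and client attributes such as SSID)
#   5. role carried in the vendor-specific RADIUS attribute (VSA)
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Client:
    mac: str
    ssid: str
    authenticated: bool = False
    auth_method: Optional[str] = None                        # e.g. "802.1X", "mac", "vpn"
    server_attrs: Dict[str, str] = field(default_factory=dict)  # attributes returned by the auth server


# A derivation rule is (predicate over the client, role to assign when it matches).
Rule = Tuple[Callable[[Client], bool], str]


def first_match(rules: List[Rule], client: Client) -> Optional[str]:
    """Evaluate rules in order; the first matching rule supplies the role."""
    for predicate, role in rules:
        if predicate(client):
            return role
    return None


@dataclass
class AAAProfile:
    initial_role: str                                                   # method 1
    user_derivation_rules: List[Rule] = field(default_factory=list)     # method 2
    method_default_roles: Dict[str, str] = field(default_factory=dict)  # method 3
    server_derivation_rules: List[Rule] = field(default_factory=list)   # method 4


VSA_ROLE_ATTR = "VSA-User-Role"   # placeholder key for the vendor-specific role attribute (method 5)


def resolve_role(profile: AAAProfile, client: Client) -> Tuple[str, str]:
    """Return (effective role, winning method). Later candidates override earlier ones."""
    candidates = [(profile.initial_role, "initial")]

    # Method 2 runs before authentication, so it also applies to unauthenticated clients.
    role = first_match(profile.user_derivation_rules, client)
    if role:
        candidates.append((role, "user-derived"))

    if client.authenticated:
        # Method 3: default role of the method the client authenticated with.
        role = profile.method_default_roles.get(client.auth_method or "")
        if role:
            candidates.append((role, "method-default"))
        # Method 4: rules over server-returned attributes and client attributes such as SSID.
        role = first_match(profile.server_derivation_rules, client)
        if role:
            candidates.append((role, "server-derived"))
        # Method 5: a role delivered in the VSA takes precedence over every other source.
        role = client.server_attrs.get(VSA_ROLE_ATTR)
        if role:
            candidates.append((role, "vsa"))

    return candidates[-1]


# Constructed sample profile (all role names except VoIP-Phone are placeholders).
SAMPLE_PROFILE = AAAProfile(
    initial_role="logon",
    user_derivation_rules=[
        (lambda c: c.mac.lower().startswith("00:1b:4f"), "VoIP-Phone"),   # constructed OUI prefix
    ],
    method_default_roles={"802.1X": "employee", "mac": "guest"},
    server_derivation_rules=[
        # Filter-Id is a standard RADIUS attribute; the value "contractor" is constructed.
        (lambda c: c.server_attrs.get("Filter-Id") == "contractor", "contractor"),
        # SSID is a client attribute, usable even when the server returns nothing.
        (lambda c: c.ssid == "corp-byod", "byod"),
    ],
)


def demo() -> Dict[str, Tuple[str, str]]:
    """Resolve a set of constructed clients against SAMPLE_PROFILE."""
    phone, laptop = "00:1b:4f:aa:bb:cc", "08:00:27:11:22:33"
    cases = {
        "unauth-phone": Client(mac=phone, ssid="voice"),
        "unauth-laptop": Client(mac=laptop, ssid="corp"),
        # MAC-authenticated phone: method default (3) beats the user-derived role (2).
        "mac-phone": Client(mac=phone, ssid="voice", authenticated=True, auth_method="mac"),
        "dot1x-laptop": Client(mac=laptop, ssid="corp", authenticated=True, auth_method="802.1X"),
        "dot1x-byod": Client(mac=laptop, ssid="corp-byod", authenticated=True, auth_method="802.1X"),
        "dot1x-vsa": Client(mac=laptop, ssid="corp-byod", authenticated=True, auth_method="802.1X",
                            server_attrs={"Filter-Id": "contractor", VSA_ROLE_ATTR: "finance"}),
    }
    return {name: resolve_role(SAMPLE_PROFILE, c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (role, source) in demo().items():
        print(f"{name:14s} -> {role:12s} (via {source})")
```

The mac-phone case is the one to watch: the MAC authentication default role replaces the VoIP-Phone role derived before authentication, so a phone that should keep a voice-specific role needs either a matching method default or a server-derivation rule, not only a user-derivation rule.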
The following sections describe the methods of assigning user roles.
Assigning User Roles in AAA Profiles
An AAA profile defines the user role for unauthenticated clients (initial role) as well as the default user role for
MAC and 802.1X authentication. For additional information on creating AAA profiles, see WLAN Authentication
on page 438.
In the WebUI
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select the default profile or a user-defined AAA profile.
3. Click the Initial Role drop-down list, and select the desired user role for unauthenticated users.
4. Click the 802.1X Authentication Default Role drop-down list and select the desired user role for users
who have completed 802.1X authentication.
5. Click the MAC Authentication Default Role drop-down list and select the desired user role for clients
who have completed MAC authentication.
6. Click Apply.
AOS-W 6.5.3.x | User Guide Roles and Policies | 387