
Aruba 2530 - Page 437

Aruba 2530
479 pages
If configured, untagged VLAN specified in the user role (VSA Derived Role, UDR, or Initial Role).
Statically configured untagged and/or tagged VLANs of the port the user is on.
Operational notes
When user roles are enabled, all users that are connecting on ports where authentication is configured will
have a user role applied. User role application happens even if the user fails to authenticate. If the user cannot
be authenticated, the “Initial Role” will be applied to that user.
The user role may be applied in one of two ways:
Vendor Specific Attribute (VSA)
Type: RADIUS: Hewlett-Packard-Enterprise
Name: HPE-User-Role
ID: 25
Value: <myUserRole>
The RADIUS server (ClearPass Policy Manager) determines application of the VSA Derived Role. The role
is sent to the switch via a RADIUS VSA. The VSA Derived Role will have the same precedence order as
the authentication type (802.1x, WMA).
User Derived Role (UDR)
The User Derived Role is part of Local MAC authentication (LMA) and is applied when user roles are
enabled and LMA is configured.
UDR will have the same precedence as LMA. Precedence behavior of the authentication types will be
maintained (802.1x -> LMA -> WMA, highest to lowest).
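The HPE-User-Role VSA described above, laid out on the wire as a RADIUS Vendor-Specific attribute (RFC 2865), as an added example that is not taken from the manual. Only the vendor type 25 comes from the page; the vendor ID 11 and the sample user name and role value are assumptions. The parser can be run over the attribute section of a captured Access-Accept to confirm which role the RADIUS server sent.

```python
import struct

VSA_TYPE = 26        # RADIUS Vendor-Specific attribute (RFC 2865, section 5.26)
HPE_VENDOR_ID = 11   # assumption: enterprise number used by the HPE dictionary
HPE_USER_ROLE = 25   # vendor type "ID: 25" (HPE-User-Role) from the manual


def encode_user_role(role: str) -> bytes:
    """Build the Vendor-Specific attribute that carries HPE-User-Role."""
    value = role.encode("utf-8")
    sub = bytes([HPE_USER_ROLE, 2 + len(value)]) + value
    length = 2 + 4 + len(sub)  # type + length + vendor id + sub-attribute
    if length > 255:
        raise ValueError("role name too long for one RADIUS attribute")
    return bytes([VSA_TYPE, length]) + struct.pack("!I", HPE_VENDOR_ID) + sub


def extract_user_roles(attrs: bytes) -> list:
    """Return every HPE-User-Role value found in a RADIUS attribute section."""
    roles, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VSA_TYPE or len(body) < 4:
            continue  # not a vendor-specific attribute
        if struct.unpack("!I", body[:4])[0] != HPE_VENDOR_ID:
            continue  # another vendor's VSA
        sub, i = body[4:], 0
        while i + 2 <= len(sub):
            v_type, v_len = sub[i], sub[i + 1]
            if v_len < 2 or i + v_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if v_type == HPE_USER_ROLE:
                roles.append(sub[i + 2:i + v_len].decode("utf-8"))
            i += v_len
    return roles


# Constructed sample: User-Name (type 1) followed by the role VSA.
SAMPLE = bytes([1, 7]) + b"alice" + encode_user_role("myUserRole")
```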
Restrictions
User roles cannot be enabled when BYOD redirect, MAC authentication failure redirect, or enhanced
web-based authentication are enabled.
Web-based authentication is not supported on the same port with other authentication methods when user
roles are enabled.
show port-access <AUTH-TYPE> commands are not supported when user-roles are enabled. The
command show port-access clients [detail] is the only way to see authenticated clients with their
associated roles.
aaa port-access auth <port> control commands are not supported when user roles are enabled.
unauth-vid commands are not supported when user roles are enabled.
auth-vid commands are not supported when user roles are enabled.
Limitations for web-based authentication
Cannot be combined with other authentication types on the same port.
Limitations for LMA
Reauthentication period and captive portal profile are not supported.
Chapter 23 Local user roles 437
