201 | Roles and Policies Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Configuring Machine and User Authentication Roles
You can assign different rights to clients based on whether their hardware device supports machine
authentication. Machine authentication is only supported on Windows devices, so that this can be used to
distinguish between Windows devices and other devices such as iPads.
You can create any of the following types of rules:
l Machine Auth only role—This indicates a Windows machine with no user logged in. The device supports
machine authentication and has a valid RADIUS account, but a user has not yet logged in and
authenticated.
l User Auth only role—This indicates a known user or a non-Windows device. The device does not support
machine authentication or does not have a RADIUS account, but the user is logged in and authenticated.
When a device does both machine and user authentication, the user obtains the default role or the derived role
based on the RADIUS attribute.
You can configure machine authentication with role-based access control using the Instant UI or the CLI.
In the Instant UI
To configure machine authentication with role-based access control:
1. In the Access tab of the WLAN wizard (New WLAN or Edit <WLAN-profile>) or in the wired profile
configuration window (New Wired Network or Edit Wired Network), under Roles, create Machine
auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role, and applying the rule. For more information
on configuring access rules, see Configuring ACL Rules for Network Services on page 182.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only
roles.
4. Click Finish to apply these changes.
In the CLI
To configure machine and user authentication roles for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authentication roles for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user_only>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
Configuring Derivation Rules
Instant allows you to configure role and VLAN derivation-rules. You can configure these rules to assign a user
role or a VLAN to the clients connecting to an SSID or a wired profile.
Understanding Role Assignment Rule
When an SSID or a wired profile is created, a default role for the clients connecting to this SSID or wired profile
is assigned. You can assign a user role to the clients connecting to an SSID by any of the following methods.
The role assigned by some methods may take precedence over the roles assigned by the other methods.
To Next Page
Loading...
Need help?
General
