AirWave Wireless Management Suite | Configuration Guide Aruba Configuration Reference | 141
Security > User Roles
A client is assigned a user role by one of several methods. A user role assigned by one method may take
precedence over a user role assigned by a different method. The methods of assigning user roles are, from
lowest to highest precedence:
1. The initial user role for unauthenticated clients is configured in the AAA profile for a virtual AP.
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known
as a user-derived role). You can configure rules that assign a user role to clients that match a certain set
of criteria. For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a
MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client
authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1x or
VPN. For each authentication method, you can configure a default role for clients who are successfully
authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client
attributes (this is known as a server-derived role). If the client is authenticated via an authentication
server, the user role for the client can be based on one or more attributes returned by the server during
authentication, or on client attributes such as SSID (even if the attribute is not returned by the server).
Server-derivation rules are executed after client authentication.
5. The user role can be derived from Aruba Vendor-Specific Attributes (VSA) for RADIUS server
authentication. A role derived from an Aruba VSA takes precedence over any other user roles.
In the Aruba user-centric network, the user role of a wireless client determines its privileges, including the
priority that every type of traffic to or from the client receives in the wireless network. Thus, QoS for voice
applications is configured when you configure firewall roles and policies.
In an Aruba system, you can configure roles for clients that use mostly data traffic, such as laptop computers,
and roles for clients that use mostly voice traffic, such as VoIP phones. Although there are different ways for a
client to derive a user role, in most cases the clients using data traffic will be assigned a role after they are
authenticated through a method such as 802.1x, VPN, or captive portal. The user role for VoIP phones can be
derived from the OUI of their MAC addresses or the SSID to which they associate. This user role will typically
be configured to have access allowed only for the voice protocol being used (for example, SIP or SVP).
You must install the Policy Enforcement Firewall license in the controller.
This page displays the current user roles in Aruba Configuration and where they are used. This page
contains the columns described in Table 55:
Table 55 Security > User Roles Page Contents
Column Description
Name Name of the user role.
AAA Displays the AAA profile or profiles that are referenced by the user role. For additional
information, refer to “Profiles > AAA” on page68.
Captive Portal Auth Displays the Captive Portal Auth profiles, if any, that are referenced by the user role. For
additional information, refer to “Profiles > AAA > Captive Portal Auth” on page69.
802.1X Auth Displays the 802.1X Auth profiles that are referenced by the user role. For additional
information, refer to “Profiles > AAA > 802.1x Auth” on page75.
Stateful 802.1X Auth Displays the Stateful 802.1X Auth profiles that are referenced by the user role. For
additional information, refer to “Profiles > AAA > Stateful 802.1X Auth” on page72.
VPN Auth Displays the VPN Auth profiles that are referenced by the user role. For additional
information, refer to “Profiles > AAA > VPN Auth” on page73.
To Next Page
Loading...
