Port access role

Every device that connects to a port is associated with a role. Roles are associated with all clients, both authenticated and unauthenticated, and applied to each user session. By default, roles are enabled on a switch.

Following are a few examples of user role names and the access privileges that can be configured:

  • Employee—Provide complete access to network resources.
  • Contractor—Provide limited access to network resources.
  • Guest—Provide only Internet browsing access.

Each user role determines the client network privileges, frequency of reauthentication, applicable bandwidth contracts, and other permissions.

A role is applied to a client only when the switch has enough Ternary Content-Addressable Memory (TCAM) available to program that role's policy; if TCAM is exhausted, the role cannot be activated for the client.

A user role consists of the following optional parameters:

  • Ingress user policy
    An L3 (IPv4 and/or IPv6) ordered list of classes with actions, applied to traffic the client sends into the switch.

  • captive-portal-profile
    Assigns a captive portal profile to this role.

  • inactivity-timeout
    The inactivity timeout in seconds, in the range 300 to 4294967295, after which an authenticated client that has sent no traffic is implicitly logged off.

  • reauth-period
    Sets the reauthentication period in seconds; 0 disables periodic reauthentication.

  • vlan access
    Sets the untagged VLAN ID for the client.

  • vlan trunk
    Sets the tagged VLAN ID for the client.

  • auth-mode
    Sets whether the role is applied in device-mode or port-mode. The following attributes are configured with it:

    • poe-priority
      Specifies the PoE priority for the interface.

    • mtu
      Configures the MTU for the client.

    • vlan trunk allowed
      Specifies the list of tagged VLANs allowed on the interface.

    • trust-mode
      Configures the QoS trust mode for the client.
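The following Python script is an added example, not code from this page or from a switch vendor. It models the three roles named above (employee, contractor, guest) plus a device-mode role as data, validates each role against the constraints this page states (the 300 to 4294967295 inactivity-timeout range, reauth-period 0 meaning disabled, the device-mode/port-mode choice, and the interface attributes that sit under auth-mode), and renders each role as a CLI-style fragment. The emitted keyword syntax, the 1 to 4094 VLAN ID range check, the trust-mode value set and every role and policy name are assumptions for illustration; compare the output with your switch's own CLI reference before using it.

```python
"""Port-access roles as data: validate against the constraints stated on the
page, then render as a CLI-style fragment.

Added example, not vendor code. The keyword syntax produced by render_role()
is an assumption modelled on the parameter names listed on the page."""
from dataclasses import dataclass, field
from typing import List, Optional

INACTIVITY_MIN, INACTIVITY_MAX = 300, 4294967295   # range stated on the page
VLAN_MIN, VLAN_MAX = 1, 4094                        # assumption: 802.1Q VLAN ID range
AUTH_MODES = {"device-mode", "port-mode"}           # values stated on the page
TRUST_MODES = {"none", "cos", "dscp"}               # assumption: common QoS trust modes


@dataclass
class PortAccessRole:
    name: str
    policy: Optional[str] = None                  # ingress user policy name
    captive_portal_profile: Optional[str] = None
    inactivity_timeout: Optional[int] = None      # seconds until implicit logoff
    reauth_period: Optional[int] = None           # seconds; 0 disables reauth
    vlan_access: Optional[int] = None             # untagged VLAN
    vlan_trunk: Optional[int] = None              # tagged VLAN
    auth_mode: Optional[str] = None               # device-mode | port-mode
    poe_priority: Optional[str] = None            # attribute under auth-mode
    mtu: Optional[int] = None                     # attribute under auth-mode
    vlan_trunk_allowed: List[int] = field(default_factory=list)
    trust_mode: Optional[str] = None              # attribute under auth-mode


def validate_role(role: PortAccessRole) -> List[str]:
    """Return a list of problems; an empty list means the role is acceptable."""
    errs = []
    t = role.inactivity_timeout
    if t is not None and not INACTIVITY_MIN <= t <= INACTIVITY_MAX:
        errs.append(f"{role.name}: inactivity-timeout {t} outside "
                    f"{INACTIVITY_MIN}..{INACTIVITY_MAX}")
    if role.reauth_period is not None and role.reauth_period < 0:
        errs.append(f"{role.name}: reauth-period must be >= 0 (0 disables it)")
    vlans = [("vlan access", role.vlan_access), ("vlan trunk", role.vlan_trunk)]
    vlans += [("vlan trunk allowed", v) for v in role.vlan_trunk_allowed]
    for label, vid in vlans:
        if vid is not None and not VLAN_MIN <= vid <= VLAN_MAX:
            errs.append(f"{role.name}: {label} {vid} outside {VLAN_MIN}..{VLAN_MAX}")
    if role.auth_mode is not None and role.auth_mode not in AUTH_MODES:
        errs.append(f"{role.name}: auth-mode must be one of {sorted(AUTH_MODES)}")
    if role.trust_mode is not None and role.trust_mode not in TRUST_MODES:
        errs.append(f"{role.name}: trust-mode must be one of {sorted(TRUST_MODES)}")
    # The page lists poe-priority, mtu, vlan trunk allowed and trust-mode under
    # auth-mode, so treat them as requiring an auth-mode to be set.
    iface = [role.poe_priority, role.mtu, role.trust_mode] + role.vlan_trunk_allowed
    if role.auth_mode is None and any(a is not None for a in iface):
        errs.append(f"{role.name}: interface attributes set without auth-mode")
    return errs


def render_role(role: PortAccessRole) -> str:
    """Render the role in the assumed CLI form; raise ValueError if it is invalid."""
    errs = validate_role(role)
    if errs:
        raise ValueError("; ".join(errs))
    lines = [f"port-access role {role.name}"]
    simple = [("policy", role.policy),
              ("captive-portal-profile", role.captive_portal_profile),
              ("inactivity-timeout", role.inactivity_timeout),
              ("reauth-period", role.reauth_period),
              ("vlan access", role.vlan_access), ("vlan trunk", role.vlan_trunk),
              ("auth-mode", role.auth_mode), ("poe-priority", role.poe_priority),
              ("mtu", role.mtu), ("trust-mode", role.trust_mode)]
    for kw, val in simple:
        if val is not None:               # note: 0 is a valid reauth-period
            lines.append(f"    {kw} {val}")
    if role.vlan_trunk_allowed:
        lines.append("    vlan trunk allowed "
                     + ",".join(str(v) for v in role.vlan_trunk_allowed))
    return "\n".join(lines)


# Constructed roles following the page's examples; names and values are assumed.
EXAMPLE_ROLES = [
    PortAccessRole("employee", policy="corp-full-access", vlan_access=10,
                   reauth_period=28800, inactivity_timeout=3600),
    PortAccessRole("contractor", policy="contractor-limited", vlan_access=20,
                   reauth_period=3600, inactivity_timeout=900),
    PortAccessRole("guest", policy="internet-only", captive_portal_profile="guest-portal",
                   vlan_access=30, reauth_period=1800, inactivity_timeout=600),
    PortAccessRole("printer", auth_mode="device-mode", vlan_access=40, reauth_period=0,
                   poe_priority="high", mtu=1500, trust_mode="dscp"),
]
# Deliberately wrong: timeout below the 300 s floor and an impossible VLAN ID.
BAD_ROLE = PortAccessRole("broken", inactivity_timeout=60, vlan_access=5000)

if __name__ == "__main__":
    for r in EXAMPLE_ROLES:
        print(render_role(r), end="\n\n")
    print(validate_role(BAD_ROLE))
```

Running the script prints the four rendered roles and then the two validation errors for BAD_ROLE. The validator refuses to render a role with an out-of-range inactivity-timeout or VLAN, and flags interface attributes that appear without an auth-mode, which is the kind of misconfiguration that otherwise surfaces only when a client lands in the wrong VLAN.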