Creating User Roles

 

This section describes how to create a new user role. When you create a user role, you specify one or more policies for the role.

Table 1 describes the different parameters you can configure for the user role.

 

Table 1: User Role Parameters

Field

Description

Firewall Policies (required)

One or more policies that define the privileges of a wireless client in this role. There are three ways to add a firewall policy to a user role:

Choose from configured policies (see Creating a Firewall Policy): Select a policy from the list of configured policies and click the “Done” button to add the policy to the list of policies in the user role. If this policy is to be applied to this user role only for specific AP groups, you can specify the applicable AP group.
Create a new policy from a configured policy: This option can be used to create a new policy that is derived from an existing policy.
Create a new policy: The rules for the policy can be added as explained in Creating a Firewall Policy.

Re-authentication Interval (optional)

Time, in minutes, after which the client is required to reauthenticate. Enter a value between 0-4096. 0 disables reauthentication.

Default: 0 (disabled)

Role VLAN ID (optional)

By default, a client is assigned a VLAN on the basis of the ingress VLAN for the client to the controller. You can override this assignment and configure the VLAN ID that is to be assigned to the user role. You configure a VLAN by navigating to the Configuration > Network > VLANs page.

Bandwidth Contract (optional)

You can assign a bandwidth contract to provide an upper limit to upstream or downstream bandwidth utilized by clients in this role. You can select the Per User option to apply the bandwidth contracts on a per-user basis instead of to all clients in the role.

For more information, see Bandwidth Contracts.

VPN Dialer (optional)

This assigns a VPN dialer to a user role. For details about VPN dialer, see Virtual Private Networks.

Select a dialer from the drop-down list and assign it to the user role. This dialer will be available for download when a client logs in using captive portal and is assigned this role.

L2TP Pool (optional)

This assigns an L2TP pool to the user role. For more details about L2TP pools, see Virtual Private Networks.

Select the required L2TP pool from the list to assign to the user role. The inner IP addresses of VPN tunnels using L2TP will be assigned from this pool of IP addresses for clients in this user role.

PPTP Pool (optional)

This assigns a PPTP pool to the user role. For more details about PPTP pools, see Virtual Private Networks.

Select the required PPTP pool from the list to assign to the user role. The inner IP addresses of VPN tunnels using PPTP will be assigned from this pool of IP addresses for clients in this user role.

Captive Portal Profile (optional)

This assigns a Captive Portal profile to this role. For more details about Captive Portal profiles, see Captive Portal Authentication.

Max Sessions

This parameter configures the maximum number of sessions per user in this role. When a user's session count reaches the maximum, any additional sessions from that user are blocked until the user's session count falls back below the configured limit.

The default is 65535. You can configure any value between 0-65535.

Creating a User Role

The following example creates the user role ‘web-guest’ and assigns the previously-configured ‘web-only’ policy to this user role.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click Add to create and configure a new user role.
3. Enter web-guest for Role Name.
4. Under Firewall Policies, click Add. From Choose from Configured Policies, select the ‘web-only’ session policy from the list. You can click Create to create and configure a new policy.
5. Click Done to add the policy to the user role.

 

If there are multiple policies for this role, the policies can be re-ordered using the up and down buttons provided for each policy.

6. You can optionally enter configuration values as described in Table 1.
7. Click Apply to apply this configuration. The role is not created until the configuration is applied.

After assigning the user role (see Assigning User Roles), you can click the Show Reference button to see the profiles that reference this user role.

To delete a user role in the WebUI:

1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Click the Delete button against the role you want to delete.

 

You cannot delete a user role that is referenced by a profile or by a server-derived role. Deleting a role that is still referenced by a server results in an error. Remove all references to the role and then perform the delete operation.

In the CLI

(host)(config) #user-role web-guest
   access-list session web-only position 1

After assigning the user role (see Assigning User Roles), you can use the show reference user-role <role> command to see the profiles that reference this user role.
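The following is an added example (not ArubaOS code or part of this documentation) that validates the Table 1 ranges before emitting the CLI block shown above, so that an out-of-range re-authentication interval or session limit is caught before it reaches the controller. The user-role, access-list session ... position and bw-contract commands follow the page's CLI examples; the reauthentication-interval and max-sessions keywords are assumed names for the Table 1 fields of the same name.

```python
"""Validate user-role parameters per Table 1 and emit the matching ArubaOS CLI.

Added example, not from the ArubaOS documentation. The user-role,
access-list session ... position and bw-contract commands follow the
page's CLI examples; reauthentication-interval and max-sessions are
assumed keyword names for the Table 1 fields of the same name.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class UserRole:
    name: str
    policies: List[str]                 # ordered; the first entry gets position 1
    reauth_minutes: int = 0             # 0-4096 minutes, 0 disables reauthentication
    max_sessions: int = 65535           # 0-65535, default 65535
    # (contract name, "upstream" | "downstream", per_user)
    bw_contracts: List[Tuple[str, str, bool]] = field(default_factory=list)

    def validate(self) -> None:
        """Enforce the constraints Table 1 states for each field."""
        if not self.policies:
            raise ValueError("at least one firewall policy is required")
        if not 0 <= self.reauth_minutes <= 4096:
            raise ValueError("re-authentication interval must be 0-4096 minutes")
        if not 0 <= self.max_sessions <= 65535:
            raise ValueError("max sessions must be 0-65535")
        for _, direction, _ in self.bw_contracts:
            if direction not in ("upstream", "downstream"):
                raise ValueError(f"bad bandwidth contract direction {direction!r}")

    def to_cli(self) -> List[str]:
        """Return the config-mode lines that create this role."""
        self.validate()
        lines = [f"user-role {self.name}"]
        # Policies are evaluated in position order, so list order is security-relevant.
        for pos, policy in enumerate(self.policies, start=1):
            lines.append(f"   access-list session {policy} position {pos}")
        if self.reauth_minutes:                      # 0 is the default (disabled)
            lines.append(f"   reauthentication-interval {self.reauth_minutes}")
        if self.max_sessions != 65535:               # 65535 is the default
            lines.append(f"   max-sessions {self.max_sessions}")
        for cname, direction, per_user in self.bw_contracts:
            scope = " per-user" if per_user else ""
            lines.append(f"   bw-contract {cname}{scope} {direction}")
        return lines


def web_guest_role() -> List[str]:
    """The page's web-guest role with the BC512_up per-user upstream contract."""
    role = UserRole("web-guest", ["web-only"],
                    bw_contracts=[("BC512_up", "upstream", True)])
    return role.to_cli()
```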

Bandwidth Contracts

You can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles or AP groups. You can configure bandwidth contracts, in kilobits per second (Kbps) or megabits per second (Mbps), for the following types of traffic:

from the client to the controller (“upstream” traffic)
from the controller to the client (“downstream” traffic)

You can assign different bandwidth contracts to upstream and downstream traffic for the same user role. You can also assign a bandwidth contract for only upstream or only downstream traffic for a user role; if there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.

By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. You can optionally apply a bandwidth contract on a per-user or per-ap-group basis; each user who belongs to the role is allowed the configured bandwidth rate.

For example, if clients are connected to the controller through a DSL line, you may want to restrict the upstream bandwidth rate allowed for each user to 128 Kbps. Or, you can limit the total downstream bandwidth used by all users in the ‘guest’ role to 128 Mbps. The following example configures a bandwidth rate of 128 Kbps and applies it to upstream traffic for the previously-configured ‘web-guest’ user role on a per-user basis.

Configuring a Bandwidth Contract in the WebUI

In the WebUI, you can first configure a bandwidth contract and then assign it to a user role:

1. Navigate to the Configuration > Advanced Services > Stateful Firewall > BW Contracts page.
2. Click Add to create a new contract.
3. In the Contract Name field, enter BC512_up.
4. The Bandwidth field allows you to define a bandwidth rate in either kbps or Mbps. For this example, enter 512 in the Bandwidth field, then click the drop-down list and select kbps.
5. Click Done.

Assigning a Bandwidth Contract to a User Role in the WebUI

Now that you have a defined bandwidth contract, you can assign that contract to a user role.

1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Select Edit for the web-guest user role.
3. Under Bandwidth Contract, select BC512_up from the drop-down menu for Upstream.
4. Select Per User.
5. Scroll to the bottom of the page, and click Apply.

You can also configure the user role and create the bandwidth contract from the User Roles page:

1. Navigate to the Configuration > Security > Access Control > User Roles page.
2. Select Edit for the web-guest user role.
3. In the Bandwidth Contract section, click the Upstream drop-down list and select Add New. The New Bandwidth Contract fields appear.
a. In the Name field, enter BC512_up.
b. In the Bandwidth field, enter 512.
c. Click the Bandwidth drop-down list and select kbps.
d. Click Done to add the new contract and assign it to the role. The New Bandwidth Contract section closes.
4. In the Bandwidth Contract section, select the Per User checkbox.
5. Scroll to the bottom of the page, and click Apply.

Configuring and Assigning Bandwidth Contracts in the CLI

(host)(config) #aaa bandwidth-contract BC512_up kbps 512
(host)(config) #user-role web-guest
   bw-contract BC512_up per-user upstream

Bandwidth Contract Exceptions

Bandwidth contracts on a VLAN can limit broadcast and multicast traffic. ArubaOS includes an internal exception list to allow broadcast and multicast traffic using the VRRP, LACP, OSPF, PVST and STP protocols. To remove per-vlan bandwidth contract limits on an additional broadcast or multicast protocol, add the MAC address for that broadcast/multicast protocol to the Vlan Bandwidth Contracts MAC Exception List.

Viewing the Current Exceptions List

To view the current bandwidth contract exception list, access the command-line interface in enable mode and issue the command show vlan-bwcontract-explist. To view the preconfigured internal bandwidth contract exception list, include the optional internal parameter: show vlan-bwcontract-explist internal.


Configuring Bandwidth Contract Exceptions

To add the MAC address of a protocol to the exception list for bandwidth contracts, access the command-line interface in config mode and issue the command vlan-bwcontract-explist mac <mac-addr>.

The following example adds the MAC address shared by CDP (Cisco Discovery Protocol) and VTP (Virtual Trunking Protocol) to the list of protocols that are not limited by VLAN bandwidth contracts.

(host)(config) #vlan-bwcontract-explist mac 01:00:0C:CC:CC:CC
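As an added example (not ArubaOS code), the following models the exception-list decision described above: a broadcast or multicast frame is subject to the VLAN bandwidth contract unless its destination MAC is on the internal list or was added with vlan-bwcontract-explist mac. The internal list is reconstructed here from the well-known multicast MACs of the protocols the page names (VRRP, LACP, OSPF, PVST, STP); the controller's actual internal list is not shown on this page and is assumed.

```python
"""Model the VLAN bandwidth-contract MAC exception list.

Added example, not ArubaOS code. INTERNAL_EXCEPTIONS is reconstructed from the
protocols the page names (VRRP, LACP, OSPF, PVST, STP) using their well-known
multicast destination MACs; the controller's real internal list is assumed.
"""
import re
from typing import Set


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Well-known destination MACs of the protocols the page says are exempt by default.
INTERNAL_EXCEPTIONS: Set[str] = {
    "01:00:5e:00:00:12",  # VRRP (224.0.0.18)
    "01:80:c2:00:00:02",  # LACP (IEEE slow protocols)
    "01:00:5e:00:00:05",  # OSPF AllSPFRouters (224.0.0.5)
    "01:00:5e:00:00:06",  # OSPF AllDRouters (224.0.0.6)
    "01:00:0c:cc:cc:cd",  # PVST / PVST+
    "01:80:c2:00:00:00",  # STP bridge group address
}


class ExceptionList:
    """Internal exceptions plus the MACs an administrator adds."""

    def __init__(self) -> None:
        self.user_added: Set[str] = set()

    def add(self, mac: str) -> str:
        """Equivalent of: (host)(config) #vlan-bwcontract-explist mac <mac-addr>"""
        mac = normalize_mac(mac)
        self.user_added.add(mac)
        return mac

    def contract_applies(self, dst_mac: str) -> bool:
        """True if a frame to dst_mac is rate-limited by the per-VLAN contract.

        Only broadcast/multicast frames (I/G bit set in the first octet) are
        covered by the VLAN contract; those are limited unless the destination
        is on the internal or user-added exception list.
        """
        dst = normalize_mac(dst_mac)
        is_group = int(dst[:2], 16) & 0x01
        if not is_group:
            return False
        return dst not in INTERNAL_EXCEPTIONS | self.user_added
```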