
user-role

user-role <name>

access-list {eth|mac|session} <acl> [ap-group <group>] [position <number>]

bw-contract

app <appname> <bw-contract_name> {downstream|upstream}

appcategory <appcategory-name> <bw-contract_name> {downstream|upstream}

exclude {app|appcategory}

web-cc-category <web-cc-category-name> <bw-contract_name> {downstream|upstream}

web-cc-reputation {high-risk|low-risk|moderate-risk|suspicious|trustworthy} <bw-contract_name> {downstream|upstream}

<bw-contract-name> [per-user|per-apgroup] {downstream|upstream}

captive-portal {<STRING>|check-for-accounting}

dialer <name>

dpi

max-sessions <number>

no ...

openflow-enable

pool {l2tp|pptp} <name>

qos-profile <profile>

reauthentication-interval [<minutes>|<seconds>]

registration-role

sso <profile>

stateful-kerberos <profile>

stateful-ntlm <ntlm_profile_name>

via <profile>

vlan {VLAN ID|VLAN name}

web-cc disable

wispr <wispr_profile_name>

Description

This command configures a user role.

Syntax

Parameter | Description | Range | Default

<name>

Role name

access-list

Type of ACL to be applied:

eth: Ethertype ACL, configured with the ip access-list eth command.

mac: MAC ACL, configured with the ip access-list mac command.

session: Session ACL, configured with the ip access-list session command.

<acl>

Name of the configured ACL.

ap-group

(Optional) AP group to which this ACL applies.

position

(Optional) Position of this ACL relative to other ACLs that you can configure for the user role. 1 is the top.

Default: last

bandwidth-contract

Name of a bandwidth contract or rate limiting policy configured with the aaa bandwidth-contract command. The bandwidth contract must be applied to either downstream or upstream traffic.

app

Name of the application bandwidth contract configured for the user role. The bandwidth contract must be applied to either downstream or upstream traffic.

NOTE: For a complete list of supported applications, issue the command show dpi application all.

appcategory

Name of the application category bandwidth contract configured for the user role. The bandwidth contract must be applied to either downstream or upstream traffic.

NOTE: For a complete list of supported application categories, issue the command show dpi application category all.

web-cc-category|web-cc-reputation <cc-name> <bwc-name>

Apply a bandwidth contract to the specified web content category or reputation level. Bandwidth contracts can be applied to user-defined web content categories created using the web-cc command. The five web content reputation levels are predefined in ArubaOS.

NOTE: Bandwidth contracts applied to a web content category or reputation will not be enforced unless web content classification is enabled using the firewall web-content-classification command.

Available reputation categories are:

high-risk

low-risk

moderate-risk

suspicious

trustworthy

exclude {app|appcategory}

Excludes an application or application category from being configured as a bandwidth contract.

downstream

Applies the bandwidth contract to traffic from the controller to the client.

per-user

Specifies that the bandwidth contract is assigned on a per-user basis instead of a per-role basis. For example, if two users are active on the network and both are part of the same role with a 500 Kbps bandwidth contract, then each user is able to use up to 500 Kbps.

Default: per role

upstream

Applies the bandwidth contract to traffic from the client to the controller.

captive-portal <STRING>

Name of the captive portal profile configured with the aaa authentication captive-portal command.

check-for-accounting

If disabled, RADIUS accounting is done for authenticated users irrespective of the captive portal profile in the role of an authenticated user. If enabled, accounting is not done as long as the user's role has a captive portal profile on it. Accounting will start when Auth/XML-Add/CoA changes the role of an authenticated user to a role which doesn't have a captive portal profile.

Default: enabled

dialer

If VPN is used as an access method, name of the VPN dialer configured with the vpn-dialer command. The user can log in using captive portal and download the dialer. The dialer is a Windows application that configures the VPN client.

dpi

Role specific DPI configuration.

disable

Disable role specific DPI configuration.

max-sessions

Maximum number of datapath sessions per user in this role.

Range: 0-65535

Default: 65535

no

Negates any configured parameter.

openflow-enable

Enables SDN for the user role.

Default: disabled

pool

If VPN is used as an access method, specifies the IP address pool from which the user's IP address is assigned:

l2tp: When a user negotiates an L2TP or IPsec session, specifies an address pool configured with the ip local pool command.

pptp: When a user negotiates a PPTP session, specifies an address pool configured with the pptp ip local pool command.

<name>

Name of the L2TP or PPTP pool to be applied.

qos-profile

Applies a QoS profile to the user role.

reauthentication-interval

Interval, in minutes or seconds, after which the client is required to reauthenticate.

Range: 0-4096 in minutes; 0-245760 in seconds

Default: 0 (disabled)

registration-role

If enabled, a user is forced to do MAC-based authentication every time the user connects to the network.

Default: disabled

sso

Applies an SSO profile to the user role.

stateful-kerberos

Applies a stateful Kerberos profile to the user role.

stateful-ntlm

Applies stateful NTLM authentication to the specified user role.

via

Applies a VIA connection profile to the user role.

vlan

Identifies the VLAN ID or VLAN name to which the user role is mapped. This parameter works only when using Layer-2 authentication such as 802.1X or MAC address, ESSID, or encryption type role mapping, because these authentications occur before an IP address is assigned. If a user authenticates using a Layer-3 mechanism such as VPN or captive portal, this parameter has no effect.

NOTE: VLAN IDs and VLAN names cannot be listed together.

voip-profile

Applies a VOIP profile to the user role.

web-cc disable

Disable web content classification for this user role. User role bandwidth contracts associated with web content classification categories and reputation types will not be enforced unless web content classification is enabled using the firewall web-content-classification command.

wispr

Apply WISPr authentication to the specified user role.

Usage Guidelines

Every client in a user-centric network is associated with a user role. All wireless clients start in an initial role. From the initial role, clients can be placed into other user roles as they pass authentication.

Example

The following command configures a user role:

(host)[md](config) #user-role new-user

dialer default-dialer

pool pptp-pool-1
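As an added illustration, not part of the ArubaOS reference or any Aruba tooling, the following Python helper models a user-role stanza, checks it against the constraints this page states (ACL type must be eth, mac or session; position 1 is the top and an entry without a position lands last; every bandwidth contract is tagged downstream or upstream; max-sessions is 0-65535; reauthentication-interval in minutes is 0-4096) and renders the CLI lines an operator would enter in config mode. The role, ACL and contract names are constructed sample values, and only the minutes form of reauthentication-interval is emitted.

```python
"""Build, validate and render an ArubaOS ``user-role`` stanza.

Added example; not code from the ArubaOS documentation or from Aruba. The
constraints below are the ones stated on the user-role reference page. Names
used in the sample role are constructed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ACL_TYPES = ("eth", "mac", "session")
DIRECTIONS = ("downstream", "upstream")
MAX_SESSIONS_RANGE = (0, 65535)        # page: max-sessions range 0-65535
REAUTH_MINUTES_RANGE = (0, 4096)       # page: reauthentication-interval, minutes


@dataclass
class AclEntry:
    acl_type: str
    name: str
    position: Optional[int] = None     # 1 is the top; None means "last" (the default)


@dataclass
class BwContract:
    name: str
    direction: str                     # "downstream" (controller to client) or "upstream"
    per_user: bool = False             # False keeps the page's default: a per-role contract


@dataclass
class UserRole:
    name: str
    acls: List[AclEntry] = field(default_factory=list)
    bw_contracts: List[BwContract] = field(default_factory=list)
    max_sessions: Optional[int] = None
    reauth_minutes: Optional[int] = None


def validate(role: UserRole) -> List[str]:
    """Return the list of constraint violations; an empty list means the role is valid."""
    problems = []
    for acl in role.acls:
        if acl.acl_type not in ACL_TYPES:
            problems.append(f"access-list {acl.name}: type must be eth, mac or session")
        if acl.position is not None and acl.position < 1:
            problems.append(f"access-list {acl.name}: position must be 1 or greater")
    for bwc in role.bw_contracts:
        if bwc.direction not in DIRECTIONS:
            problems.append(f"bw-contract {bwc.name}: direction must be downstream or upstream")
    lo, hi = MAX_SESSIONS_RANGE
    if role.max_sessions is not None and not lo <= role.max_sessions <= hi:
        problems.append(f"max-sessions {role.max_sessions}: outside {lo}-{hi}")
    lo, hi = REAUTH_MINUTES_RANGE
    if role.reauth_minutes is not None and not lo <= role.reauth_minutes <= hi:
        problems.append(f"reauthentication-interval {role.reauth_minutes}: outside {lo}-{hi} minutes")
    return problems


def effective_acl_order(acls: List[AclEntry]) -> List[str]:
    """Resolve the order in which the role's ACLs are evaluated.

    Entries are applied in configuration order: one with a position is inserted at
    that slot (1 = top, clamped to the end if larger than the list so far); one
    without a position is appended, matching the page's "(last)" default.
    """
    order: List[str] = []
    for acl in acls:
        if acl.position is None:
            order.append(acl.name)
        else:
            order.insert(min(acl.position - 1, len(order)), acl.name)
    return order


def render(role: UserRole) -> str:
    """Emit the config-mode CLI lines, refusing a role that fails validation."""
    problems = validate(role)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"user-role {role.name}"]
    for acl in role.acls:
        line = f"  access-list {acl.acl_type} {acl.name}"
        if acl.position is not None:
            line += f" position {acl.position}"
        lines.append(line)
    for bwc in role.bw_contracts:
        scope = " per-user" if bwc.per_user else ""
        lines.append(f"  bw-contract {bwc.name}{scope} {bwc.direction}")
    if role.max_sessions is not None:
        lines.append(f"  max-sessions {role.max_sessions}")
    if role.reauth_minutes is not None:
        lines.append(f"  reauthentication-interval {role.reauth_minutes}")
    return "\n".join(lines)


# Constructed sample: a guest role whose blocking ACL is pushed to the top with position 1.
GUEST_ROLE = UserRole(
    name="guest",
    acls=[
        AclEntry("session", "allowall"),
        AclEntry("session", "block-internal", position=1),
    ],
    bw_contracts=[BwContract("guest-500k", "downstream", per_user=True)],
    max_sessions=512,
    reauth_minutes=60,
)

if __name__ == "__main__":
    print(render(GUEST_ROLE))
    print("evaluation order:", effective_acl_order(GUEST_ROLE.acls))
```

The ordering helper is the part worth keeping at hand when reviewing roles: an ACL added later with `position 1` is evaluated before the ACLs configured earlier, so a permissive entry entered first does not become the effective first match.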

Command History

Release

Modification

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Requires the PEFNG license.

Config mode on Mobility Master.
