Creating a User Role

User roles comprise user role settings, firewall policies, and bandwidth contracts. This section describes how to create and delete a user role and how to associate a firewall policy with that role.

The commands used to associate an ACL with a user role depend on the type of ACL. User roles are applied globally across all managed devices, so ethertype, MAC, and session ACLs can be applied to global user roles. Routing access lists, however, may vary between locations, so they are mapped to a user role in a local configuration setting.

The following procedure describes how to create a new user role:

  1. In the Managed Network node hierarchy, navigate to Configuration > Roles & Policies > Roles.
  2. Click + to create a new role.
  3. Enter a Name for the new role and click Submit.
  4. Select the newly created role and click + under the Rules of this role only table.
  5. Select a rule type from the Rule Type field and click OK.
  6. In the New Forwarding Rule section, configure all the parameters.
  7. Click Submit.
  8. Select one of the following options to add a policy to the role:
    • To create a new policy: in the Policies tab, select the role and click + under the Policies table. Enter a Name for the policy, select a Policy type, and click Submit.
    • To associate an existing policy with the role:
      • Select the role in the Roles tab and click Show Advanced View in the Roles <policy name> table.
      • Click + under the Policies tab.
      • Select the Add an existing policy option and choose a policy from the Policy name drop-down list.
      • Click Submit.
  9. (Optional) If the user role contains more than one firewall policy, use the up and down arrows to order the policies. The higher a policy appears in the list, the higher its priority: traffic is matched against the policies top down and the first matching rule decides, so place specific permits and denies above broader rules.
  10. Click Show Advanced View and enter the configuration values as described in Table 1.
  11. Click Submit.
  12. Click Pending Changes.
  13. In the Pending Changes window, select the check box and click Deploy changes.
  14. Assign the user role to an AAA profile on the managed device. After assigning the user role, run the show reference user-role <role> command on the managed device to see the profiles that reference this role. For more information, see Workflow for Assigning a User Role.

Table 1: User Role Parameters

Parameter: Name
Description: Name of the user role, 1 to 63 characters.

More > Network

Parameter: VLAN (optional)
Description: Assigns a VLAN ID to the user role. By default a client is placed in the VLAN on which it entered the managed device (its ingress VLAN). Setting a VLAN here overrides that assignment for every client placed in this role.

Parameter: Re-auth interval (optional)
Description: Time, in minutes, after which the client must reauthenticate. Enter a value between 0 and 4096; 0 disables reauthentication. Default: 0 (disabled).

Parameter: Max Sessions (optional)
Description: Maximum number of sessions per user in this role. Once a user reaches this limit, additional sessions from that user are blocked until the user's session count falls back below the configured value. Default: 65535; range 0 to 65535.

Parameter: Deep packet inspection (optional)
Description: Enables or disables deep packet inspection for clients in this role. Enabled by default.

Parameter: Web content classification (optional)
Description: Enables or disables web content classification for all HTTP traffic from clients in this role. Enabled by default.

Parameter: YouTube education (optional)
Description: Enables or disables YouTube education. Disabled by default. If enabled, YouTube requests are redirected to YouTube education, where non-educational videos are not streamed; you can optionally enter a YouTube education enabled cookie.

Parameter: Open flow (optional)
Description: Enables or disables OpenFlow (software-defined networking) for the user role. Enabled by default.

More > VPN

Parameter: VPN Dialer (optional)
Description: Assigns a VPN dialer to the user role. Select a dialer from the drop-down list. The dialer is offered for download when a client logs in through the captive portal and is assigned this role. For details about VPN dialers, see Virtual Private Networks.

Parameter: L2TP Pool (optional)
Description: Assigns an L2TP pool to the user role. Select the required pool from the list. The inner IP addresses of L2TP VPN tunnels for clients in this role are allocated from this pool. For more details about L2TP pools, see Virtual Private Networks.

Parameter: PPTP Pool (optional)
Description: Assigns a PPTP pool to the user role. Select the required pool from the list. The inner IP addresses of PPTP VPN tunnels for clients in this role are allocated from this pool. For more details about PPTP pools, see Virtual Private Networks.

Parameter: VIA connection profile
Description: Assigns a VIA connection profile to the user role.

More > Authentication

Parameter: IDP profile (optional)
Description: Assigns an IDP profile to the user role. For more details, refer to

Parameter: Stateful NTLM profile (optional)
Description: Assigns a stateful NTLM profile to the user role. For more details, refer to Configuring Stateful NT LAN Manager Authentication.

Parameter: Stateful Kerberos profile (optional)
Description: Assigns a stateful Kerberos profile to the user role. For more details, refer to Configuring Stateful Kerberos Authentication.

Parameter: WISPr profile (optional)
Description: Assigns a WISPr profile to the user role. For more details, refer to WISPr Authentication.

Parameter: Captive Portal Profile (optional)
Description: Assigns a captive portal profile to this role. For more details about captive portal profiles, see Captive Portal Authentication.

Parameter: Captive Portal Check for Accounting (optional)
Description: Enables or disables this check. Enabled by default. When enabled, RADIUS accounting is not started while the authenticated user's role carries a captive portal profile; accounting starts when authentication, XML-Add, or CoA moves the user into a role that has no captive portal profile. When disabled, RADIUS accounting is performed for every authenticated user regardless of whether the user's role carries a captive portal profile.

Bandwidth

Parameter: Bandwidth (optional)
Description: Navigate to Show Advanced View > Bandwidth to assign a bandwidth contract, which sets an upper limit on the upstream or downstream bandwidth used by clients in this role. Select the Per User option to apply the contract to each user individually instead of to all clients in the role combined. For more information, see Configuring Bandwidth Contracts.

Captive Portal

Parameter: Captive Portal
Description: This tab allows you to personalize the captive portal page. For details, refer to Personalizing the Captive Portal Page.
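The WebUI procedure above has a CLI equivalent on the managed device, shown here as an added example that is not part of the original page. It builds an imaginary guest role: the ACL, netdestination, bandwidth contract, role name, VLAN ID and the numeric limits are assumptions chosen for the example, and the commands are the ArubaOS CLI forms for the objects Table 1 describes (check each with ? on your release before pasting, since keyword order can differ between versions).

```text
! Added example, not the page's own configuration. Names and values are assumptions.

! 1. Work at the Managed Network node so the role is pushed to every managed device.
(host) [mynode] #cd /md
(host) [md] #configure terminal

! 2. A destination alias for the corporate network the guest role must not reach.
(host) [md] (config) #netdestination internal-net
(host) [md] (config-dest) #network 10.0.0.0 255.0.0.0
(host) [md] (config-dest) #exit

! 3. Session ACL. Rules are evaluated top down and the first match wins,
!    so the deny for the internal network sits above the web permits, and
!    an explicit deny-all closes the list rather than relying on the implicit deny.
(host) [md] (config) #ip access-list session guest-acl
(host) [md] (config-sess-guest-acl)#user any svc-dhcp permit
(host) [md] (config-sess-guest-acl)#user any svc-dns permit
(host) [md] (config-sess-guest-acl)#user alias internal-net any deny
(host) [md] (config-sess-guest-acl)#user any svc-http permit
(host) [md] (config-sess-guest-acl)#user any svc-https permit
(host) [md] (config-sess-guest-acl)#user any any deny
(host) [md] (config-sess-guest-acl)#exit

! 4. Bandwidth contract referenced by the role (Table 1, Bandwidth): 2 Mbit/s.
(host) [md] (config) #aaa bandwidth-contract guest-bw kbits 2000

! 5. The role: the ACL from step 3 plus the More > Network settings from Table 1.
(host) [md] (config) #user-role guest
(host) [md] (config-role) #session-acl guest-acl
(host) [md] (config-role) #vlan 100
(host) [md] (config-role) #reauthentication-interval 60
(host) [md] (config-role) #max-sessions 1000
(host) [md] (config-role) #bw-contract guest-bw upstream
(host) [md] (config-role) #bw-contract guest-bw downstream
(host) [md] (config-role) #exit

! 6. Commit the pending changes (the WebUI's Deploy changes).
(host) [md] (config) #write memory

! 7. Verify the rendered role, then confirm which profiles reference it
!    (the reference list is also what blocks a later delete).
(host) [md] #show rights guest
(host) [md] #show reference user-role guest
```

The same ordering rule applies when a role carries several policies (step 9 above): the position of session-acl entries within the role is the policy priority, so a broad permit policy placed first silently shadows a narrower deny policy placed after it.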

Deleting a User Role

The following procedure describes how to delete a user role:

  1. In the Managed Network node hierarchy, navigate to Configuration > Roles & Policies > Roles in the WebUI.
  2. Select the Role and click the Delete icon.

You cannot delete a user role that is still referenced by a profile or by a server-derived role; attempting to delete a referenced role returns an error. List the references with show reference user-role <role>, remove each of them, and then perform the delete operation.