user-role

user-role <name>

access-list {eth|mac|session} <acl> [ap-group <group>] [position <number>]

bw-contract

app <appname> <bw-contract_name> {downstream|upstream}

appcategory <appcategory-name> <bw-contract_name> {downstream|upstream}

exclude {app|appcategory}

web-cc-category <web-cc-category-name> <bw-contract_name> {downstream|upstream}

web-cc-reputation {high-risk|low-risk|moderate-risk|suspicious|trustworthy} <bw-contract_name> {downstream|upstream}

<bw-contract_name> [per-user|per-apgroup] {downstream|upstream}

captive-portal {<STRING>|check-for-accounting}

dialer <name>

dpi

max-sessions <number>

no ...

openflow-enable

pool {l2tp|pptp|via-dhcp} <name>

qos-profile <profile>

reauthentication-interval [<minutes>|<seconds>]

registration-role

robust-age-out

sso <profile>

stateful-kerberos <profile>

stateful-ntlm <ntlm_profile_name>

via <profile>

vlan {VLAN ID|VLAN name}

web-cc disable

wispr <wispr_profile_name>

Description

This command configures a user role.

Every client in a user-centric network is associated with a user role. All wireless clients start in an initial role. From the initial role, clients can be placed into other user roles as they pass authentication.

Parameter

Description

<name>

Role name

access-list

Type of ACL to be applied:

eth: Ethertype ACL, configured with the ip access-list eth command.

mac: MAC ACL, configured with the ip access-list mac command.

session: Session ACL, configured with the ip access-list session command.

<acl>

Name of the configured ACL.

ap-group

(Optional) AP group to which this ACL applies.

position

(Optional) Position of this ACL relative to other ACLs that you can configure for the user role. 1 is the top.

Default: (last)

bw-contract

Name of a bandwidth contract or rate limiting policy configured with the aaa bandwidth-contract command. The bandwidth contract must be applied to either downstream or upstream traffic.

app

Name of the application bandwidth contract configured for the user role. The bandwidth contract must be applied to either downstream or upstream traffic.

NOTE: For a complete list of supported applications, issue the command show dpi application all.

appcategory

Name of the application category bandwidth contract configured for the user role. The bandwidth contract must be applied to either downstream or upstream traffic.

NOTE: For a complete list of supported applications, issue the command show dpi application category all.

web-cc-category|web-cc-reputation <cc-name> <bwc-name>

Applies a bandwidth contract to the specified web content category or reputation level. Bandwidth contracts can be applied to user-defined web content categories created using the web-cc command. The five web content reputation levels are predefined in ArubaOS.

NOTE: Bandwidth contracts applied to a web content category or reputation level are not enforced unless web content classification is enabled using the firewall web-content-classification command.

Range: Available reputation categories are:

high-risk

low-risk

moderate-risk

suspicious

trustworthy

exclude {app|appcategory}

Excludes an application or application category from being configured as a bandwidth contract.

downstream

Applies the bandwidth contract to traffic from the controller to the client.

per-user

Specifies that bandwidth contract is assigned on a per-user basis instead of a per-role basis. For example, if two users are active on the network and both are part of the same role with a 500 Kbps bandwidth contract, then each user is able to use up to 500 Kbps.

Default: (per role)

upstream

Applies the bandwidth contract to traffic from the client to the controller.

captive-portal <STRING>

Name of the captive portal profile configured with the aaa authentication captive-portal command.

check-for-accounting

If disabled, RADIUS accounting is done for authenticated users irrespective of the captive-portal profile in the role of the authenticated user. If enabled, accounting is not done as long as the user's role has a captive-portal profile on it. Accounting starts when Auth/XML-Add/CoA changes the role of an authenticated user to a role that does not have a captive-portal profile.

Default: Enabled

dialer

If VPN is used as an access method, name of the VPN dialer configured with the vpn-dialer command. The user can log in using captive portal and download the dialer. The dialer is a Windows application that configures the VPN client.

dpi

Role specific DPI configuration.

disable

Disable role specific DPI configuration.

max-sessions

Maximum number of datapath sessions per user in this role.

Range: 0-65535

Default: 65535

no

Negates any configured parameter.

openflow-enable

Enables SDN for the user role.

Default: Enabled

pool

If VPN is used as an access method, specifies the IP address pool from which the user's IP address is assigned:

l2tp: When a user negotiates an L2TP or IPsec session, specifies an address pool configured with the ip local pool command.

pptp: When a user negotiates a PPTP session, specifies an address pool configured with the pptp ip local pool command.

via-dhcp: Uses an external DHCP server instead of the internal L2TP pool; the managed device obtains the client IP address from that external DHCP server.

NOTE: L2TP pool and DHCP pool configuration in a role are mutually exclusive.

<name>

Name of the L2TP, PPTP, or DHCP pool to be applied.

qos-profile

Applies a QOS profile to the user role.

reauthentication-interval

Interval, in minutes or seconds, after which the client is required to reauthenticate.

Range: 0-4096 in minutes

0-245760 in seconds

Default: 0 (disabled)

registration-role

If enabled, a user is forced to do MAC-based authentication every time the user connects to the network.

Default: disabled

robust-age-out

Applies the robust age-out mechanism to wired passive clients.

Default: Disabled.

NOTE: This feature impacts system load and performance. Enable this mechanism for a limited number of clients only.

sso

Applies an SSO profile to the user role.

stateful-kerberos

Applies a stateful Kerberos profile to the user role.

stateful-ntlm

Applies stateful NTLM authentication to the specified user role.

via

Applies a VIA connection profile to the user role.

vlan

Identifies the VLAN ID or VLAN name to which the user role is mapped. This parameter works only when using Layer-2 authentication such as 802.1X or MAC address, ESSID, or encryption type role mapping, because these authentications occur before an IP address is assigned. If a user authenticates using a Layer-3 mechanism such as VPN or captive portal, this parameter has no effect.

NOTE: VLAN IDs and VLAN names cannot be listed together.

voip-profile

Applies a VOIP profile to the user role.

web-cc disable

Disables web content classification for this user role. User role bandwidth contracts associated with web content classification categories and reputation types are not enforced unless web content classification is enabled using the firewall web-content-classification command.

wispr

Applies WISPr authentication to the specified user role.

Example

The following command configures a user role:

(host)[md](config) #user-role new-user

dialer default-dialer

pool pptp-pool-1
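The example above covers only the VPN dialer and pool parameters. The following is an added example, not taken from the ArubaOS documentation, that builds a restricted post-authentication guest role from the access-list, bw-contract, max-sessions, reauthentication-interval and vlan parameters described in the table. The ACL name guest-restrict, the bandwidth contract name guest-512k, VLAN 200 and the config-submode prompt are assumed values; the ip access-list session and aaa bandwidth-contract commands are the prerequisite commands the parameter table refers to, and logon-control is the predefined session ACL that permits the bootstrap services (DHCP, DNS).

```text
(host)[md](config) #ip access-list session guest-restrict
(host)[md](config-submode) #user any svc-dhcp permit
(host)[md](config-submode) #user any svc-dns permit
(host)[md](config-submode) #user network 10.0.0.0 255.0.0.0 any deny log
(host)[md](config-submode) #user network 172.16.0.0 255.240.0.0 any deny log
(host)[md](config-submode) #user network 192.168.0.0 255.255.0.0 any deny log
(host)[md](config-submode) #user any svc-http permit
(host)[md](config-submode) #user any svc-https permit
(host)[md](config-submode) #user any any deny log
(host)[md](config-submode) #exit
(host)[md](config) #aaa bandwidth-contract guest-512k kbits 512
(host)[md](config) #user-role guest
(host)[md](config-submode) #access-list session logon-control position 1
(host)[md](config-submode) #access-list session guest-restrict position 2
(host)[md](config-submode) #bw-contract guest-512k per-user downstream
(host)[md](config-submode) #bw-contract guest-512k per-user upstream
(host)[md](config-submode) #max-sessions 256
(host)[md](config-submode) #reauthentication-interval 60
(host)[md](config-submode) #vlan 200
(host)[md](config-submode) #exit
(host)[md](config) #show rights guest
```

Rule order is what makes the role restrictive: the session ACL is evaluated top down and the first match wins, so the deny rules for the private address ranges must come before the permit rules for HTTP and HTTPS, and the final user any any deny ensures that anything not explicitly permitted is dropped and logged. The position keyword controls the same ordering between ACLs on the role (1 is the top), which keeps logon-control ahead of the restrictive ACL. The bandwidth contract is applied per-user rather than per-role, so one guest cannot consume the whole role's allocation, and max-sessions caps the datapath sessions a single client may hold, which limits the impact of a scanning or flooding client. A captive-portal profile is deliberately not attached here: per the check-for-accounting description, it belongs on the pre-authentication role that clients hold before they log in, and leaving it on the post-authentication role would suppress RADIUS accounting for authenticated guests. The final show rights guest displays the resulting role so the ACL order and contracts can be verified.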

Command History

Release: ArubaOS 8.8.0.0

Modification: Added a new sub-parameter, via-dhcp, to support an external DHCP server address pool instead of the internal L2TP pool. Added a new parameter, robust-age-out, to apply a new age-out mechanism to wired passive clients.

Release: ArubaOS 8.0.0.0

Modification: Command introduced.

Command Information

Platforms: All platforms

License: Requires the PEFNG license.

Command Mode: Config mode on Mobility Conductor.