
Configuring User Roles

Every client in the Instant network is associated with a user role, which determines the client’s network privileges, the frequency of reauthentication, and the applicable bandwidth contracts. The user role configuration on an IAP involves the following procedures:

Creating a User Role
Assigning Bandwidth Contracts to User Roles
Configuring Machine and User Authentication Roles

Creating a User Role

You can create a user role by using Instant UI or CLI.

In the Instant UI

To create a user role:

1. Click Security at the top right corner of the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.

You can also create a user role when configuring wireless or wired network profiles. For more information, see Configuring Access Rules for a WLAN SSID Profile and Configuring Access Rules for a Wired Profile.

In the CLI

To configure user roles and access rules:

(Instant Access Point)(config)# wlan access-rule <access-rule-name>

(Instant Access Point)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit | deny | src-nat | dst-nat {<IP-address> <port> | <port>}} [<option1…option9>]

Assigning Bandwidth Contracts to User Roles

Administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. A bandwidth contract is configured in Kbps and can be assigned to upstream (client to the IAP) or downstream (IAP to clients) traffic for a user role. The bandwidth contract does not apply to user traffic to bridged out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps.

By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth is served to and shared among all the users. You can also assign bandwidth per user to provide every user a specific bandwidth within a range of 1 to 65535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.

In earlier releases, a bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If a bandwidth contract is assigned to an SSID in the Instant 6.2.1.0-3.4.0.0 image and the IAP is then upgraded to the 6.3.1.1-4.0 release version, the per-SSID bandwidth configuration is treated as a per-user downstream bandwidth contract for that SSID.

Assigning Bandwidth Contracts in the Instant UI

1. Click Security at the top right corner of the Instant main window. The Security window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Create a new role or select an existing role.
4. Under Access Rules, click New. The New Rule window is displayed.
5. Select Bandwidth Contract from the Rule Type drop-down.
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Peruser checkbox.
7. Click OK.
8. Associate the user role to a WLAN SSID or wired profile.

You can also create a user role and assign bandwidth contracts while configuring an SSID or wired profile.

Assigning Bandwidth Contracts in the Instant CLI

To assign a bandwidth contract in the CLI:

(Instant Access Point)(config)# wlan access-rule <name>

(Instant Access Point)(Access Rule <name>)# bandwidth-limit {downstream <kbps> | upstream <kbps> | peruser {downstream <kbps> | upstream <kbps>}}

(Instant Access Point)(Access Rule <name>)# end

(Instant Access Point)# commit apply

To associate the access rule to a wired profile:

(Instant Access Point)(config)# wired-port-profile <name>

(Instant Access Point)(wired ap profile <name>)# access-rule-name <access-rule-name>

(Instant Access Point)(wired ap profile <name>)# end

(Instant Access Point)# commit apply

Configuring Machine and User Authentication Roles

You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine authentication is supported only on Windows devices, so it can be used to distinguish between Windows devices and other devices such as iPads.

You can create any of the following types of rules:

Machine Auth only role - This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
User Auth only role - This indicates a known user or a non-Windows device. The device does not support machine auth or does not have a RADIUS account, but the user is logged in and authenticated.

When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.

You can configure machine authentication with role-based access control using Instant UI or CLI.

In the Instant UI

To configure machine authentication with role-based access control, perform the following steps:

1. In the Access tab of the WLAN (New WLAN or Edit <WLAN-profile>) or Wired Network configuration (New Wired Network or Edit Wired Network) window, under Roles, create Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role, and applying the rule. For more information on configuring access rules, see Configuring Access Rules.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
4. Click Finish to apply these changes.

In the CLI

To configure machine and user authentication roles for a WLAN SSID:

(Instant Access Point)(config)# wlan ssid-profile <name>

(Instant Access Point)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>

(Instant Access Point)(SSID Profile <name>)# end

(Instant Access Point)# commit apply

To configure machine and user authentication roles for a wired profile:

(Instant Access Point)(config)# wired-port-profile <name>

(Instant Access Point)(wired ap profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>

(Instant Access Point)(wired ap profile <name>)# end

(Instant Access Point)# commit apply
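
The following Python check is an added example, not part of the original documentation. It audits a configuration written in the command syntax above for per-user bandwidth values outside the 1 to 65535 Kbps range, traffic directions left without a contract (and therefore unlimited), and set-role-machine-auth references to roles that have no wlan access-rule definition. The sample configuration, its role and profile names, and the indented section layout are constructed assumptions.

```python
import re

# Constructed sample in the command syntax shown on this page; not captured from a device.
SAMPLE_CONFIG = """\
wlan access-rule machine-only
 bandwidth-limit peruser downstream 2048
 bandwidth-limit peruser upstream 512
wlan access-rule user-only
 bandwidth-limit peruser downstream 70000
wlan ssid-profile corp
 set-role-machine-auth machine-only guest-limited
"""

BW = re.compile(r"bandwidth-limit (peruser )?(downstream|upstream) (\d+)")
MAUTH = re.compile(r"set-role-machine-auth (\S+) (\S+)")

def audit(config):
    """Return findings for role definitions and machine-auth role references."""
    roles, refs, findings, section = {}, [], [], ("", "")
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():              # unindented line opens a new section
            kind, _, name = line.rpartition(" ")
            section = (kind, name)
            if kind == "wlan access-rule":
                roles[name] = {}              # direction -> Kbps
            continue
        kind, name = section
        bw, ma = BW.fullmatch(line), MAUTH.fullmatch(line)
        if bw and kind == "wlan access-rule":
            roles[name][bw[2]] = int(bw[3])
            if bw[1] and not 1 <= int(bw[3]) <= 65535:
                findings.append(f"{name}: per-user {bw[2]} {bw[3]} Kbps is outside 1-65535")
        elif ma and kind in ("wlan ssid-profile", "wired-port-profile"):
            refs.append((name, ma[1], ma[2]))
    for name, limits in roles.items():
        for direction in ("downstream", "upstream"):
            if direction not in limits:
                findings.append(f"{name}: no {direction} contract, so {direction} is unlimited")
    for profile, *assigned in refs:
        for role in assigned:
            if role not in roles:
                findings.append(f"{profile}: set-role-machine-auth names undefined role {role}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```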