Every client in the Instant network is associated with a user role, which determines the client’s network privileges, the frequency of reauthentication, and the applicable bandwidth contracts.
Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.
The user role configuration on a
Creating a User Role
Assigning Bandwidth Contracts to User Roles
Configuring Machine and User Authentication Roles
You can create a user role by using the Instant UI or CLI.
To create a user role:
1. Click Security at the top right corner of the Instant main window. The window is displayed.
2. Click the Roles tab. The Roles tab contents are displayed.
3. Under Roles, click New.
4. Enter a name for the new role and click OK.
You can also create a user role when configuring wireless or wired network profiles. For more information, see Configuring Access Rules for a WLAN SSID Profile and Configuring Access Rules for a Wired Profile.
To configure user roles and access rules:
(Instant AP)(config)# wlan access-rule <access-rule-name>
(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit | deny | src-nat | dst-nat {<IP-address> <port> | <port>}} [<option1…option9>]
Administrators can manage bandwidth utilization by assigning maximum bandwidth rates, or bandwidth contracts, to user roles. A bandwidth contract configured in Kbps can be assigned to upstream (client to the IAP) or downstream (IAP to clients) traffic for a user role. The bandwidth contract does not apply to user traffic to bridged-out (same subnet) destinations. For example, if clients are connected to an SSID, you can restrict the upstream bandwidth rate allowed for each user to 512 Kbps.
By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth will be served and shared among all the users. You can also assign bandwidth per user to provide every user a specific bandwidth within a range of 1 to 65535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed.
In earlier releases, a bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If the bandwidth contract is assigned for an SSID in the Instant 6.2.1.0-3.4.0.0 image and the IAP is then upgraded to the 6.4.0.2-4.1 release version, the bandwidth configuration per SSID is treated as a per-user downstream bandwidth contract for that SSID.
1. Click Security at the top right corner of the Instant main window. The window is displayed.
2. Click the Roles tab. The tab contents are displayed.
3. Create a new role or select an existing role.
4. Under Access Rules, click . The window is displayed.
5. Select from the drop-down list.
6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the checkbox.
7. Click .
8. Associate the user role to a WLAN SSID or wired profile.
You can also create a user role and assign bandwidth contracts while configuring an SSID or wired profile.
To assign a bandwidth contract in the CLI:
(Instant AP)(config)# wlan access-rule <name>
(Instant AP)(Access Rule <name>)# bandwidth-limit {downstream <kbps> | upstream <kbps> | peruser {downstream <kbps> | upstream <kbps>}}
(Instant AP)(Access Rule <name>)# end
(Instant AP)# commit apply
To associate the access rule to a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# access-rule-name <access-rule-name>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine Authentication is only supported on Windows devices, so this can be used to distinguish between Windows devices and other devices such as iPads.
You can create any of the following types of rules:
Machine Auth only role - This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.
User Auth only role - This indicates a known user or a non-Windows device. The device does not support machine auth or does not have a RADIUS account, but the user is logged in and authenticated.
When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.
You can configure machine authentication with role-based access control using the Instant UI or CLI.
To configure machine authentication with role-based access control, perform the following steps:
1. In the tab of the WLAN ( or ) or Wired Network configuration ( or ) window, under , create Machine auth only and User auth only roles.
2. Configure access rules for these roles by selecting the role, and applying the rule. For more information on configuring access rules, see Configuring Access Rules for Network Services.
3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.
4. Click Finish to apply these changes.
To configure machine and user authentication roles for a WLAN SSID:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To configure machine and user authentication roles for a wired profile:
(Instant AP)(config)# wired-port-profile <name>
(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine-authentication-only> <user-authentication-only>
(Instant AP)(wired ap profile <name>)# end
(Instant AP)# commit apply
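An offline check for three constraints stated on this page (the 32-role limit, the 1 to 65535 Kbps per-user range, and profiles that name roles which must exist), as an added example that is not Aruba's code. It assumes roles are defined by wlan access-rule blocks and that the saved configuration mirrors the CLI commands shown above; the sample configuration and its role and profile names are constructed.

```python
import re

MAX_ROLES = 32                  # role limit stated on this page
KBPS_MIN, KBPS_MAX = 1, 65535   # per-user range stated on this page

# Constructed sample, not from a real device. Assumption: the saved config
# lists commands as typed in the CLI, sub-mode commands indented.
SAMPLE_CONFIG = """\
wlan access-rule corp-machine
wlan access-rule corp-user
 bandwidth-limit peruser upstream 512
wlan access-rule guest
 bandwidth-limit peruser downstream 70000
wlan ssid-profile corp
 set-role-machine-auth corp-machine corp-usr
wired-port-profile lobby
 access-rule-name guest
"""

OPENERS = {("wlan", "access-rule"): "role", ("wlan", "ssid-profile"): "ssid",
           ("wired-port-profile",): "wired"}
REF_CMDS = {"ssid": {"set-role-machine-auth"},   # commands that name a role
            "wired": {"set-role-machine-auth", "access-rule-name"}}
PERUSER = re.compile(r"bandwidth-limit peruser (downstream|upstream) (\d+)")

def lint(config):
    """Return findings for role limits, rate ranges and dangling role names."""
    roles, refs, findings = set(), [], []
    kind = name = None                       # block currently being read
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():             # top-level command opens a block
            kind, name = OPENERS.get(tuple(words[:-1])), words[-1]
            if kind == "role":
                roles.add(name)
            continue
        rate = PERUSER.fullmatch(" ".join(words))
        if kind == "role" and rate and not KBPS_MIN <= int(rate[2]) <= KBPS_MAX:
            findings.append(f"role {name}: per-user {rate[1]} rate {rate[2]} out of range")
        elif words[0] in REF_CMDS.get(kind, ()):
            refs += [(name, role) for role in words[1:3]]
    findings += [f"profile {p}: role {r} is not defined" for p, r in refs if r not in roles]
    if len(roles) > MAX_ROLES:
        findings.append(f"{len(roles)} roles defined, limit is {MAX_ROLES}")
    return findings

print("\n".join(lint(SAMPLE_CONFIG)))
```

In the sample, the misspelled user-auth-only role on the corp SSID is the finding to act on first: the profile names a role that no access rule defines.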