Configuring User Roles

Every client in the Instant network is associated with a user role that determines the network privileges for a client, the frequency of reauthentication, and the applicable bandwidth contracts.

 

Instant allows you to configure up to 32 user roles. If the number of roles exceeds 32, an error message is displayed.

The user role configuration on an Instant AP involves the following procedures:

Creating a User Role

Assigning Bandwidth Contracts to User Roles

Configuring Machine and User Authentication Roles

Configuring Downloadable User Roles (DUR)

ClearPass Policy Manager Certificate Validation for Downloadable User Roles (DUR)

Creating a User Role

You can create a user role by using the WebUI or the CLI.

In the Old WebUI

To create a user role:

1. Click the Security link located directly above the Search bar in the Instant main window. The Security window is displayed.

2. Click the Roles tab. The Roles tab contents are displayed.

3. Under Roles, click New.

4. Enter a name for the new role and click OK.

5. Click OK in the Roles tab to save the changes.

In the New WebUI

To create a user role:

1. Go to Configuration > Security.

2. Click the Roles tab. The Roles tab contents are displayed.

3. Under Roles, click +.

4. Enter a name for the new role and click OK.

5. Click Save in the Roles tab.

 

You can also create a user role when configuring wireless or wired network profiles. For more information, see the sections on configuring wireless and wired network profiles.

In the CLI

To configure user roles and access rules:

(Instant AP)(config)# wlan access-rule <access-rule-name>

(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match> <protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat {<IP-address> <port>|<port>}}[<option1…option9>]

Assigning Bandwidth Contracts to User Roles

Administrators can manage bandwidth utilization by assigning either maximum bandwidth rates or bandwidth contracts to user roles. The administrator can assign a bandwidth contract configured in Kbps to upstream (client to the Instant AP) or downstream (Instant AP to clients) traffic for a user role.

By default, all users that belong to the same role share a configured bandwidth rate for upstream or downstream traffic. The assigned bandwidth is served and shared among all the users. You can also assign a bandwidth rate per user to give every user a specific bandwidth within a range of 1–65,535 Kbps. If no bandwidth contract is specified for a traffic direction, unlimited bandwidth is allowed.

 

In earlier releases, a bandwidth contract could be assigned per SSID. In the current release, the bandwidth contract can also be assigned for each SSID user. If a bandwidth contract is assigned for an SSID in the Instant 6.2.1.0-3.4.0.0 version, and the Instant AP is upgraded to a later release version, the per-SSID bandwidth configuration is treated as a per-user downstream bandwidth contract for that SSID.

The bandwidth contract for a user role can be applied to an Instant AP or to a cluster.

Example

In a cluster of 5 Instant APs with an upstream WAN limit of 100 Mbps, you must set the WAN limit to 20 Mbps for each Instant AP in order to meet the requirement of maintaining the WAN limit of 100 Mbps. However, clients cannot exceed 20 Mbps when needed, even if the cluster output is less than 100 Mbps.

If you want to add more Instant APs, you must recalculate the WAN limit and manually apply it. It is recommended that you apply the WAN limit at the cluster level, as it is more flexible: there is no need to manually recalculate the WAN limit when Instant APs are added or removed in order to meet the upstream WAN constraints.

In the Old WebUI

1. Click the Security link located directly above the Search bar in the Instant main window. The Security window is displayed.

2. Click the Roles tab. The Roles tab contents are displayed.

3. Create a new role (see Creating a User Role) or select an existing role.

4. Under Access Rules, click New. The New Rule window is displayed.

5. Select Bandwidth Contract from the Rule type drop-down list.

6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Per user check box.

7. Click OK.

8. Click OK in the Roles tab to save the changes.

9. Associate the user role to a WLAN SSID or a wired profile.

10. To associate the user role to a WLAN SSID or a wired profile, navigate to the WLAN wizard or Wired window.

Go to the Access tab. Move the slider to Role-based in the Access Rules section.

Under Role Assignment Rules, click New.

Select the user role from the Role drop-down list and then click OK.

Click Next and then click Finish.

In the New WebUI

1. Go to Configuration > Security.

2. Expand Roles tab.

3. Create a new role (see Creating a User Role) or select an existing role.

4. Under Access Rules, click +. The New rule window is displayed.

5. Select Bandwidth Contract from the Rule type drop-down list.

6. Specify the downstream and upstream rates in Kbps. If the assignment is specific for each user, select the Per user check box.

7. Click OK.

8. Click Save.

9. To associate the user role to a WLAN SSID or a wired profile, navigate to the WLAN wizard or Wired window.

Go to Configuration > Networks and select a network profile to modify and click Edit.

Select Access tab. Select Role-based in the Access Rules drop-down list.

Under Role Assignment Rules, click +.

Select the user role from the Role drop-down list and then click OK.

Click Finish.

In the CLI

To assign a bandwidth contract in the CLI:

(Instant AP)(config)# wlan access-rule <name>

(Instant AP) (Access Rule <name>)# bandwidth-limit {downstream <kbps>|upstream <kbps>|peruser {downstream <kbps>| upstream <kbps>}}

To associate the access rule to a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# access-rule-name <access-rule-name>
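The following model of the bandwidth-contract rules above (shared versus per-user rates, the 1–65,535 Kbps per-user range, the per-SSID contract migration on upgrade, and the per-AP versus cluster-level WAN arithmetic from the example) is an added illustration, not Aruba's code; Role, migrate_per_ssid_contract, per_ap_limit_kbps and validate_role_count are assumed names.

```python
"""Model of the bandwidth-contract rules on this page (constructed example,
not Aruba code). Assumed names: Role, migrate_per_ssid_contract,
per_ap_limit_kbps, validate_role_count."""
from dataclasses import dataclass
from typing import List, Optional

MAX_ROLES = 32                         # Instant allows up to 32 user roles
PERUSER_MIN, PERUSER_MAX = 1, 65_535   # per-user contract range in Kbps


def check_peruser_kbps(value: Optional[int]) -> Optional[int]:
    """None means no contract (unlimited); otherwise enforce the per-user range."""
    if value is not None and not PERUSER_MIN <= value <= PERUSER_MAX:
        raise ValueError(f"per-user contract {value} Kbps outside {PERUSER_MIN}-{PERUSER_MAX}")
    return value


@dataclass
class Role:
    """A user role with optional shared and per-user bandwidth contracts (Kbps)."""
    name: str
    downstream: Optional[int] = None          # shared by all users of the role
    upstream: Optional[int] = None            # shared by all users of the role
    peruser_downstream: Optional[int] = None  # each user gets this rate
    peruser_upstream: Optional[int] = None    # each user gets this rate

    def __post_init__(self) -> None:
        self.peruser_downstream = check_peruser_kbps(self.peruser_downstream)
        self.peruser_upstream = check_peruser_kbps(self.peruser_upstream)

    def cli_lines(self) -> List[str]:
        """Render the 'wlan access-rule' / 'bandwidth-limit' CLI shown on this page."""
        lines = [f"wlan access-rule {self.name}"]
        if self.downstream is not None:
            lines.append(f"bandwidth-limit downstream {self.downstream}")
        if self.upstream is not None:
            lines.append(f"bandwidth-limit upstream {self.upstream}")
        if self.peruser_downstream is not None:
            lines.append(f"bandwidth-limit peruser downstream {self.peruser_downstream}")
        if self.peruser_upstream is not None:
            lines.append(f"bandwidth-limit peruser upstream {self.peruser_upstream}")
        return lines


def migrate_per_ssid_contract(legacy_ssid_kbps: int, role_name: str) -> Role:
    """After an upgrade from 6.2.1.0-3.4.0.0, a per-SSID contract is treated as
    a per-user downstream contract for that SSID."""
    return Role(name=role_name, peruser_downstream=legacy_ssid_kbps)


def per_ap_limit_kbps(wan_limit_kbps: int, ap_count: int) -> int:
    """AP-level application splits the cluster WAN budget evenly; it must be
    recalculated whenever APs are added or removed, which cluster-level
    application avoids."""
    if ap_count < 1:
        raise ValueError("a cluster needs at least one Instant AP")
    return wan_limit_kbps // ap_count


def validate_role_count(roles: List[Role]) -> List[Role]:
    """Mirror the AP's error when more than 32 roles are configured."""
    if len(roles) > MAX_ROLES:
        raise ValueError(f"{len(roles)} roles exceed the limit of {MAX_ROLES}")
    return roles
```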

Configuring Machine and User Authentication Roles

You can assign different rights to clients based on whether their hardware device supports machine authentication. Machine authentication is only supported on Windows devices, so it can be used to distinguish between Windows devices and other devices such as iPads.

You can create any of the following types of rules:

Machine Auth only role—This indicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated.

User Auth only role—This indicates a known user or a non-Windows device. The device does not support machine authentication or does not have a RADIUS account, but the user is logged in and authenticated.

When a device does both machine and user authentication, the user obtains the default role or the derived role based on the RADIUS attribute.

You can configure machine authentication with role-based access control using the WebUI or the CLI.

In the Old WebUI

To configure machine authentication with role-based access control:

1. In the Access tab of the WLAN wizard (New WLAN or Edit <WLAN-profile>) or in the wired profile configuration window (New Wired Network or Edit Wired Network), click the Enforce Machine Authentication check box.

2. Configure access rules for these roles by selecting the roles in the Machine auth only and User auth only drop-down lists. For more information on configuring access rules, see the section on configuring access rules in the Old WebUI.

3. Select Enforce Machine Authentication and select the Machine auth only and User auth only roles.

4. Click Finish to apply these changes.

In the New WebUI

To configure machine authentication with role-based access control:

1. Go to Configuration > Networks. To modify an existing network profile, select the profile and click Edit. To create a new network, click +.

2. Select the Access tab.

3. Select Role-based from the Access Rules drop-down list.

4. Toggle the Enforce Machine Authentication switch to enable.

5. Configure access rules for these roles by selecting the roles in the Machine auth only and User auth only drop-down lists. For more information on configuring access rules, see the section on configuring access rules.

6. Click Next and then click Finish to apply these changes.

In the CLI

To configure machine and user authentication roles for a WLAN SSID:

(Instant AP)(config)# wlan ssid-profile <name>

(Instant AP)(SSID Profile <name>)# set-role-machine-auth <machine_only> <user_only>

To configure machine and user authentication roles for a wired profile:

(Instant AP)(config)# wired-port-profile <name>

(Instant AP)(wired ap profile <name>)# set-role-machine-auth <machine_only> <user_only>
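The role selection described above (machine-auth-only, user-auth-only, or the RADIUS-derived/default role when both succeed), together with a render of the set-role-machine-auth CLI, as an added illustration that is not Aruba's code; it assumes Enforce Machine Authentication is enabled, and AuthState, select_role and set_role_machine_auth_cli are assumed names.

```python
"""Role selection for machine and user authentication as described on this
page (constructed example, not Aruba code). Assumed names: AuthState,
select_role, set_role_machine_auth_cli."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class AuthState:
    machine_authenticated: bool           # device passed machine authentication
    user_authenticated: bool              # a user logged in and authenticated
    radius_role_attribute: Optional[str]  # role attribute returned by RADIUS, if any


def select_role(state: AuthState, default_role: str, machine_only_role: str,
                user_only_role: str) -> Tuple[Optional[str], str]:
    """Return (role, reason) following the rules on this page, with
    Enforce Machine Authentication assumed to be enabled."""
    if state.machine_authenticated and state.user_authenticated:
        if state.radius_role_attribute:
            return state.radius_role_attribute, "derived from the RADIUS attribute"
        return default_role, "default role (no RADIUS role attribute)"
    if state.machine_authenticated:
        return machine_only_role, "machine auth only: Windows device, no user logged in"
    if state.user_authenticated:
        return user_only_role, "user auth only: known user or non-Windows device"
    return None, "not authenticated"


def set_role_machine_auth_cli(ssid_profile: str, machine_only_role: str,
                              user_only_role: str, configured_roles: Set[str]) -> List[str]:
    """Render the CLI from this page. Assumption: both roles must already be
    defined on the Instant AP (the WebUI offers them in drop-down lists)."""
    missing = {machine_only_role, user_only_role} - configured_roles
    if missing:
        raise ValueError(f"roles not defined on the Instant AP: {sorted(missing)}")
    return [f"wlan ssid-profile {ssid_profile}",
            f"set-role-machine-auth {machine_only_role} {user_only_role}"]
```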

Configuring Downloadable User Roles (DUR)

Aruba Instant and ClearPass Policy Manager include support for centralized policy definition and distribution. Aruba Instant now supports downloadable user roles. When ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. If the role is not defined on the Instant AP, the role attributes can also be downloaded automatically.

In order to provide highly granular per-user access, user roles can be created when a user has been successfully authenticated. During the configuration of a policy enforcement profile in ClearPass Policy Manager, the administrator can define a role that should be assigned to the user after successful authentication. In RADIUS authentication, when ClearPass Policy Manager successfully authenticates a user, the user is assigned a role by ClearPass Policy Manager. If the role is not defined on the Instant AP, the role attributes can also be downloaded automatically. This feature supports roles obtained by the following authentication methods:

802.1X (WLAN and wired users)

MAC authentication

Captive Portal

In the CLI

You can enable role download using the Instant CLI:

(Instant AP)(config)# wlan ssid-profile <profile_name>

(Instant AP)(SSID Profile <profile_name>)# download-role

(Instant AP)(SSID Profile <profile_name>)# end

(Instant AP)# commit apply

To configure a ClearPass Policy Manager username and password for RADIUS authentication:

(Instant AP)(config)# wlan auth-server <profile_name>

(Instant AP)(Auth Server <profile_name>)# cppm {username <username> password <password>}

(Instant AP)(Auth Server <profile_name>)# end

(Instant AP)# commit apply

Execute the following command to check if role download is enabled on the network profile:

(Instant AP)# show network <profile_name>

ClearPass Policy Manager Certificate Validation for Downloadable User Roles (DUR)

When a ClearPass Policy Manager server is configured as the domain for RADIUS authentication for downloading user roles, in order to validate the ClearPass Policy Manager customized CA, Instant APs are required to publish the root CA for the HTTPS server to the well-known URI (http://<clearpass-fqdn>/.well-known/aruba/clearpass/https-root.pem). The Instant AP must ensure that an FQDN is defined in the above URI for the RADIUS server and then attempt to fetch the trust anchor by using the RADIUS FQDN.

Upon configuring the domain of the ClearPass Policy Manager server for RADIUS authentication along with a username and password, the Instant AP tries to retrieve the CA from the above well-known URI and store it in flash memory. However, if there is more than one ClearPass Policy Manager server configured for authentication, the CA must be uploaded manually.

In the CLI

To retrieve the CA from the ClearPass Policy Manager FQDN:

(Instant AP)# download-cert clearpassca <url> format pem

To copy the ClearPass Policy Manager CA from the TFTP server to the Instant AP:

(Instant AP)# copy tftp <addr> <file> clearpassca format pem

To clear the ClearPass Policy Manager CA from the Instant AP:

(Instant AP)# clear-cert clearpassca

To view the current ClearPass Policy Manager CA uploaded on the Instant AP:

(Instant AP)# show clearpassca

To view the ClearPass Policy Manager CA count in the AP checksum:

(Instant AP)# show ap checksum
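The trust-anchor provisioning rules from this section (an FQDN rather than an IP address for the RADIUS server, automatic retrieval from the well-known URI for a single ClearPass server versus manual upload for several, and a sanity check of the fetched https-root.pem before it is stored), as an added illustration that is not Aruba's code; AuthServer, trust_anchor_uri, plan_ca_provisioning, pem_looks_like_certificate and SAMPLE_PEM are assumed names, and SAMPLE_PEM is a constructed placeholder rather than a real certificate.

```python
"""Checks for the ClearPass trust-anchor flow on this page (constructed
example, not Aruba code). Assumed names: AuthServer, trust_anchor_uri,
plan_ca_provisioning, pem_looks_like_certificate, SAMPLE_PEM."""
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known path from the page where the HTTPS root CA is published.
WELL_KNOWN_PATH = "/.well-known/aruba/clearpass/https-root.pem"

# Constructed placeholder: a 5-byte ASN.1 SEQUENCE, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
              + "\n-----END CERTIFICATE-----\n")


@dataclass
class AuthServer:
    name: str               # 'wlan auth-server <profile_name>'
    host: str               # FQDN or IP literal of the RADIUS server
    cppm_credentials: bool  # True when 'cppm username ... password ...' is set


def is_fqdn(host: str) -> bool:
    """The page requires an FQDN (not an IP address) for the RADIUS server."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(l and l.replace("-", "").isalnum() for l in labels)


def trust_anchor_uri(host: str) -> Optional[str]:
    """Well-known URI the AP fetches the CA from, or None if host is unusable."""
    return f"http://{host}{WELL_KNOWN_PATH}" if is_fqdn(host) else None


def plan_ca_provisioning(servers: List[AuthServer]) -> dict:
    """Automatic retrieval needs exactly one ClearPass server with CPPM
    credentials and an FQDN; otherwise the CA must be uploaded manually
    (copy tftp <addr> <file> clearpassca format pem)."""
    cppm = [s for s in servers if s.cppm_credentials]
    if len(cppm) != 1:
        return {"mode": "manual", "reason": f"{len(cppm)} ClearPass servers configured"}
    uri = trust_anchor_uri(cppm[0].host)
    if uri is None:
        return {"mode": "manual", "reason": f"{cppm[0].host!r} is not an FQDN"}
    return {"mode": "auto", "uri": uri}


def pem_looks_like_certificate(pem: str) -> bool:
    """Sanity-check fetched https-root.pem content before storing it as a trust
    anchor: PEM framing, valid base64, DER opening with SEQUENCE (0x30)."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30
```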
