Local User Roles (LUR) On OSCX

By esupport posted Mar 31, 2020 11:05 AM

  • Aruba OSCX 6300
  • ClearPass Server


The software on the switch used in this article is FL.10.04.0001AJ.

The software on the ClearPass server used in this article is 6.7.11.



Local User Roles are configured locally on the switch. A user role defines the traffic that the end device is given access to and the VLAN that the end device is placed in; other options are available as well. User roles help a network administrator implement better security and give more control over device authorization, whether the device's authentication is accepted or rejected.


The local user roles consist of:

  • classifiers, and
  • policies

The classifiers and policies are used to manipulate the traffic flow for the clients that fall into that specific user role.

A user role can have multiple classes and multiple policies.




1) Configure the RADIUS server on the switch with the following command:

switch(config)# radius-server host <RADIUS_SERVER IP ADDRESS> key [plaintext | ciphertext] <key>


2) Enable mac-authentication/dot1x globally as well as on the ports on which you wish to enable authentication in the switch. In this case I have used mac-authentication and port number 1/1/2:


3) Configure the classifiers and policies with the following commands:


In the class, you specify the subnet and the traffic type that you want to act on, for example IP, TCP or UDP.

In the policy, you decide what is to be done with the traffic that was declared under the class. Many actions are available under a policy, such as drop, dscp and redirect.


4) Configure the Local User Role as follows:

In this example:

  • the user role name is "abbas"
  • the policy associated with the user role is named "allpol"
  • the untagged VLAN ID used is 404



a) Add the switch to the ClearPass server as a NAD (network access device). Policy Manager --> Configuration --> Network --> Devices


b) Add a profile. Policy Manager --> Configuration --> Enforcement --> Profiles:



NOTE: The Value for the Attribute is the user role name that is configured on the switch, and it has to be exactly the same.


c) Create a policy and call the profile inside that policy. Policy Manager --> Configuration --> Enforcement --> Policies


d) Create a MAC authentication service that enforces the rules mentioned in the policy. Policy Manager --> Configuration --> Services
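
The NOTE in step b) requires the profile value to match the role name on the switch exactly. The following Python check is an added example, not part of the original article or of any Aruba tooling: it parses a constructed running-config excerpt (the line format shown is an assumption) and flags a profile value that misses a role only by case or whitespace, or a role whose associated policy is not defined.

```python
import re

# Constructed sample of a switch running-config excerpt. The line formats
# are an assumption; names and VLAN 404 follow the article's example.
SAMPLE_CONFIG = """\
port-access policy allpol
    10 class ip allclass
port-access role abbas
    associate policy allpol
    vlan access 404
port-access role guest
    associate policy guestpol
    vlan access 410
"""

def parse_roles(config):
    """Return ({role: {"policy": str|None, "vlan": int|None}}, {policy names})."""
    roles, policies, current = {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"port-access role (\S+)\s*$", line):
            current = roles.setdefault(m.group(1), {"policy": None, "vlan": None})
        elif m := re.match(r"port-access policy (\S+)\s*$", line):
            policies.add(m.group(1))
            current = None
        elif not line.startswith((" ", "\t")):
            current = None  # any other top-level line ends the role block
        elif current is not None:
            if m := re.match(r"\s+associate policy (\S+)", line):
                current["policy"] = m.group(1)
            elif m := re.match(r"\s+vlan access (\d+)", line):
                current["vlan"] = int(m.group(1))
    return roles, policies

def check_profile_value(value, config):
    """Classify a ClearPass profile value against the roles on the switch."""
    roles, policies = parse_roles(config)
    if value in roles:  # exact, case-sensitive match as the NOTE requires
        policy = roles[value]["policy"]
        if policy is not None and policy not in policies:
            return "role-has-missing-policy"
        return "ok"
    # Near miss: the value differs only by case or surrounding whitespace.
    near = [r for r in roles if r.lower() == value.strip().lower()]
    return f"near-miss:{near[0]}" if near else "unknown-role"
```

Running this against the exported switch configuration before enabling the ClearPass service catches a mistyped role name before clients start authenticating against it.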





On the switch:

Verify that the user role is applied to the port using the following command:


To get information about the user role:

switch# show port-access role


On ClearPass, verify the detailed information about the RADIUS request and response in the Access Tracker.