Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Default user roles and the significance of each?

  • 1.  Default user roles and the significance of each?

    Posted Feb 22, 2017 12:56 PM

    While configuring a AAA profile,

    The "initial role", "mac authentication default role", "dot1x authentication default role" could be mapped with one of the many default user roles viz:

    1. authenticated
    2. cpbase
    3. default-iap-user-role
    4. default-via-role
    5. default-vpn-role
    6. denyall
    7. guest
    8. guest-logon
    9. logon
    10. tpl-Authenticated
    11. voice

    However, I am failing to find the significance of each of these and its applicability.

    Do we have some study documentation giving proper insight on these profiles and their applicability?

     

     



  • 2.  RE: Default user roles and the significance of each?

    EMPLOYEE
    Posted Feb 22, 2017 01:02 PM

    The "initial role" is what you want a user to get if they do not authenticate. If there is an Open SSID, a WEP SSID or a WPA/2-PSK SSID, the initial role is what they get upon association. If the initial role is like an "allowall" role like authenticated, the user will simply be able to pass traffic without doing anything. If the initial role is "logon", which is a captive portal role, the user will be presented with the captive portal upon successful association.

     

    The default 802.1x role is what a user gets if that user passes 802.1x authentication.  This of course can be overridden with radius attributes returned from the server, or server derivation rules.

     

    If mac authentication is enabled in the AAA profile, if the user passes mac authentication in combination with something else, the default mac authentication will become the resulting user's role.

     

    I hope that makes sense..
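
An added example (not part of the original post, and not Aruba's own tooling): a small auditor that reads `aaa profile` stanzas from a saved configuration and flags profiles whose initial role would let clients pass traffic straight after association, as described above. The profile and server-group names are hypothetical, the sample config is constructed, and two assumptions are made: a profile with no `authentication-dot1x` line serves Open/PSK SSIDs, and an unset `initial-role` means `logon`.

```python
import re

# Roles that permit traffic with no further authentication step.
# "authenticated" is the allow-all role named in the thread; extend per site.
ALLOW_ALL_ROLES = {"authenticated"}

# Constructed sample config (not from the thread); all names are hypothetical.
SAMPLE_CONFIG = '''
aaa profile "guest-open"
   initial-role "authenticated"
!
aaa profile "guest-portal"
   initial-role "logon"
!
aaa profile "corp-dot1x"
   initial-role "denyall"
   authentication-dot1x "corp-dot1x-auth"
   dot1x-default-role "authenticated"
   dot1x-server-group "corp-radius"
!
aaa profile "iot-mac"
   authentication-mac "iot-mac-auth"
   mac-default-role "authenticated"
!
'''

def parse_aaa_profiles(config):
    """Return {profile_name: {setting: value}} for every 'aaa profile' stanza."""
    profiles, current = {}, None
    for line in config.splitlines():
        m = re.match(r'^aaa profile "?([^"]+)"?\s*$', line)
        if m:
            current = profiles.setdefault(m.group(1).strip(), {})
        elif line.startswith((" ", "\t")) and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip('"')
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return profiles

def audit(profiles):
    """Flag profiles whose initial role lets clients pass traffic on association."""
    findings = []
    for name, p in sorted(profiles.items()):
        initial = p.get("initial-role", "logon")  # assumption: unset means "logon"
        uses_dot1x = "authentication-dot1x" in p  # assumption: marks a dot1x SSID
        if initial in ALLOW_ALL_ROLES and not uses_dot1x:
            findings.append((name, initial))
    return findings
```

Running `audit(parse_aaa_profiles(SAMPLE_CONFIG))` reports only `guest-open`; the dot1x profile is skipped because its clients receive the dot1x default role rather than the initial role.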



  • 3.  RE: Default user roles and the significance of each?

    Posted Feb 27, 2017 08:52 AM

    For a listing of the default policies and roles and what is included as part of them, refer to the following section of the ArubaOS User Guide: Basic System Defaults

     

     

     



  • 4.  RE: Default user roles and the significance of each?

    Posted Nov 08, 2019 10:57 AM

    Could I just check something - when using a dot1x VAP does the initial role have much effect? We have been using denyall but were advised to change to logon. I'm doing a bit of testing but I can't see how to actually view my current role - if I authenticate successfully then I appear in the user table with the authenticated role, but if I deliberately enter an incorrect password I don't know how to view what role I am in at that point. I'm not in the user table as I haven't authenticated, and the role isn't shown in the AP association table.

     

    Any ideas?

     

    Thanks

    Guy



  • 5.  RE: Default user roles and the significance of each?

    Posted Nov 08, 2019 11:20 AM

    Initial role is a bit confusing to me. If you have authentication enabled, isn't the user denied access if they have the wrong PSK or credentials? How does initial role work in that case?



  • 6.  RE: Default user roles and the significance of each?

    Posted Nov 08, 2019 11:39 AM

    Yes that's my understanding, but I'm not sure how this works with a dot1x SSID



  • 7.  RE: Default user roles and the significance of each?

    Posted Nov 08, 2019 11:44 AM
    Initial role is what you will get when doing psk. Mac-auth and/or 1x will give other roles. You make the default roles for each of these in the AAA profile which is what the client is given if the radius server returns only Radius Accept.
    If you fail the psk you will not get any role.


  • 8.  RE: Default user roles and the significance of each?

    Posted Nov 08, 2019 11:52 AM

    Thanks John,

     

    So up until the RADIUS accept is received is it true to say that the client doesn't have a role? In which case is it even necessary to have an initial role specified in dot1x AAA profiles (I'm assuming having one doesn't really break anything as we've had one specified for years, though it is the denyall role)?



  • 9.  RE: Default user roles and the significance of each?

    EMPLOYEE
    Posted Nov 09, 2019 09:20 AM

    The initial role is only used for a PSK, WEP or Open SSID, and is not used in an 802.1x transaction.

     

    Closing this thread because it is two years old.



  • 10.  RE: Default user roles and the significance of each?

    Posted Feb 27, 2017 05:06 AM

    Hello Adnan

     

    Did cjoseph answer your question? Or - was the question more related to the various User Roles themselves?

     

    Some information regarding the topic of User Roles

     

    Link to 6.4 Userguide about User Roles

    Slideshare link to a 2015 Atmosphere breakout session on the related topic Firewall