Limitations Applying Role Policies to Users
You must be aware of some limitations in applying roles to a user.
- Role-based policies are supported only on proxy-mode AAA WLANs, where a proxy AAA method is used for authentication. With a non-proxy AAA method, the AP authenticates the user and the controller cannot identify the user equipment (UE), so user-role policies are not supported on non-proxy-mode AAA WLANs.
- Typically, the RADIUS/AAA servers return a user attribute to the controller, and the controller assigns it to a UE. However, you must establish a mapping between the user attribute and the user role so that the user-role policy can be applied to the UE. The attribute-to-role mapping is configured within the AAA policy.
- User Traffic Profiles are configured with various policies, such as rate limiting, so that when a profile is applied to a WLAN, the policies in the profile are applied to all the UEs in the WLAN. The policies can also be applied to a user role in a WLAN, but not all the policies defined in the profile are applied to the role.
  If a role-based VLAN policy is defined in the profile, it cannot be applied to a WLAN that is authenticated by a layer 7 (L7) method (WebAuth or Hotspot/WISPr). When a VLAN is applied per role with an L7 authentication method, the UE receives an IP address via DHCP before it is authenticated: DHCP happens at layer 3 or 4, and the UE cannot be authenticated and assigned a role until layer 7 is reached. This results in a mismatch between the VLAN IDs set within the roles and could lead to service disruptions.
- Precedence profiles are configured at the WLAN level but affect the manner in which roles are assigned. The way the profile is defined indicates the order in which the policies defined within it are applied, and the order of priorities can be customized. For example, if WLAN5 is configured with VLAN ID 5, an OS policy is configured for iOS with VLAN ID 10, and a role policy for students is assigned VLAN ID 40, then there are multiple orders you can set for the case where a student user with an iOS device connects to WLAN5.
- You can assign a UE to a role through RADIUS, or you can use RADIUS attributes to apply policies directly. Using RADIUS attributes takes precedence over assigning UEs to a role (though role assignment is easy to configure, as the only element required to authenticate the UE is the role information).
  In the RADIUS attributes method, each policy, such as rate limiting or user traffic profile, has a unique RADIUS attribute. Specifying the RADIUS attribute for a policy therefore overrides all other forms of that policy on the controller. For example, if a UE is already assigned to VLAN 7 through RADIUS, setting the RADIUS attribute for VLAN ID to 9 overrides all VLAN=7 configurations in, say, WLANs, OS policies, and role policies.
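The following is an added illustration, not vendor code: a small Python model of the rules in this list (RADIUS attribute overrides everything, role VLANs require proxy AAA and a non-L7 method, otherwise the WLAN's precedence order decides), run against the WLAN5 / iOS / student scenario from the precedence bullet. The source labels (`"role"`, `"os"`, `"wlan"`), the `aaa_mode` values and the representation of a precedence profile as an ordered tuple are assumptions of this model.

```python
from dataclasses import dataclass, field, replace

# Constructed model of the precedence rules described on this page; not controller code.
L7_AUTH_METHODS = {"WebAuth", "WISPr"}   # per-role VLAN is not applied for these methods

@dataclass
class Wlan:
    name: str
    vlan: int
    aaa_mode: str                      # "proxy" or "non-proxy" (assumed labels)
    auth_method: str                   # e.g. "802.1X", "WebAuth", "WISPr"
    precedence: tuple                  # policy sources, highest priority first (assumed form)
    os_policy: dict = field(default_factory=dict)    # OS name -> VLAN ID
    role_policy: dict = field(default_factory=dict)  # role name -> VLAN ID

def effective_vlan(wlan, ue_os=None, user_role=None, radius_vlan=None):
    """Return (vlan_id, source) for one UE joining `wlan`.

    A VLAN carried as a RADIUS attribute overrides every controller-side VLAN
    policy.  A role VLAN is only a candidate when the WLAN uses proxy AAA (so
    the controller can identify the UE) and a non-L7 authentication method.
    Among the remaining candidates the WLAN's precedence order decides.
    """
    if radius_vlan is not None:
        return radius_vlan, "radius-attribute"
    candidates = {"wlan": wlan.vlan}
    if ue_os in wlan.os_policy:
        candidates["os"] = wlan.os_policy[ue_os]
    role_vlan_ok = wlan.aaa_mode == "proxy" and wlan.auth_method not in L7_AUTH_METHODS
    if role_vlan_ok and user_role in wlan.role_policy:
        candidates["role"] = wlan.role_policy[user_role]
    for source in wlan.precedence:      # first configured source that has a value wins
        if source in candidates:
            return candidates[source], source
    return wlan.vlan, "wlan"            # fall back to the WLAN's own VLAN

# The scenario from the precedence bullet: WLAN5 = VLAN 5, iOS -> VLAN 10, student -> VLAN 40.
WLAN5 = Wlan("WLAN5", vlan=5, aaa_mode="proxy", auth_method="802.1X",
             precedence=("role", "os", "wlan"),
             os_policy={"iOS": 10}, role_policy={"student": 40})

if __name__ == "__main__":
    print(effective_vlan(WLAN5, "iOS", "student"))                                   # (40, 'role')
    print(effective_vlan(replace(WLAN5, precedence=("os", "role", "wlan")), "iOS", "student"))  # (10, 'os')
    print(effective_vlan(replace(WLAN5, auth_method="WebAuth"), "iOS", "student"))   # (10, 'os')
    print(effective_vlan(WLAN5, "iOS", "student", radius_vlan=9))                    # (9, 'radius-attribute')
```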