Access Role Profile
The Unified Profile Access Role Profile Screen displays all configured Access Role Profiles and is used to create, clone, edit, and delete Access Role Profiles. An Access Role Profile contains the various UNP properties (e.g., QoS Policy List attached to the UNP, Captive Portal Authentication) for users assigned to the profile. In a wireless-centric network, an Access Role Profile is treated as a user role with which every client in the wireless-centric network is associated.
Note: The Default WLAN Profile is a built-in profile for AOS Switches to set up edge infrastructure for a WLAN. Only the Auth Flag, Mobile Tag Status, and Policy List fields can be modified. However, you can clone the profile to create a new profile. Also note that the Default WLAN Profile cannot be deleted.
Creating an Access Role Profile
Click on the Add icon. Enter a Profile Name and configure the profile as described below, then click on the Create button. When you are finished, select the checkbox next to the profile and click on the Apply to Devices button to assign the profile to switches/wireless devices on the network.
Note: You can select a device type from the Highlight drop-down menu at the top of the screen to highlight configuration parameters for specific device types (6x, 7x, 8x). Selecting the "Highlight attributes applicable for 5x" option does not show a 5x indicator for any of the attributes, as only the profile name is applicable to 5x devices. In addition, 5x devices do not support dynamic VLAN configuration. Make sure the VLAN specified for the Access Role profile already exists.
Access Role Profile Attributes
General
- Auth Flag - Enables/Disables authentication (not supported on wireless devices and ignored when applied to those devices).
- Mobile Tag Status - Enables/Disables classification of tagged packets received on mobile ports (not supported on wireless devices and ignored when applied to those devices).
- Redirect Status - Enables/Disables Captive Portal Redirect (not supported on wireless devices and ignored when applied to those devices). Note that if Redirect Status is enabled, the Access Role Profile can only map to a VLAN when applying the profile to a device.
- Policy List - An Access Role Profile can also be configured with an existing Policy List. The set of rules within the Policy List is then applied to the traffic that passes through switches/wireless devices. Only one Policy List is allowed per profile, but multiple profiles may use the same Policy List. Select a Policy List for the profile from the drop-down menu. You can also click the "Add New" link to go to the Unified Policy Lists Screen to create a new one. An existing Policy List can be a Unified Policy List or a Policy List created in PolicyView - Expert Mode. See Note below for additional information.
- Location Policy Name - Select a Location Access Policy from the drop-down menu.
- Period Policy Name - Select a Period Policy from the drop-down menu.
- Inactivity Interval - The amount of time, in seconds, before an authenticated device is automatically logged out of the network due to inactivity (MAC address for the device has aged out). This timer value applies only to devices learned in the profile.
Note: You can use a Unified Policy List or a Policy List created in PolicyView - Expert Mode in an Access Role Profile. If you use a Policy List in an Access Role Profile, you must apply the Access Role Profile to the same devices selected for the policies contained in the Policy List. Also note that policies created in PolicyView can only be applied to AOS Devices, not to APs.
Bandwidth Control Settings
- Upstream Bandwidth - The maximum bandwidth limit allocated for ingress traffic on UNP ports assigned to the profile. If the maximum ingress bandwidth value is set to zero, all ingress traffic is allowed on the UNP port. (Not supported on AOS 7.3.4 switches and ignored when applied to those devices.)
- Downstream Bandwidth - The maximum bandwidth limit allocated for egress traffic on UNP ports assigned to the profile. If the maximum egress bandwidth value is set to zero, all egress traffic is allowed on the UNP port. (Not supported on AOS 7.3.4 switches and ignored when applied to those devices.)
- Upstream Burst - The maximum ingress depth value that is applied to traffic on UNP ports that are assigned to the profile. This value determines how much the traffic can burst over the maximum ingress bandwidth rate. The maximum ingress depth value is configured in conjunction with the maximum ingress bandwidth parameter. When the ingress depth value is reached, the switch starts to drop packets. (Not supported on AOS 7.3.4 switches and ignored when applied to those devices.)
- Downstream Burst - The maximum egress depth value that is applied to traffic on UNP ports that are assigned to the profile. This value determines how much the traffic can burst over the maximum egress bandwidth rate. The maximum egress depth value is configured in conjunction with the maximum egress bandwidth parameter. When the egress depth value is reached, the switch starts to drop packets. (Not supported on AOS 7.3.4 switches and ignored when applied to those devices.)
Note: Applying Bandwidth Control Settings to devices that are running AOS 8.9R4 is supported only on the OS6860, OS6865, and OS6900.
Client Session Logging
- Client Session Logging - Enables/Disables client session logging.
- Client Connection Logging Level - Select a logging level:
- Logging HTTP/HTTPs - Log only the HTTP/HTTPs web session of wireless clients.
- Logging ALL - Log all sessions of wireless clients, including HTTP/HTTPs.
- None - Log only client online/offline behavior, without session details.
Web Content Filtering (WCF)
- WCF Profile - Select a WCF Profile from the drop-down to include in the Access Role Profile. If necessary, click on Add New to bring up the WCF Profile Screen to add a new profile. An Access Role Profile can only contain one WCF Profile.
Walled Garden
- Wireless Client Social Login Vendor - Select a vendor(s) to allow a wireless client to authenticate through a social media vendor (Facebook, Google, and Rainbow are supported). OmniVista will automatically configure the Allowlist Domains for the selected vendor(s). This will allow the user to connect over the Internet to the selected vendor(s) for authentication.
- Allowlist Domains - In addition to Facebook, Google, and Rainbow login, you can enter any Allowlist Domain to allow a user to connect to sites over the Internet without authentication. For example, a hotel may want to allow a guest to connect to their website without authentication. Enter the Allowlist Domain and click on the Add icon to allow access to the site. Repeat to add additional domains. Domains must be entered in Fully Qualified Domain Name (FQDN) format (e.g., www.marriot.com, www.bbc.com). IP Addresses and http/https prefixes should not be used.
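The rules above (FQDN only, no IP addresses, no http/https prefix) are easy to get wrong in a text box, and a malformed entry simply never matches, so the walled garden silently fails open or closed for that site. The following validator is an added example, not OmniVista code; the entries it checks are constructed, with www.bbc.com taken from the text above.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_allowlist_domain(entry: str) -> str:
    """Return the entry normalized to lowercase FQDN form, or raise ValueError.

    Enforces the help-page rules: FQDN only, no IP address literals and no
    http/https scheme prefix or path.
    """
    value = entry.strip().lower().rstrip(".")
    if "://" in value:
        raise ValueError(f"remove the http/https prefix: {entry!r}")
    if "/" in value:
        raise ValueError(f"paths are not part of a domain name: {entry!r}")
    try:
        ipaddress.ip_address(value)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError(f"IP addresses are not accepted, use an FQDN: {entry!r}")
    labels = value.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"not a fully qualified domain name: {entry!r}")
    return value


def check_allowlist(entries: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split a proposed Allowlist Domain list into accepted FQDNs and rejected entries."""
    accepted: list[str] = []
    rejected: dict[str, str] = {}
    for entry in entries:
        try:
            accepted.append(validate_allowlist_domain(entry))
        except ValueError as exc:
            rejected[entry] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample list mixing valid and invalid entries.
    ok, bad = check_allowlist(["www.bbc.com", "https://www.bbc.com", "192.0.2.10", "guest.example.net."])
    print("accepted:", ok)
    print("rejected:", bad)
```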
Client Isolation: Allowed Contacts List
- Allowed list of devices for an isolated client - When Client Isolation is enabled for the client SSID or the Access Authentication Profile for the switch port to which the AP is connected, traffic between clients on the same AP in the SSID is blocked; client traffic can only go toward the default gateway. To identify the devices a client is allowed to contact when Client Isolation is enabled, enter the MAC address for each device. You can manually specify or copy and paste the device MAC address using any of the following formats:
- 00:80:0f:33:33:24
- 00-80-0f-33-33-24
- 00800f333324
- 008.00f.333.324
- 00800f.333324
- 00:d0:95* (the trailing wildcard character "*" specifies all MAC addresses beginning with 00:d0:95). This wildcard format is particularly useful for entering only a vendor OUI, rather than the full MAC address of every device from that vendor.
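Because the Allowed Contacts List accepts the same address in several spellings plus a trailing-wildcard OUI form, anyone auditing an exported list or reproducing the isolation check needs to normalize entries before comparing them. The following normalizer and matcher is an added example, not OmniVista's own implementation; the sample entries are constructed from the formats listed above.

```python
import re

# Constructed sample Allowed Contacts entries, one per accepted format.
ALLOWED_CONTACTS = [
    "00:80:0f:33:33:24",
    "00-80-0f-33-33-24",
    "00800f333324",
    "008.00f.333.324",
    "00800f.333324",
    "00:d0:95*",   # trailing wildcard: every MAC whose OUI is 00:d0:95
]


def normalize_mac(entry: str) -> str:
    """Reduce any accepted MAC format to 12 lowercase hex digits.

    A single trailing '*' is kept as a prefix marker ('00d095*'). Raises
    ValueError for anything that is not a full MAC or a hex prefix plus '*'.
    """
    s = entry.strip().lower()
    wildcard = s.endswith("*")
    if wildcard:
        s = s[:-1]
    if "*" in s:
        raise ValueError(f"wildcard is only allowed at the end: {entry!r}")
    digits = re.sub(r"[:.\-]", "", s)  # strip colon, dash and dot separators
    if not re.fullmatch(r"[0-9a-f]*", digits):
        raise ValueError(f"non-hex characters in MAC: {entry!r}")
    if wildcard:
        if not 1 <= len(digits) <= 11:
            raise ValueError(f"wildcard prefix must be 1-11 hex digits: {entry!r}")
        return digits + "*"
    if len(digits) != 12:
        raise ValueError(f"MAC must contain exactly 12 hex digits: {entry!r}")
    return digits


def is_allowed_contact(client_mac: str, allowed: list[str]) -> bool:
    """True if client_mac matches an entry exactly or by wildcard prefix."""
    mac = normalize_mac(client_mac)
    if mac.endswith("*"):
        raise ValueError("the client MAC being checked cannot be a wildcard")
    for entry in allowed:
        pattern = normalize_mac(entry)
        if pattern.endswith("*"):
            if mac.startswith(pattern[:-1]):
                return True
        elif mac == pattern:
            return True
    return False
```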
Captive Portal Attributes
- Captive Portal Auth - To configure Captive Portal Authentication, select None, Internal, or External authentication and complete the required fields for the selected authentication type.
- None
- Redirect URL - Redirect URL is only used for ClearPass Servers. Make sure a ClearPass server exists on the system before entering the URL.
- Internal
- Captive Portal Profile - A Captive Portal Profile can be applied to AOS devices. Only one Captive Portal Profile is allowed per profile, but multiple profiles may use the same Captive Portal Profile. Select a Captive Portal Profile for the profile from the drop-down menu. You can also click the "Add New" link to go to the Captive Portal Profile Screen to create a new one. (Not supported on wireless devices and ignored when applied to those devices.)
- External
- Portal Server - The FQDN/IP address of the external captive portal server.
- Redirect URL - The redirect URL for the captive portal authentication.
- HTTPS Redirection - Specify whether the redirect portal page is using HTTPS protocol.
- AAA Server Profile - The AAA Server used for Captive Portal Authentication.
- Custom Profile - The External Captive Portal Config File used for communication between APs and the External Portal Server. The External Captive Portal Config File is configured on the AP Groups Screen in the AP Registration application.
Advanced
- DHCP Option 82 - Enables/Disables the DHCP Option 82 Feature. If necessary, click on the link to go to the DHCP Option 82 Screen to configure the feature.
Cloning an Access Role Profile
You can quickly create an Access Role Profile by selecting a profile in the Access Role Profile List, clicking on the Clone button and modifying the profile to create a new one. Click on the Copy button to create the new profile.
Assigning an Access Role Profile
When you click the Apply To Devices button, the Access Role Profile Assignments Wizard appears. Complete the screens as described below, then click on the Apply button.
Select Devices
Configure the mapping method and select devices.
Configure the Mapping Method
You can map the Access Role Profile to a specific VLAN or service. Select a Mapping Method, then make a selection from the drop-down menu. Note that you can only use one mapping method for a profile.
- Map to VLAN - Maps the profile to a specific VLAN on network devices. Select a VLAN from the VLANs drop-down. For APs, you can map an Access Role Profile to untagged traffic. In the VLANs drop-down, select Untagged VLAN. Then click on the ADD button to select an AP Group(s) (the Devices ADD button will be grayed out). To map the same Access Role Profile to AOS Devices, you will have to repeat the process and specify a VLAN. Note that for Stellar APs, the VLAN ID must be between 1 and 4094 or "untagged". If any other value is configured, the device will ignore the VLAN configuration. Also note that for Stellar APs you can select a VLAN Pool, by entering multiple VLANs. You can enter VLANs as a range (e.g., 10-20), as individual VLANs (21, 23, 25), or both (10-20, 21,23, 25). Note that you can map an Access Role Profile to a dynamically-created VLAN on 6.x and 8.x Switches.
- Map to SPB - Maps the profile to an SPB Profile.
- Map to VXLAN - Maps the profile to a VXLAN Profile.
- Map to Static Service - Maps the profile to a Static Service.
- Map to Tunnel - Maps the profile to a Guest Tunnel (supported on OS6860, 6860E, OS6900-Q32/X72, OS9900, OS6560, OS6865 Switches).
- Map to VLAN and Tunnel - Maps the profile to a VLAN and a Tunnel, allowing VLAN tagging inside the GRE.
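The Map to VLAN step above accepts a VLAN Pool for Stellar APs written as ranges, individual IDs, or a mix, and the AP silently ignores a VLAN outside 1-4094 or "untagged". The parser below is an added example, not OmniVista code, that expands such a string and rejects out-of-range IDs before the mapping is applied; the input strings are the ones quoted in the text plus constructed error cases.

```python
from typing import Union

VLAN_MIN, VLAN_MAX = 1, 4094  # range accepted by Stellar APs per the help page


def parse_vlan_pool(spec: str) -> Union[list[int], str]:
    """Expand a VLAN Pool string into a sorted list of VLAN IDs, or 'untagged'.

    Accepts ranges ('10-20'), single IDs ('21, 23, 25') or a mix of both.
    Raises ValueError for malformed items or IDs outside 1-4094, so that a
    mapping the AP would ignore is caught up front instead of silently failing.
    """
    text = spec.strip()
    if text.lower() == "untagged":
        return "untagged"
    vlans: set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)  # int() raises ValueError on junk
            if lo > hi:
                raise ValueError(f"range start exceeds end: {item!r}")
        else:
            lo = hi = int(item)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN IDs must be between {VLAN_MIN} and {VLAN_MAX}: {item!r}")
        vlans.update(range(lo, hi + 1))
    if not vlans:
        raise ValueError("no VLANs specified")
    return sorted(vlans)
```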
Dynamic VLAN Mapping
On 6.x Switches (running 6.7R08 and higher) and 8.x Switches (running 8.6R1 and higher) you can map an Access Role Profile to a dynamically-created VLAN. On 6.x Switches, you can map an Access Role Profile to a VLAN learned by a dynamic protocol (e.g., MVRP). The VLAN must be present on the switch. On 8.x Switches you can map an Access Role Profile to any VLAN even if the VLAN does not yet exist on the switch. The switch will create a UNP Dynamic VLAN. In both cases, the switch will decide whether it will permit the mapping.
Important Note: For dynamic VLAN mapping, you must first configure a Unified Access Global Configuration Setting with Global Dynamic UNP VLAN creation enabled, and assign that Global Configuration to network switches. Global Configurations are configured on the Unified Access Global Configuration Setting Screen (Unified Access - Unified Profile - Template - Global Configuration - Setting). See the Global Configuration Setting Screen online help for more information. You can also enable dynamic VLAN mapping on a device by editing a device on the Unified Access Unified Profile - Device Config - Global Configuration Setting Screen (Unified Access - Unified Profile - Device Config - Global Configuration - Setting). See the Device Config Global Configuration Setting Screen online help for more information.
Select Devices
After configuring the Mapping Method, click on the Devices ADD button and/or the AP Group ADD button to select devices. The device(s) will appear in the List of Selected Devices. If necessary, click on the Devices EDIT button and/or the AP Group EDIT button to add/remove devices from the list. See Common Errors When Assigning an Access Role Profile if you receive an error message when assigning a profile.
Note: If the Access Role Profile contains a Policy List, you must assign the profile to the same devices that are included in the Policies contained in the Policy List.
Note: You can also assign an Access Role Profile to a ClearPass Server. If a ClearPass Server is configured and connectivity established, the server will appear in the Device Selection Window in Blue.
Click on the Next button to configure a Period Policy.
Configure a Period Policy
You can specify the days and times during which a client can access devices. Select a Period Policy, then click on the Next button to configure a Location Policy.
Configure a Location Policy
You can specify the location of clients that can access devices. Select a Location Policy, then click on the Next button to review the configuration.
Review
Review the configuration and click on the Apply button to apply the profile to the selected devices/AP Groups.
Common Errors When Assigning an Access Role Profile
The following common errors may be seen in the Results page when attempting to assign an Access Role Profile. Possible causes are provided for each.
Error Message | Possible Cause(s)
"Failed to apply Access Role Profile to VLAN ID 4094" | VLAN ID xx is not a standard VLAN.
"VLAN ID xx does not exist" | The VLAN specified must exist on the switch.
"VLAN ID xx is not a standard VLAN" | The specified VLAN should be a Standard VLAN.
Editing an Access Role Profile
Select the profile in the Access Role Profile List and click on the Edit icon to bring up the Edit Access Role Profile Screen. Edit the fields as described above then click on the Apply button to save the changes to the server. (Note that you cannot edit the Access Role Profile Name.) If the Access Role Profile has been applied to any devices, you must re-apply the profile to those devices. You can also go to the Device Config - Access Role Profile Screen to edit a profile on any device.
Note: The Default WLAN Profile is a built-in profile for AOS Switches to set up edge infrastructure for a WLAN. Only the Auth Flag, Mobile Tag Status, and Policy List fields can be modified. However, you can clone the profile to create a new profile.
Deleting an Access Role Profile
Select the profile in the Access Role Profile Screen and click on the Delete icon, then click OK at the confirmation prompt. This removes the profile from the server. If the profile has been assigned to any devices, go to the Device Config - Access Role Profile Screen to remove the profile from the device(s). Select the applicable device(s) in the Devices - Access Role Profile Table, click on the Delete icon, then click OK at the confirmation prompt.
Note: You cannot delete the Default WLAN Profile.