831 | Behavior and Defaults    Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
Predefined Role    Description
session-acl https-acl
session-acl dhcp-acl
session-acl icmp-acl
session-acl dns-acl
ipv6 session-acl v6-http-acl
ipv6 session-acl v6-https-acl
ipv6 session-acl v6-dhcp-acl
ipv6 session-acl v6-icmp-acl
ipv6 session-acl v6-dns-acl
DHCP, ICMP, and DNS for the guest user. To increase security, a
"deny" rule for internal network destinations could be added at the
beginning.
user-role guest-logon
captive-portal default
session-acl logon-control
session-acl captiveportal
This role is used as the pre-authentication role for guest SSIDs. It
allows control traffic such as DNS, DHCP, and ICMP, and also
enables captive portal.
user-role <ssid>-guest-logon
captive-portal default
session-acl logon-control
session-acl captiveportal
This role is only generated when creating a new WLAN using the
WLAN Wizard. The WLAN Wizard creates this role when captive
portal is enabled. This is the initial role that a guest will be placed in
prior to captive portal authentication. By using a different guest logon
role for each SSID, it is possible to enable multiple captive portal
profiles with different customization.
user-role stateful-dot1x
This is an internal role used for Stateful 802.1x. It should not be
edited.
user-role authenticated
session-acl allowall
ipv6 session-acl v6-allowall
This is a default role that can be used for authenticated users. It
permits all IPv4 and IPv6 traffic for users who are part of this role.
user-role logon
session-acl logon-control
session-acl captiveportal
session-acl vpnlogon
ipv6 session-acl v6-logon-control
This is a system role that is normally applied to a user prior to
authentication. This applies to wired users and non-802.1x wireless
users.
The role allows certain control protocols such as DNS, DHCP, and
ICMP, and also enables captive portal and VPN termination/pass
through. The logon role should be edited to provide only the required
services to a pre-authenticated user. For example, VPN pass through
should be disabled if it is not needed.
user-role <ssid>-logon
session-acl control
session-acl captiveportal
session-acl vpnlogon
This role is only generated when creating a new WLAN using the
WLAN Wizard. The WLAN Wizard creates this role when captive
portal is enabled and a PEFNG license is installed. This is the initial
role that a client will be placed in prior to captive portal
authentication. By using a different logon role for each SSID, it is
possible to enable multiple captive portal profiles with different
customization.
user-role <ssid>-captiveportal-profile
When you use the WLAN Wizard without a PEFNG license installed
and configure an Internal or Guest WLAN with captive portal
enabled, the controller creates an implicit user role with the same
name as the captive portal profile, <ssid>-captiveportal-profile.
This implicit user role allows only DNS and DHCP traffic between the
client and network and directs all HTTP or HTTPS requests to the
captive portal. You cannot directly modify the implicit user role or its
rules. Upon authentication, captive portal clients are allowed full
access to their assigned VLAN. Once the WLAN configuration is
pushed to the controller, the WLAN wizard will associate the new
role with the initial user role that you specify in the AAA profile. This
role will not be visible to the user in the WLAN wizard.
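
An added example, not part of the Dell/Aruba guide: a small Python audit of role listings in the layout used in this table. It reports guest roles whose first session ACL is not an internal-network deny ACL (the guest role note above) and pre-authentication roles that still carry vpnlogon (the logon role note above). The sample config and the names deny-internal, guest-hardened and corp-guest-logon are constructed assumptions.

```python
import re

# Constructed sample in the same layout as the role listings in this table.
# "deny-internal", "guest-hardened" and "corp-guest-logon" are hypothetical names.
SAMPLE_CONFIG = """\
user-role guest
 session-acl http-acl
 session-acl https-acl
 session-acl dns-acl
 ipv6 session-acl v6-http-acl
user-role guest-hardened
 session-acl deny-internal
 session-acl http-acl
user-role logon
 session-acl logon-control
 session-acl captiveportal
 session-acl vpnlogon
 ipv6 session-acl v6-logon-control
user-role corp-guest-logon
 captive-portal default
 session-acl logon-control
 session-acl captiveportal
"""

def parse_roles(text):
    """Map role name -> {"v4": [...], "v6": [...]} session ACLs in listed order."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"user-role\s+(\S+)", line):
            current = roles.setdefault(m.group(1), {"v4": [], "v6": []})
        elif current is not None and (m := re.fullmatch(r"(ipv6\s+)?session-acl\s+(\S+)", line)):
            current["v6" if m.group(1) else "v4"].append(m.group(2))
    return roles

def audit(roles, guest_roles, deny_acl):
    """Return (role, finding) pairs. Checks ACL names and order only, not ACL contents."""
    findings = []
    for name, acls in roles.items():
        # Guest roles: the internal-network deny ACL must come first.
        if name in guest_roles and acls["v4"][:1] != [deny_acl]:
            findings.append((name, f"{deny_acl} is not the first session ACL"))
        # Pre-authentication roles: "logon" and the wizard-style "<ssid>-logon".
        if (name == "logon" or name.endswith("-logon")) and "vpnlogon" in acls["v4"]:
            findings.append((name, "vpnlogon applied before authentication"))
    return findings

if __name__ == "__main__":
    for role, finding in audit(parse_roles(SAMPLE_CONFIG), {"guest", "guest-hardened"}, "deny-internal"):
        print(f"{role}: {finding}")
```

The caller supplies which roles count as guest roles and the name of the deny ACL, since neither is fixed by the guide.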