user-role

  user-role <name>
    access-list {eth|mac|session} <acl-name> [ap-group <group>] [position <number>]
    bw-contract
      app <application> {downstream|upstream}
      appcategory <category> {downstream|upstream}
      exclude {app <application>|appcategory <category>}
      web-cc-category <category> {downstream|upstream}
      web-cc-reputation {high-risk|low-risk|moderate-risk|suspicious|trustworthy} {downstream|upstream}
      <contract-name> [per-user|per-apgroup] {downstream|upstream}
    captive-portal {<profile>|check-for-accounting}
    dialer <name>
    dpi [disable]
    max-sessions <number>
    no ...
    openflow-enable
    pool {l2tp <pool>|pptp <pool>|via-dhcp <pool>}
    qos-profile <profile>
    reauthentication-interval [<minutes>|<seconds>]
    registration-role
    robust-age-out
    sso <profile>
    stateful-kerberos <profile>
    stateful-ntlm
    via <profile>
    vlan {<VLAN ID>|<VLAN name>}
    voip-profile <profile>
    web-cc disable
    wispr

Description

This command configures a user role.

Every client in a user-centric network is associated with a user role. All wireless clients start in an initial role. From the initial role, clients can be placed into other user roles as they pass authentication.

Parameter

Description

<name>

Role name.

access-list

Type of ACL to be applied:

eth: Ethertype ACL, configured with the ip access-list eth command.

mac: MAC ACL, configured with the ip access-list mac command.

session: Session ACL, configured with the ip access-list session command.

<acl-name>

Name of the configured ACL.

ap-group

(Optional) AP group to which this ACL applies.

position

(Optional) Position of this ACL relative to other ACLs that you can configure for the user role. 1 is the top.

Default: (last)

bw-contract

Name of a bandwidth contract (rate limiting policy) configured with the aaa bandwidth-contract command. The bandwidth contract must be applied to either downstream or upstream traffic.

app

Name of the application bandwidth contract configured for the user role. The bandwidth contract must be applied to either downstream or upstream traffic.

NOTE: For a complete list of supported applications, issue the command show dpi application all.

appcategory

Name of the application category bandwidth contract configured for the user role. The bandwidth contract must be applied to either downstream or upstream traffic.

NOTE: For a complete list of supported application categories, issue the command show dpi application category all.

web-cc-category|web-cc-reputation

Apply a bandwidth contract to the specified web content category or reputation level. Bandwidth contracts can be applied to user-defined web content categories created using the web-cc command. The five web content reputation levels are predefined in ArubaOS.

NOTE: Bandwidth contracts applied to a web content category or reputation will not be enforced unless web content classification is enabled using the firewall web-content-classification command.

Range: Available reputation categories are:

high-risk

low-risk

moderate-risk

suspicious

trustworthy

exclude {app|appcategory}

Excludes an application or application category from being configured as a bandwidth contract.

downstream

Applies the bandwidth contract to traffic from the controller to the client.

per-user

Specifies that bandwidth contract is assigned on a per-user basis instead of a per-role basis. For example, if two users are active on the network and both are part of the same role with a 500 Kbps bandwidth contract, then each user is able to use up to 500 Kbps.

Default: (per role)

upstream

Applies the bandwidth contract to traffic from the client to the controller.

captive-portal

Name of the captive portal profile configured with the aaa authentication captive-portal command.

check-for-accounting

If disabled, RADIUS accounting is done for authenticated users irrespective of the captive-portal profile in the role of an authenticated user. If enabled, accounting is not done as long as the user's role has a captive portal profile on it. Accounting starts when Auth/XML-Add/CoA changes the role of an authenticated user to a role that does not have a captive portal profile.

Default: Enabled

dialer

If VPN is used as an access method, name of the VPN dialer configured with the vpn-dialer command. The user can log in using captive portal and download the dialer. The dialer is a Windows application that configures the VPN client.

dpi

Role specific DPI configuration.

disable

Disables the role-specific DPI configuration.

max-sessions

Maximum number of datapath sessions per user in this role.

Range: 0-65535

Default: 65535

no

Negates any configured parameter.

openflow-enable

Enables SDN for the user role.

Default: Enabled

pool

If VPN is used as an access method, specifies the IP address pool from which the user’s IP address is assigned:

l2tp: When a user negotiates an L2TP or IPsec session, specifies an address pool configured with the ip local pool command.

pptp: When a user negotiates a PPTP session, specifies an address pool configured with the pptp ip local pool command.

via-dhcp: Defines an external DHCP server address instead of the internal L2TP pool; the managed device obtains the IP address from the external DHCP server.

NOTE: L2TP pool and DHCP pool configuration in a role are mutually exclusive.

<pool>

Name of the L2TP, PPTP, or DHCP pool to be applied.

qos-profile

Applies a QOS profile to the user role.

reauthentication-interval

Interval, in minutes or seconds, after which the client is required to reauthenticate.

Range: 0-4096 in minutes

0-245760 in seconds

Default: 0 (disabled)

registration-role

If enabled, a user is forced to do MAC-based authentication every time the user connects to the network.

Default: disabled

robust-age-out

Apply Robust Age-out mechanism on wired passive clients.

Default: Disabled

NOTE: This feature impacts system load and performance. Enable this mechanism for a limited number of clients only.

sso

Applies an SSO profile to the user role.

stateful-kerberos

Applies a stateful Kerberos profile to the user role.

stateful-ntlm

Applies stateful NTLM authentication to the specified user role.

via

Applies a VIA connection profile to the user role.

vlan

Identifies the VLAN ID or VLAN name to which the user role is mapped. This parameter works only when using Layer-2 authentication (802.1X or MAC address) or ESSID or encryption-type role mapping, because these authentications occur before an IP address is assigned. If a user authenticates using a Layer-3 mechanism such as VPN or captive portal, this parameter has no effect.

NOTE: VLAN IDs and VLAN names cannot be listed together.

voip-profile

Applies a VOIP profile to the user role.

web-cc disable

Disables web content classification for this user role. User role bandwidth contracts associated with web content classification categories and reputation types will not be enforced unless web content classification is enabled using the firewall web-content-classification command.

wispr

Apply WISPr authentication to the specified user role.

Example

The following command configures a user role:

  (host)[md](config) #user-role new-user
    dialer default-dialer
    pool pptp-pool-1
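A fuller worked configuration, added here as an illustration and not taken from the ArubaOS documentation: it combines several of the parameters above into a restrictive pre-authentication guest role. The role name, ACL name, bandwidth-contract name and captive-portal profile name (guest-web, guest-allow-web, guest-per-user-2m, guest-cp) are constructed and are assumed to have been created beforehand with the ip access-list session, aaa bandwidth-contract and aaa authentication captive-portal commands the table refers to; lines starting with # are annotations, not CLI input.

```text
(host)[md](config) #user-role guest-web
# constructed session ACL; position 1 places it ahead of any other ACL on the role
  access-list session guest-allow-web position 1
# constructed contract; per-user gives each guest the contract's limit instead of all guests in the role sharing one limit
  bw-contract guest-per-user-2m per-user downstream
  bw-contract guest-per-user-2m per-user upstream
# constructed captive-portal profile; with check-for-accounting left at its default (enabled),
# RADIUS accounting starts only once the user is moved to a role without a captive-portal profile
  captive-portal guest-cp
# lower the per-user datapath session cap from its default of 65535 so a single client cannot
# consume a disproportionate share of the session table
  max-sessions 256
# require periodic reauthentication; the value is assumed to be interpreted in minutes
  reauthentication-interval 60
```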

Command History

Release

Modification

ArubaOS 8.8.0.0

Added a new sub-parameter, via-dhcp, to support an external DHCP server address pool instead of the internal L2TP pool.

Added a new parameter, robust-age-out, to apply a new age-out mechanism on wired passive clients.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Requires the PEFNG license.

Config mode on Mobility Conductor.