Dell PowerConnect W-Airwave W-Airwave 7.2 Configuration Guide - Page 125



Dell PowerConnect W AirWave 7.2 | Configuration Guide | Dell PowerConnect W Configuration Reference | 125

Security > User Roles

A client is assigned a user role by one of several methods. A user role assigned by one method may take precedence over a user role assigned by a different method. The methods of assigning user roles are, from lowest to highest precedence:

1. The initial user role for unauthenticated clients is configured in the AAA profile for a virtual AP.
2. The user role can be derived from user attributes upon the client’s association with an AP (this is known as a user-derived role). You can configure rules that assign a user role to clients that match a certain set of criteria. For example, you can configure a rule to assign the role “VoIP-Phone” to any client that has a MAC address that starts with bytes xx:yy:zz. User-derivation rules are executed before client authentication.
3. The user role can be the default user role configured for an authentication method, such as 802.1x or VPN. For each authentication method, you can configure a default role for clients who are successfully authenticated using that method.
4. The user role can be derived from attributes returned by the authentication server and certain client attributes (this is known as a server-derived role). If the client is authenticated via an authentication server, the user role for the client can be based on one or more attributes returned by the server during authentication, or on client attributes such as SSID (even if the attribute is not returned by the server). Server-derivation rules are executed after client authentication.
5. The user role can be derived from Dell PowerConnect W Vendor-Specific Attributes (VSA) for RADIUS server authentication. A role derived from a Dell PowerConnect W VSA takes precedence over any other user roles.
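
The precedence order above can be modelled as a resolver in which each later method overrides the earlier ones. This is an added illustration, not code from the guide or the product; the class, function, rule tables, role names and the MAC prefix are hypothetical sample values.

```python
# Added illustration of the five-level precedence; all names and values are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Client:
    mac: str
    ssid: str
    auth_method: Optional[str] = None   # e.g. "802.1x", "vpn"; None = not authenticated
    server_attrs: dict = field(default_factory=dict)  # attributes returned by the auth server
    vsa_role: Optional[str] = None      # role carried in a vendor-specific attribute

INITIAL_ROLE = "logon"                                     # method 1: AAA profile
USER_RULES = [("mac_prefix", "00:11:22", "VoIP-Phone")]    # method 2: before authentication
METHOD_DEFAULTS = {"802.1x": "authenticated", "vpn": "vpn-user"}  # method 3
SERVER_RULES = [("Filter-Id", "staff", "employee"),        # method 4: after authentication
                ("ssid", "guest-net", "guest")]

def resolve_role(c: Client):
    """Return (role, source); a higher-precedence method overrides a lower one."""
    role, source = INITIAL_ROLE, "initial"
    for kind, value, derived in USER_RULES:
        if kind == "mac_prefix" and c.mac.lower().startswith(value.lower()):
            role, source = derived, "user-derived"
            break
    if c.auth_method is None:
        return role, source          # methods 3 to 5 apply only after authentication
    if c.auth_method in METHOD_DEFAULTS:
        role, source = METHOD_DEFAULTS[c.auth_method], "auth-default"
    for attr, value, derived in SERVER_RULES:
        # SSID is a client attribute; everything else comes from the server reply.
        actual = c.ssid if attr == "ssid" else c.server_attrs.get(attr)
        if actual == value:
            role, source = derived, "server-derived"
            break
    if c.vsa_role:
        role, source = c.vsa_role, "vsa"   # method 5 overrides everything else
    return role, source

def roles_without_auth():
    """Roles a client can hold before authenticating: review these for least privilege."""
    return {INITIAL_ROLE} | {derived for _, _, derived in USER_RULES}

if __name__ == "__main__":
    print(resolve_role(Client("00:11:22:aa:bb:cc", "voice")))
    print(resolve_role(Client("aa:bb:cc:00:00:01", "corp", "802.1x",
                              {"Filter-Id": "staff"}, vsa_role="contractor")))
    print(sorted(roles_without_auth()))
```

The set returned by `roles_without_auth()` is the one to audit first, since those roles are granted on the initial profile or a MAC prefix alone.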

In the Dell PowerConnect W user-centric network, the user role of a wireless client determines its privileges, including the priority that every type of traffic to or from the client receives in the wireless network. Thus, QoS for voice applications is configured when you configure firewall roles and policies.

In a Dell PowerConnect W system, you can configure roles for clients that use mostly data traffic, such as laptop computers, and roles for clients that use mostly voice traffic, such as VoIP phones. Although there are different ways for a client to derive a user role, in most cases the clients using data traffic will be assigned a role after they are authenticated through a method such as 802.1x, VPN, or captive portal. The user role for VoIP phones can be derived from the OUI of their MAC addresses or the SSID to which they associate. This user role will typically be configured to have access allowed only for the voice protocol being used (for example, SIP or SVP).

This page displays the current user roles in Dell PowerConnect W Configuration and where they are used. This page contains the columns described in Table 55:

NOTE: You must install the Policy Enforcement Firewall license in the controller.

Table 55 Security > User Roles Page Contents

| Column | Description |
|---|---|
| Name | Name of the user role. |
| AAA | Displays the AAA profile or profiles that are referenced by the user role. For additional information, refer to “Profiles > AAA” on page 53. |
| Captive Portal Profile | Displays the Captive Portal Auth profiles, if any, that are referenced by the user role. For additional information, refer to “Profiles > AAA > Captive Portal Auth” on page 61. |
| 802.1X Auth | Displays the 802.1X Auth profiles that are referenced by the user role. For additional information, refer to “Profiles > Advanced Authentication” on page 59. |