About Role Based Control

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

Role Based Control enables you to restrict wireless network access to authorized users. Users are granted controlled access to wireless resources based on the roles assigned to them. For example, you can restrict users to specific VLANs, apply bandwidth controls, enforce network and application firewall rules, or redirect users to a portal based on their role profile.

Wi-Fi Cloud enables you to create custom role profiles and define access rules, including default Wi-Fi Cloud and custom vendor rules, or Google OU rules, to authorize wireless users. You can define various role profiles in Wi-Fi Cloud that specify the restrictions to be placed on the wireless user based on their assigned profile for the SSID.

Role-Based Control with RADIUS MAC Authentication

You can configure RADIUS MAC Authentication to assign roles to clients that fail MAC authentication (to restrict access or redirect the client), or you can assign roles both pre-authentication and post-authentication to enable the use of portals with RADIUS authentication. For example, you can assign a pre-authentication role that redirects a client to the portal for authentication to the RADIUS server. After the user successfully authenticates, the RADIUS server can use Change of Authorization (CoA) to assign a post-authenticaton role to the client. For more information, see Configure RADIUS MAC Authentication.

Define Role Profiles

Typically, you create role profiles that map to the roles that you have defined in your RADIUS server or Google OU. In a Role Profile, you can define a VLAN ID, Firewall rules, Application Firewall rules, per-user Bandwidth controls, and Redirection URLs. These features can be customized or the settings inherited from the SSID configuration.

You can associate one or more of these role profiles with specific VSA (Vendor Specific Attribute) rules or Google OU rules to enforce restrictions on clients to which the rule applies. To create and manage your Role Profiles, see Configure Role Profiles in Discover.

Configure Role Based Control

You can enforce role based control on wireless users from an SSID.

When a user connects to an SSID, the user is authenticated based on Google or RADIUS authentication, and then depending on the Role Based Control rule that matches the user role, the corresponding role profile is applied for the user session. If Google Device Authorization is enabled in the security settings for an SSID Profile, the OU of the authorized client device is matched against the OU rules specified in Role Based Control to decide on the settings that will be applied the client session. For more information, see Google Device Authorization.

To create Role Based Control rules, select a Google OU, 802.1x Default VSA, or 802.1x Custom VSA rule.

For VSA rules, make sure that the SSID security mode is set to WPA2 or WPA and WPA2 Mixed mode and 802.1X authentication is selected. The Default VSA is for Wi-Fi Cloud. You can use a custom vendor with the Custom VSA rule. A Custom VSA requires a Vendor ID and Attribute ID.

For Google OU rules, make sure that Secondary Authentication is enabled in the SSID security settings and Google Device Authorization is selected.

You cannot use a mix of Google OU rules with other VSA rules in the same SSID Profile.

In the Select Role drop-down list, specify how the role names must be matched against the role name defined in Google OU or a RADIUS server.

If you select Use Role Name, then you must select one or more Role Profiles from the Role List. The role name defined by the Google OU or the RADIUS server will be matched against the role names defined in the selected Role Profiles.
If you select Custom Role Name, then you must select a Role Profile from the Role List and specify the role name in the Enter Name field. This name is matched against the role names defined in the RADIUS server. For a Google OU rule, you must specify the role name in the Matching OU field, which will then be matched against the OUs defined in Google. If the role name matches then the select Role Profile is assigned to the client session.

When you use Google OU, the length of the Role Name in the Role Profile has a maximum of 32 characters.

The rules are compared in the displayed order until the first match. You can reorder the rules by dragging and moving an entry. If no match is found, then the corresponding configuration in the SSID Profile will be applied.

Match Role Names

If you select Use Role Name, then an exact match of role names is required. In this case the entire OU returned from Google or the role returned by the VSA must match with the Role Name defined in the Role Profiles. A drop-down list with multiple check boxes is displayed for existing roles present on server and the Matching OU field will be disabled. This enables you to select multiple roles.

If you select Use Custom Role, then any portion of the OU returned from Google or the role from VSA contains the string.

From the Role list, select one role and provide a Matching OU for the selected role. The Matching OU can have maximum of 1024 characters.

You can enter a matching pattern in the Matching OU field. For example, if you type /*/Elementary School/*/Student, this will match /SJUSD/Elementary School/Public Elementary/Student.

© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.