You can define different types of role profiles to effectively manage and control access to your wireless networks. Use these role profiles with the Role Based Control feature for an SSID Profile. For more information, see Role Based Control.
In a Role Profile, you can define a VLAN ID, firewall rules, application firewall rules, per-user bandwidth controls, and redirection URLs. These features can be customized or the settings inherited from the SSID configuration.
Create Role Profile
To create a role profile:
- Select Configuration > Device Configuration > Role Profiles.
- Click Add Role Profile.
- In the Profile Name text box, type a name for this role profile. You can use the same role name that you have defined in your RADIUS server for easier mapping.
- In the Role text box, type the name of the role you want to define.
- To inherit the role attributes from the SSID profile, select Inherit From SSID.
- Configure the VLAN, Firewall, Bandwidth, and Redirection sections of the profile.
- Click Save.
Inherit from SSID
All of the configuration items in the Role Profile are also available in the SSID profile and apply to users that connect to the SSID. You can choose to inherit the configurations from the SSID profile for one or more of these settings, if you do not want to enforce an alternate setting.
For example, if you have set the firewall rules in the SSID profile and want the same to be applied to all users, then you can select this option in the role profile and you do not need to configure the firewall rules in the role profile.
If you do not select the Inherit from SSID option, and do not configure one or more of the settings in the Role Profile, these settings will not be enforced on users, even if the corresponding settings are configured in the SSID Profile.
Type the VLAN ID for this role profile. The VLAN ID set in the role profile overrides the configured SSID VLAN ID. If you have not selected Inherit from SSID, then you must enable VLAN and specify one or more VLAN IDs.
If you do not configure this setting in the Role Profile, then you must select the Inherit from SSID option.
The VLAN ID range is from 0 to 4094. To map to the untagged VLAN on the switch port, type 0 as the VLAN ID, even if the untagged VLAN on the switch is assigned a different ID.
The role profile firewall rules override the configured SSID firewall rules.
Enable or disable per-user bandwidth controls for this role profile. For more information, see Traffic Management Settings.
The role profile bandwidth controls override the configured SSID bandwidth controls.
If you configure Bandwidth Control in the role profile, you must select the Enable per user bandwidth control option in the Traffic Shaping & QoS section of the SSID Profile.
You can configure a redirection URL for a role profile. Clients that are assigned the role profile are redirected to the configured portal URL. All other network access is blocked except for sites configured in the Walled Garden settings. The redirect URL web page can provide more details to the Wi-Fi user about the network restrictions enforced on their session.
Select Enable HTTPS Redirection to securely redirect a user to the portal when the user tries to get access to an HTTPS site. If HTTPS Redirection is not enabled, the client is not redirected to the portal if they browse to an HTTPS site. Type the organization details (Common Name, Organization, and Organization Unit) to use for HTTPS redirection purposes.
Precedence for Role Profile and SSID Profile Settings
Based on the SSID Profile and Role Profile configurations, the following table shows the precedence for each setting if a role profile is applied on the user.
|Configuration|SSID Profile|Role Profile|Inherit from SSID|Precedence|
|---|---|---|---|---|
|Bandwidth Control|Yes/No|Yes|Yes/No|Role Profile|
|Bandwidth Control|Yes|No|Yes|SSID Profile|
|Bandwidth Control|Yes|Yes|Yes|Role Profile / SSID Profile|
|Bandwidth Control|Yes|Yes/No|No|Role Profile|
|Firewall Rules|Yes/No|Yes|Yes/No|Role Profile|
|Firewall Rules|Yes|No|Yes|SSID Profile|
|Firewall Rules|Yes|Yes|Yes|Role Profile / SSID Profile|
|Firewall Rules|Yes|Yes/No|No|Role Profile|
- If no VLANs are configured in the SSID, the default value of 0 indicates an untagged VLAN is set.
- If Inherit from SSID is not enabled in the role profile, then VLAN settings must be configured in the role profile.
- In Bandwidth Control, you can set the upload and download bandwidth. When Inherit from SSID is selected and either of these values is not set in the Role Profile, the corresponding value configured in the SSID Profile is applied to the user session.
- When Inherit from SSID is not selected and either of the bandwidth values is not set in the Role Profile, only the values defined in the Role Profile are applied to the user session. Any corresponding values defined in the SSID Profile are ignored.
- In Firewall Rules, you can enable and configure L3 and application firewall rules. When Inherit from SSID is selected and either set of rules is not configured in the Role Profile, the corresponding configuration in the SSID Profile is applied to the user session.
- When Inherit from SSID is not selected and either set of firewall rules is not configured in the Role Profile, only the firewall rules defined in the Role Profile are applied to the user session. Any firewall rule defined in the SSID Profile is not applied to the user session.
- The Redirection setting in the Role Profile maps to the BYOD or Captive Portal configuration in the SSID Profile. You can configure either BYOD or Captive Portal settings in an SSID Profile, not both. If Redirection is not configured and Inherit from SSID is selected in the Role Profile, then any BYOD or Captive Portal configuration defined in the SSID Profile is applied to the user session.
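The precedence rules above can be checked offline before a role is rolled out. The following is an added example, not the vendor's code: it models the table and notes in Python and reports any SSID control that stops applying to a role. The dictionary layout, field names, and sample profiles are assumptions made for illustration, and Inherit from SSID is modeled per section.

```python
# Added example: models the precedence rules on this page. The dict layout and
# every field name are hypothetical, not the product's configuration format.
SUBFIELDS = {
    "bandwidth": ("upload_kbps", "download_kbps"),
    "firewall": ("l3_rules", "app_rules"),
}

def resolve_section(section, ssid, role):
    """Return (effective, findings) for the 'bandwidth' or 'firewall' section."""
    ssid_cfg = ssid.get(section) or {}
    role_cfg = role.get(section) or {}
    inherit = role_cfg.get("inherit_from_ssid", False)
    effective, findings = {}, []
    for field in SUBFIELDS[section]:
        if role_cfg.get(field) is not None:
            effective[field] = role_cfg[field]        # Role Profile value wins
        elif inherit:
            effective[field] = ssid_cfg.get(field)    # gap filled from the SSID Profile
        else:
            effective[field] = None                   # SSID Profile value is ignored
            if ssid_cfg.get(field) is not None:
                findings.append(f"{section}.{field}: SSID setting not enforced for this role")
    return effective, findings

def resolve_vlan(ssid, role):
    """Return the VLAN IDs for the role; 0 means the untagged VLAN."""
    vlan = role.get("vlan") or {}
    ids = vlan.get("ids") or []
    if any(not 0 <= v <= 4094 for v in ids):
        raise ValueError("VLAN ID must be in the range 0 to 4094")
    if ids:
        return list(ids)                              # role VLAN overrides the SSID VLAN
    if vlan.get("inherit_from_ssid"):
        return [ssid.get("vlan_id", 0)]               # no SSID VLAN means untagged (0)
    raise ValueError("configure a VLAN in the role or select Inherit from SSID")

# Constructed sample profiles.
SSID = {"vlan_id": 20,
        "bandwidth": {"upload_kbps": 2000, "download_kbps": 10000},
        "firewall": {"l3_rules": ["deny 10.0.0.0/8"], "app_rules": ["block p2p"]}}
CONTRACTOR = {"vlan": {"ids": [30]},
              "bandwidth": {"inherit_from_ssid": True, "download_kbps": 5000},
              "firewall": {"inherit_from_ssid": False, "app_rules": ["block social"]}}

def audit(ssid, role):
    """Collect every SSID control that silently stops applying to the role."""
    return [f for s in SUBFIELDS for f in resolve_section(s, ssid, role)[1]]

if __name__ == "__main__":
    print(resolve_vlan(SSID, CONTRACTOR), audit(SSID, CONTRACTOR))
```

For the sample contractor role, the audit reports that the SSID's L3 firewall rules are not enforced, because the role defines only application rules and does not inherit the firewall section.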