Management and Configuration
Role management and configuration in Central is separated into two management functions. The first management function involves role creation or removal, which can be performed in different areas within the Central UI depending on the role type:
- Default roles – Supported on APs and gateways. They are added to or removed from AP and gateway configuration groups together with their parent profile. Default roles cannot be manually created or removed.
- User defined roles – Supported on APs and gateways. They are added or removed using either the profile creation workflow or manually within each AP or gateway configuration group.
- Global client roles – Added or removed globally within a Central instance, then propagated to gateways and switches.
As roles are policy and configuration containers, the second management function involves adding, removing, or modifying network access policies and attributes for each role. For default and user defined roles, the forwarding mode selected for a profile will influence where role management can be performed:
- Bridge forwarding – Network access policies and attributes can be configured and managed using the profile creation workflow or by directly modifying each role within an AP configuration group.
- Mixed or tunnel forwarding – Network access policies and attributes are configured and managed directly per AP and gateway configuration group. This recent change permits different network access policies and attributes to be assigned to a role on APs and gateways.
Role to role permission management and group policy identifier configuration for global client roles is performed globally within each Central instance. For global client roles that are propagated to mobility gateways, additional network access policies and attributes are configured and managed directly within each gateway configuration group.
Profile creation workflow
The profile creation workflow provides a convenient way to configure default and user defined roles as part of an intuitive workflow. Roles can be added and removed without requiring the admin to exit the profile workflow. The access slider in the workflow determines the level of role configuration that is exposed:
- Unrestricted – No role configuration is exposed within the workflow.
- Network Based – Network access permissions and attributes can be configured and modified for the default role only.
- Role Based – Full role configuration is exposed.
For bridge forwarding profiles, roles can be added, removed, and configured using the workflow. When Role Based access is selected, adding, editing, or removing user defined roles is possible.

Bridge profile role configuration within the workflow.
The current state of the slider in the user interface is dependent on the current configuration of the WLAN profile and the associated default user role.
- The default state is Unrestricted.
- Setting an access control policy other than Allow any to all destinations within the default user role results in the slider showing Network Based.
- Creating any assignment rules results in the slider showing Role Based.
The current state of the slider has no impact on the ability of the access point to utilize or assign roles returned by RADIUS or Central NAC.
For mixed and tunnel forwarding profiles, roles can be added and removed using the profile creation workflow, but policies cannot be configured. User defined roles added or removed using the workflow are added to or removed from their respective AP and gateway configuration groups. Note that network access policies and attributes are no longer configurable using the profile creation workflow for mixed and tunnel forwarding profiles and must be manually configured in the respective AP and gateway configuration groups. A warning is displayed in the configuration workflow advising of this requirement.

Mixed / tunnel profile role configuration within the profile creation workflow
Configuration groups
User defined roles can be added, removed, and configured directly per AP and gateway configuration group using the Central UI. The admin can configure network access permissions and attributes for existing roles or add, delete, and configure user defined roles. The UI also offers a convenient way to pre-configure user defined roles, network access permissions and attributes prior to creating profiles.
For AP configuration groups, default and user defined roles can be configured and managed under Security > Roles. User defined roles can be added, removed, or configured, but default roles can only be configured and not removed. Default roles can only be removed by removing the parent profile.
Each role is configured by selecting a role from the list which presents the network access policies and attributes that are configured for the selected role. An example of role management within an AP configuration group is depicted below.

AP group role configuration and management.
For gateway configuration groups, default and user defined roles can be configured and managed under Security > Roles. The role table lists all the roles configured in the gateway configuration group which includes predefined roles, default roles, user defined roles, and global client roles. Global client roles are identified with a Global “Yes” flag.
Each role is configured by selecting a role in the table which displays an additional table that presents the network access policies and attributes that are assigned to the selected role.

Gateway group role configuration and management.