How to Create a Role


A role is a policy profile consisting of a set of network access services that you can apply at various access points in a policy-enabled network. A port takes on a user's role when the user authenticates.

There are two ways to create a role:

  • Using the Role Wizard: The Role Wizard is a series of windows that leads you through all the steps for creating a role, including the optional selection and enabling of default access control (default VLAN) and/or class of service for the role, as well as specifying the existing services and service groups that will apply to the role. You can also create new services in the Role Wizard, which encompasses the Service Wizard. If you want to associate a role with a default access control and/or class of service only, without any services, it may be simpler to create the role name with the Create Role menu option and use the role's General tab to set the defaults.
  • Using the Role Tabs: Creating a role using the role tabs consists of creating a name for the role with the Create Role menu option, then defining its characteristics (default class of service, default access control, and/or services) using the role's right-panel tabs. It accomplishes the same things as the Role Wizard, but enables you to do only those parts of the procedure you want to do, when you want to do them. You might also use this method if you are creating a role for which there is default class of service and/or access control, but no services.

If you want to change the characteristics of a role, you can select the role in the left panel and use the right-panel tabs to modify it.

Using the Role Wizard

The Role Wizard is a series of windows that leads you through all the steps for creating a role, including the optional selection and enabling of default access control and/or class of service for the role, as well as specifying the existing services and service groups that will apply to the role.

  1. In the Policy Manager left panel, click the Roles tab.
  2. Right-click on the Roles folder and select Role Wizard.
  3. In the Name window, enter the name of the role. The name can be up to 64 characters in length, and special characters are allowed, with the exception of colons (:) and semicolons (;).  Duplicate names are not allowed, regardless of case. For example, if you already have a role "Faculty" and you attempt to name the new role "Faculty" or "faculty," Policy Manager will create the role, but with the name "New Role," or "New Role(n)" (where "n" is the sequence number, if there is more than one "New Role"). You can then rename the new role. After entering the name, click Next.
  4. In the Default TCI Overwrite window, enable or disable TCI Overwrite for the role. When TCI Overwrite is enabled, the VLAN (access control) and class of service (CoS) defined in this role or any of its rules overwrite the VLAN or CoS tag of a received packet that already carries one. When it is disabled, tagged packets egress with the TCI data they already contain, so a Contain to VLAN default or a rule's VLAN action changes only untagged traffic. You can also enable TCI Overwrite on a per-port basis in the Port Properties General tab, and on a per-rule basis in the Rule General tab. Click Next.
  5. In the Default Access Control window, you can assign default access control to the role, if desired. Default access control will be applied to traffic not identified specifically by the set of access services contained in the role. Choose one of the following options, then click Next.
    • None - No default access control specified.
    • Permit (Using Existing Port VLAN) - Allows traffic to be forwarded with the port's assigned VID.
    • Deny Traffic - Traffic will be automatically discarded.
    • Contain to VLAN - If you want to contain traffic for this role, select this option, then select the appropriate VLAN from the list or create a new one, if desired.
  6. In the Default Class of Service window, you can assign a default class of service to the role, if desired. Select the desired class of service in the list. If the priority for the class of service includes a priority-based rate limit, this will be noted in the class of service name (see How to Create a Class of Service for more information). Click Next.


    NOTES: If you select a CoS that is associated with a ToS/DSCP value, the ToS/DSCP value will be ignored. This is because ToS/DSCP rewrite works only for certain IP ToS classification rules, not as a role default. See ToS/DSCP Rewrite for more information.

    Once a rate limit is applied to a port, that port's bandwidth will be rate limited, even if the default or authenticated role that applied the rate limit is no longer associated with the port.
  7. In the Default Actions - Acct/Sec/Mirror window, you can specify the default accounting and security actions for the role. These actions are applied if the traffic originating from users assigned to this role does not match any rules that explicitly prohibit these actions. Select the desired actions and click Next.
    • System Log - When this option is enabled, a syslog message is generated as long as no matching rules specify that sending a syslog message is prohibited (that is, the rule's system log action is set to "Prohibited" on the Rule General tab). When the option is disabled, the system log setting is ignored.
    • Audit Trap - When this option is enabled, an audit trap is generated as long as no matching rules specify that sending an audit trap is prohibited (that is, the rule's audit trap action is set to "Prohibited" on the Rule General tab). When the option is disabled, the audit trap setting is ignored.
    • Disable Port - When this option is enabled, the port is disabled as long as no matching rules specify that disabling the port is prohibited (that is, the rule's disable port action is set to "Prohibited" on the Rule General tab). Ports that have been disabled due to this option are displayed in the device Role/Rule tab. When the option is disabled, the disable port setting is ignored.
    • Traffic Mirror - Use the drop-down list to specify port groups where mirrored traffic will be sent for monitoring and analysis. You will see an option below to mirror only the first (N) packets of a flow. This option is intended for use when mirroring traffic to an Application Analytics engine. The Application Analytics engine only needs the initial packets of a flow to properly identify the traffic, and setting this option will reduce network traffic overhead for the switch and engine. By default this number is set to 10, but can be changed by clicking the Edit button. Note that the value you set is used by all mirror actions in use in the current domain.
  8. In the Role Services window, select the services you want to apply to this role. If you want to create a new service to add to the list before selecting, click New. Click Finish.

     NOTE: Policy Manager checks for rule conflicts when more than one service is added. See Conflict Checking for more information.
  9. Enforce to write the new information to the devices.
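The wizard steps above set four things that interact on the wire: the TCI Overwrite flag, the default access control, the default class of service and the default Acct/Sec actions, with the rules in the role's services able to override or prohibit each of them. The following Python model, added for this page and not Policy Manager or switch code, walks constructed frames through a constructed "Guest" role to show how those pieces combine. Its field names, the first-match rule ordering, the sample rules and the sample frames are assumptions made for the example; a real switch applies its own rule precedence.

```python
"""Simplified model of how a role's defaults combine with its services' rules.
Illustrative code added for this page, not Policy Manager or switch code. It
assumes rules are checked in list order (first matching rule that sets an access
control or CoS supplies it); field names, sample role and frames are constructed."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional

PERMIT, DENY, CONTAIN = "permit", "deny", "contain"   # default access control choices
DEFAULT, PROHIBITED = "default", "prohibited"        # per-rule action setting

@dataclass
class Frame:
    dst_port: int               # L4 destination port; the sample rules match on it
    vid: Optional[int] = None   # VID already in the frame's TCI, None if untagged
    cos: Optional[int] = None   # 802.1p priority already in the TCI

@dataclass
class Rule:
    name: str
    match: Callable[[Frame], bool]
    access: Optional[str] = None   # None: the rule sets no VLAN action
    vlan: Optional[int] = None     # VLAN used when access == CONTAIN
    cos: Optional[int] = None      # None: the rule sets no CoS
    syslog: str = DEFAULT
    audit_trap: str = DEFAULT
    disable_port: str = DEFAULT

@dataclass
class Role:
    name: str
    tci_overwrite: bool = False
    default_access: Optional[str] = None   # None stands for the wizard's "None"
    default_vlan: Optional[int] = None
    default_cos: Optional[int] = None
    syslog: bool = False
    audit_trap: bool = False
    disable_port: bool = False
    rules: List[Rule] = field(default_factory=list)   # rules from the role's services

def evaluate(role: Role, frame: Frame, port_vid: int) -> Dict[str, object]:
    """Decide forwarding, egress VID/CoS and default actions for one frame."""
    matches = [r for r in role.rules if r.match(frame)]
    acc_rule = next((r for r in matches if r.access), None)
    cos_rule = next((r for r in matches if r.cos is not None), None)
    # Role defaults cover traffic that the role's services do not identify.
    access = acc_rule.access if acc_rule else role.default_access
    if access == DENY:
        policy_vlan = None
    elif access == CONTAIN:
        policy_vlan = acc_rule.vlan if acc_rule else role.default_vlan
    else:                                   # PERMIT or None: the port's own VID
        policy_vlan = port_vid
    policy_cos = cos_rule.cos if cos_rule else role.default_cos
    # TCI Overwrite: an existing tag is replaced only when it is enabled;
    # untagged frames always take the policy VLAN and CoS.
    if frame.vid is not None and not role.tci_overwrite:
        egress_vid, egress_cos = frame.vid, frame.cos
    else:
        egress_vid = policy_vlan
        egress_cos = policy_cos if policy_cos is not None else frame.cos
    def fires(enabled: bool, attr: str) -> bool:
        # A role default action fires unless a matching rule marks it Prohibited.
        return enabled and not any(getattr(r, attr) == PROHIBITED for r in matches)
    forward = access != DENY
    return {
        "rule": acc_rule.name if acc_rule else None,
        "forward": forward,
        "egress_vid": egress_vid if forward else None,
        "egress_cos": egress_cos if forward else None,
        "syslog": fires(role.syslog, "syslog"),
        "audit_trap": fires(role.audit_trap, "audit_trap"),
        "disable_port": fires(role.disable_port, "disable_port"),
    }

# Constructed sample role: deny telnet, permit web at CoS 4, contain the rest to
# VLAN 200; Disable Port is on as a default, so only exempted traffic keeps the port up.
GUEST = Role(
    "Guest", default_access=CONTAIN, default_vlan=200, default_cos=2,
    syslog=True, disable_port=True,
    rules=[
        Rule("deny-telnet", lambda f: f.dst_port == 23, access=DENY),
        Rule("permit-web", lambda f: f.dst_port in (80, 443), access=PERMIT,
             cos=4, disable_port=PROHIBITED),
    ],
)

def demo(tci_overwrite: bool = False) -> Dict[str, Dict[str, object]]:
    """Run four constructed frames through GUEST on a port whose VID is 100."""
    role = replace(GUEST, tci_overwrite=tci_overwrite)
    return {
        "web": evaluate(role, Frame(dst_port=443), 100),
        "telnet": evaluate(role, Frame(dst_port=23), 100),
        "other": evaluate(role, Frame(dst_port=5000), 100),
        "tagged_other": evaluate(role, Frame(dst_port=5000, vid=1, cos=7), 100),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two results are worth checking in the output. With TCI Overwrite left off, the frame that arrives already tagged with VID 1 egresses with VID 1 and its own priority even though the role's default is Contain to VLAN 200; only untagged traffic is contained. Run `demo(tci_overwrite=True)` and the same frame is retagged to VLAN 200 at CoS 2. The second point is the Disable Port default: with it enabled on the role, any frame that matches no rule marking the action Prohibited (here the unclassified and telnet frames) disables the port, so a role that uses it needs a Prohibited setting on every rule that covers legitimate traffic.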

Using the Role Tabs

Creating a role using the role tabs consists of creating a name for the role, then using the right-panel role tabs to specify the characteristics of the role (default class of service, default access control, and/or services).

  1. In the Policy Manager left panel, select the Roles tab.
  2. Right-click the Roles folder, and select Create Role.
  3. Type the role name in the highlighted box.  The name can be up to 64 characters in length, and special characters are allowed, with the exception of colons (:) and semicolons (;).  Duplicate names are not allowed, regardless of case.  For example, if you already have a role "Faculty" and you attempt to name the new role "Faculty" or "faculty," Policy Manager will create the role, but with the name "New Role," or "New Role(n)" (where "n" is the sequence number, if there is more than one "New Role"). You can then rename the new role. Press Enter after you've entered the name. (If you don't press Enter, the name will remain "New Role.")  
  4. Select the role in the left panel, and the General tab in the right panel. Use the General tab to add a role description, enable TCI Overwrite, and set the role's default actions (including access control and class of service).
  5. In the Services section in the General tab, click the Add/Remove Services button to add services to the role. This opens the role Add/Remove Services window.

     NOTE: Policy Manager checks for rule conflicts when more than one service is added. See Conflict Checking for more information.
  6. To add a VLAN to the Role's Egress list, select the role and use the VLAN Egress tab in the right panel.
  7. To configure MAC, IP, and VLAN to role mapping lists for the role, select the role and use the Mappings tab in the right panel.
  8. Enforce to write the new information to the devices.

Modifying a Role

Once you've created a role, you can change its characteristics by selecting the role in the Policy Manager's left panel and using the associated tabs in the right panel.

Adding Services to Roles

To add services to a role from the role's General tab:

  1. Select the left panel Roles tab and expand the Roles folder. Select the role to which you want to add services, then select the General tab in the right panel.
  2. Click Add/Remove Services. This opens the Add/Remove Services window.
  3. Make sure the role to which you wish to add services is displayed in the Role selection box.
  4. In the Groups and Services panel, select the services and/or service groups you wish to add to the role, and click Add. To remove services, select them in the Selected Services panel and click Remove.

     NOTE: Policy Manager checks for rule conflicts when more than one service is added. See Conflict Checking for more information.
  5. If you wish, you can select another role, and add or remove services from it.
  6. Click OK.
  7. Enforce to write the new information to the devices.

Removing Services from a Role

  1. Select the left panel Roles tab and expand the Roles folder.  
  2. Select the role from which you want to remove services, then select the General tab in the right panel.
  3. Click Add/Remove Services. This opens the Add/Remove Services window.
  4. Make sure the role from which you wish to remove services is displayed in the Role selection box.
  5. In the Selected Services panel, select the services and/or service groups you wish to remove from the role, and click Remove. To add services, select them in the Groups and Services panel and click Add.
  6. If you wish, you can select another role, and remove services from or add services to it.
  7. Click OK.
  8. Enforce to write the new information to the devices.

Modifying a Role's Default Class of Service

Use the role's General tab to change its default class of service settings. Be sure to enforce to write the new information to the devices.

Modifying a Role's Default Access Control

Use the role's General tab to change its default access control. Be sure to enforce to write the new information to the devices.

Modifying a Role's Description

You can edit the description for the role on the role's General tab. Click Save to save the change to the database.

Modifying a Role's Ports

You can view the ports for which a role is the default role on the role's Ports tab. You can then select a port and use the Port Properties button to open the Port Properties window, where you can change the default role for a port or make changes to the port settings themselves.

  1. In the Policy Manager left panel, click the Roles tab.
  2. Expand the Roles folder if necessary, and select the role whose ports you want to view.
  3. In the right panel, select the Ports tab.  
  4. Click Retrieve to update the table with the most current information.
  5. Select a port to which you want to make changes.
  6. Click Port Properties. This takes you to the Port Properties window where you can:
    • Modify the default role for the port: Use the General tab (Role Status sub-tab).
  7. Enforce to write the new information to the devices.

Deleting a Role

  1. Select the left panel Roles tab and expand the Roles folder.
  2. Right-click the role you want to delete, and select Delete.
  3. Click Yes to confirm. After a few seconds, a message appears reminding you of other tasks to perform if you are deleting a role.
  4. Read the reminder, then click OK.
  5. Click OK to clear the confirmation message.
  6. Click Enforce on the toolbar, review the effects of enforcing in the Enforce Preview window (if it is enabled), then click Enforce on that window.
