Assigns a default role to a wireless client that fails to match any of the user-defined roles

When a wireless client accesses a network, the client's details, retrieved from the LDAP server, are matched against all user-defined roles within the role policy. If the client fails to match any of these user-defined role filters, the client is assigned the default role. The action taken (permit or deny access) is determined by the IP and/or MAC ACL associated with the default role.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


default-role use [ip-access-list|ipv6-access-list|mac-access-list]
default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] 
<IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>



default-role use

Enables default role configuration. This role is applied to a wireless client not matching any of the user-defined roles.

  • Use – Associates an IP, IPv6, or MAC access list with the default role

[ip-access-list| ipv6-access-list| mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME>

Associates an IP access list, IPv6 access list, or a MAC access list with this default role

  • in – Applies the rule (IP, IPv6, or MAC) to incoming packets
  • out – Applies the rule (IP, IPv6, or MAC) to outgoing packets

IP and MAC ACLs act as firewalls by blocking and/or permitting data traffic in both directions (inbound and outbound) within a managed network. IP ACLs use IP addresses for matching operations, whereas MAC ACLs use MAC addresses. In case of a match (i.e. if a packet is received from or is destined for a specified IP or MAC address), an action is taken. This action is a typical allow, deny or mark designation to controller packet traffic. For more information on ACLs, see Access-List Policy.

  • <IP/IPv6/MAC-ACCESS-LIST-NAME> – Specify the access list name.

The ACL applied determines the action applied to a client assigned the default role.

precedence <1-100>

The following keyword is common to all of the above parameters:
  • precedence – Assigns a precedence value to the ACL identified in the previous step.
    • <1-100> – Specify a precedence from 1 to 100.

ACLs are applied in increasing order of their precedence. Rules with a lower precedence value are given priority.


nx9500-6C8809(config-role-policy-test)#default-role use ip-access-list in test precedence 1
nx9500-6C8809(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
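
An added example, not part of the original reference or vendor code: a Python check that parses the `show context` text of a role policy, lists the default role's ACLs in the order the precedence rule above implies, and flags items to review. It assumes several `default-role use` lines can coexist in one policy; the function name and every ACL name in the sample other than `test` are constructed for illustration.

```python
import re

# Matches the syntax documented above:
# default-role use <type> <in|out> <ACL-NAME> precedence <1-100>
LINE = re.compile(
    r"^\s*default-role use (ip-access-list|ipv6-access-list|mac-access-list) "
    r"(in|out) (\S+) precedence (\d+)\s*$"
)

def audit_default_role(context: str) -> dict:
    """Parse 'show context' text of one role policy and review its default role."""
    entries, findings = [], []
    for line in context.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        acl_type, direction, name, prec = m[1], m[2], m[3], int(m[4])
        if not 1 <= prec <= 100:
            findings.append(f"{name}: precedence {prec} outside 1-100")
        entries.append((prec, acl_type, direction, name))
    entries.sort()  # ACLs are applied in increasing order of precedence
    seen = set()
    for prec, *_ in entries:
        if prec in seen:
            findings.append(f"precedence {prec} used more than once")
        seen.add(prec)
    # The ACL decides what an unmatched client may do, so report uncovered directions.
    for direction in ("in", "out"):
        if not any(e[2] == direction for e in entries):
            findings.append(f"no ACL attached for direction '{direction}'")
    return {"order": [e[3] for e in entries], "findings": findings}

# Constructed sample; ACL names other than 'test' are hypothetical.
SAMPLE = """role-policy test
 default-role use mac-access-list in quarantine-mac precedence 20
 default-role use ip-access-list in test precedence 1
 default-role use ip-access-list in guest-ip precedence 20
"""

if __name__ == "__main__":
    report = audit_default_role(SAMPLE)
    print("evaluation order:", report["order"])
    for finding in report["findings"]:
        print("review:", finding)
```
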

Related Commands

no (role-policy-config-mode-command)

Removes or resets the default role configuration