Assigns a default role to a wireless client that fails to match any of the user-defined roles
When a wireless client accesses a network, the client's details, retrieved from the LDAP server, are matched against all user-defined roles within the role policy. If the client fails to match any of these user-defined role filters, the client is assigned the default role. The action taken (permit or deny access) is determined by the IP and/or MAC ACL associated with the default role.
default-role use [ip-access-list|ipv6-access-list|mac-access-list]
default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
default-role use
Enables default role configuration. This role is applied to a wireless client not matching any of the user-defined roles.

[ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME>
Associates an IP access list, IPv6 access list, or a MAC access list with this default role.
IP and MAC ACLs act as firewalls by blocking and/or permitting data traffic in both directions (inbound and outbound) within a managed network. IP ACLs use IP addresses for matching operations, whereas MAC ACLs use MAC addresses. In case of a match (i.e. if a packet is received from or is destined for a specified IP or MAC address), an action is taken. This action is a typical allow, deny or mark designation to controller packet traffic. For more information on ACLs, see Access-List Policy.
The ACL applied determines the action applied to a client assigned the default role.

precedence <1-100>
The following keyword is common to all of the above parameters:
ACLs are applied in increasing order of their precedence. Rules with lower precedence are given priority.
nx9500-6C8809(config-role-policy-test)#default-role use ip-access-list in test precedence 1
nx9500-6C8809(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
nx9500-6C8809(config-role-policy-test)#
no (role-policy-config-mode-command)
Removes or resets the default role configuration
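The fallback described above, as an added example (not code from this guide or from the controller software): a Python model in which a client whose LDAP attributes match no user-defined role receives the default role, and that role's ACLs are consulted in increasing precedence order. The role names, ACL names, attribute keys and addresses are constructed, and the exact-match filters, list-order role matching, first-match rule evaluation and final deny are simplifying assumptions.

```python
"""Toy model of role-policy evaluation with a default-role fallback."""
from ipaddress import ip_address, ip_network

# Constructed sample data; every name, key and address here is hypothetical.
ACLS = {  # ACL name -> ordered rules of (action, destination network)
    "staff-acl": [("permit", "10.0.0.0/8")],
    "quarantine": [("permit", "10.0.5.10/32"), ("deny", "0.0.0.0/0")],
    "dns-only": [("permit", "10.0.5.53/32")],
}
USER_ROLES = [  # (role name, LDAP attribute filter, [(precedence 1-100, ACL)])
    ("staff", {"memberOf": "staff"}, [(1, "staff-acl")]),
    ("contractor", {"memberOf": "contractors", "department": "it"},
     [(1, "staff-acl")]),
]
# Listed out of order on purpose: precedence, not position, decides the order.
DEFAULT_ROLE = ("default", [(20, "quarantine"), (5, "dns-only")])


def assign_role(client_attrs):
    """Return (role name, ACL names sorted by increasing precedence)."""
    for name, ldap_filter, acls in USER_ROLES:
        # Assumption: a role matches only if every filter attribute is equal.
        if all(client_attrs.get(k) == v for k, v in ldap_filter.items()):
            return name, [acl for _, acl in sorted(acls)]
    name, acls = DEFAULT_ROLE  # no user-defined role matched
    return name, [acl for _, acl in sorted(acls)]


def decide(client_attrs, dst_ip):
    """Return (role, ACL that decided, action) for one destination address."""
    role, acl_names = assign_role(client_attrs)
    for acl in acl_names:  # lower precedence value is consulted first
        for action, net in ACLS[acl]:
            if ip_address(dst_ip) in ip_network(net):
                return role, acl, action
    return role, None, "deny"  # assumption: traffic matching no rule is denied


if __name__ == "__main__":
    for attrs, dst in [({"memberOf": "staff"}, "10.1.2.3"),
                       ({"memberOf": "guests"}, "10.0.5.53"),
                       ({"memberOf": "contractors"}, "10.1.2.3")]:
        print(attrs, dst, "->", decide(attrs, dst))
```

The third sample client matches only part of the contractor filter, so it lands in the default role and its traffic is decided by the ACLs bound there, which is why the ACL attached to the default role deserves the same review as any user-defined role.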