Role Precedence and Priority

Roles are evaluated for identities in the following sequence:

  1. The blacklist role is searched for the identity. If the identity is in the blacklist, the identity is denied access and role evaluation stops.

  2. The whitelist role is searched for the identity. If the identity is in the whitelist, the identity is allowed access and role evaluation stops.

  3. A local user-defined role is searched for the identity. If the identity is mapped to a local user-defined role, the identity is allowed access and role evaluation stops for all unknown/LLDP (Link Layer Discovery Protocol) users. For Kerberos and network login users (except those authenticated through the local network login database), a query is sent to an LDAP server with the user attributes. If the Kerberos and network login users (except those authenticated through the local network login database) do not map to any local user-defined role , the identity is placed in authenticated role.

    Note

    Note

    The LDAP query can be disabled for specific types of network login users, and the LDAP query is disabled for locally authenticated network login identities.
  4. When the switch receives LDAP attributes for an identity, the software evaluates the user-defined roles. If one or more user-defined roles match the identity attributes, and if those roles have a higher priority (lower numerical value) than the current role applied to the identity, the policies for the current role are removed and the policies for the user-defined role with the highest priority are applied.

    Note

    Note

    To support a change from the one role to another, the role priority for the new role must be higher than the current role.
  5. Authenticated identities that cannot be placed in a user-defined role remain assigned to the authenticated role.

  6. The unauthenticated role is applied to all identities that do not match any other roles.