Authenticated and Unauthenticated Roles

The identity management feature supports two default roles—authenticated and unauthenticated. No default rules or policies are configured for these roles, but you can add rules or policies to these roles.

Authenticated identities are known identities that meet the following requirements:
  • Are not included in the blacklist or whitelist.

  • Do not meet the match criteria for any user-defined roles.

  • Cannot meet the match criteria for any user-defined role with LDAP attributes because no LDAP server is available or because LDAP queries are disabled.

  • Are detected either through network login (using any of the network login methods) or through Kerberos snooping.

The unauthenticated role applies to all identities that do not match any other default or user-defined role.

For example, the following identities are placed in the unauthenticated role:
  • A device detected by LLDP (Link Layer Discovery Protocol) that has not authenticated through network login and does not match any other default or user-defined role.

  • A user who does not successfully log in using Kerberos login and does not match any other default or user-defined role.

  • A device discovered through IP ARP or DHCP (Dynamic Host Configuration Protocol) snooping that does not match any other default or user-defined role.

  • Any identity classified as an unknown identity.

Note

Note

The unauthenticated role is not applied to network login and Kerberos users because those users are either authenticated or denied by network login.

One option for configuring the unauthenticated role policy/rule is to allow DNS, DHCP, and Kerberos traffic, and deny all other traffic. This configuration allows identities to attempt log in, and denies access to identities that do not successfully log in.