Role-based ACLs

Beginning with Release 32.1, the dynamic ACL rule(s) can be user-based or role-based. User-based rules are treated as higher priority than any other statically provisioned rules. Policy roles and the DACLs associated with them are dynamically created as needed based on the incoming RADIUS Filter-Id attribute. This attribute is automatically deleted when the last authenticated user associated with the role is removed.

When a set of role-based rules is installed for a given role or profile, they cannot be changed until that role is no longer in use. Role-based rules are shared by any other user who authenticates to the same role or profile. While both user based and role-based DACLs can be used on the device at the same time, a mix of user based and role-based DACLs are not permitted for a given user.

A role-based operation has a type 'r' and requires a preceding add operation (a,r). Each role requires a profile pre-configured with a unique name and access-list configuration.

A role-based with create operation has a type 'c' and also requires a preceding add operation (a,rc). The role or profile is dynamically created if it does not already exist. If created dynamically, the role or profile will be deleted when no longer in use.

A delete-all operation has a type of 'da' and no match, action, or index fields are permitted. When used, the delete-all must be the first entry in the list. When present, this operation removes all existing rules associated with the user or role. Neither the action field nor the index field is permitted and will be ignored if present.

The following match conditions can be used with role-based ACLs:

Supported Platforms

All ExtremeSwitching X435, X450-G2, X460-G2, X440-G2, X620, X690, X695 series switches.

Limitations