Skspruce Technologies Inc. WIA3200 User Manual
55 JadeOS User Manual
user table.
9.2.2 User Role and ACL
A user role defines a user's network access. JadeOS specifies that network access with an
ACL. To create a user role in JadeOS, you first create a session ACL and then apply the
ACL to the user role.
To create a user role, use the following steps:
Step 1 Configure a session ACL named pre-auth-acl
(JadeOS) (config) #ip access-list session pre-auth-acl
Step 2 Configure network access.
(JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit
(JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#any any udp 0 65535 dst-nat ip 10.0.0.2 443
Step 3 Create a user role named ‘pre-auth’
(JadeOS) (config) #user-role pre-auth
Step 4 Apply the session ACL to the user role
(JadeOS) (config-role) #session-acl pre-auth-acl
The attribute list supported by user role:

Attribute                  Description
access-list                Apply an access list to the user role
bandwidth-contract         Set the maximum bandwidth
max-sessions               Set the datapath session limit (64k by default)
reauthentication-interval  Configure the re-authentication interval
session-acl                Apply a session ACL
vlan                       Assign a VLAN
9.2.3 Access Policy Based on User Role
Before a user successfully authenticates, JadeOS assigns the user an initial role (the role
before authentication); after the user successfully authenticates, JadeOS assigns the user
a new role (the role after authentication). Network administrators can flexibly control
network access by configuring the ACL of each role.
For example, to configure a user role named pre-auth that permits DNS traffic but redi-
rects all other traffic to port 443 for authentication by DNAT, and a user role named
post-auth that allows all traffic, use the following steps:
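The pre-auth and post-auth roles described above, modelled as an added example so that you can check what each session ACL does to a given flow before and after authentication. This is constructed illustration code, not JadeOS code; it assumes that rules are evaluated top-down with first match winning and that a flow matching no rule is dropped, neither of which this page states.

```python
"""Model of the pre-auth / post-auth session ACLs from section 9.2.3.

Constructed example, not JadeOS code. Assumed semantics: rules are checked
top-down, the first matching rule decides, and an unmatched flow is denied.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or a portless protocol such as "icmp"
    dport: Optional[int] = None  # destination port, None for portless protocols


@dataclass(frozen=True)
class Rule:
    proto: str                  # "tcp", "udp" or "any" (the ACL's "any any <proto>")
    port_lo: int
    port_hi: int
    action: str                 # "permit", "deny" or "dst-nat"
    nat_target: Optional[Tuple[str, int]] = None  # (ip, port) for dst-nat

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and flow.proto != self.proto:
            return False
        if flow.dport is None:          # portless flow: only a protocol-agnostic rule applies
            return self.proto == "any"
        return self.port_lo <= flow.dport <= self.port_hi


def apply_acl(rules: List[Rule], flow: Flow) -> Tuple[str, Flow]:
    """Return (verdict, resulting flow); dst-nat rewrites the destination."""
    for rule in rules:
        if rule.matches(flow):
            if rule.action == "dst-nat":
                ip, port = rule.nat_target
                return "dst-nat", Flow(flow.src, ip, flow.proto, port)
            return rule.action, flow
    return "deny", flow                  # implicit deny (assumption)


# pre-auth-acl as configured in section 9.2.2: DNS allowed, everything else
# on TCP/UDP redirected to the authentication portal at 10.0.0.2:443.
PRE_AUTH_ACL = [
    Rule("udp", 53, 53, "permit"),
    Rule("tcp", 0, 65535, "dst-nat", ("10.0.0.2", 443)),
    Rule("udp", 0, 65535, "dst-nat", ("10.0.0.2", 443)),
]
POST_AUTH_ACL = [Rule("any", 0, 65535, "permit")]   # post-auth: allow all traffic
ROLES = {"pre-auth": PRE_AUTH_ACL, "post-auth": POST_AUTH_ACL}


def forward(flow: Flow, authenticated: bool) -> Tuple[str, Flow]:
    """Pick the role from the authentication state and apply its session ACL."""
    return apply_acl(ROLES["post-auth" if authenticated else "pre-auth"], flow)
```

A quick check: before authentication a web request to any host is rewritten to 10.0.0.2:443 while DNS passes, and after authentication the same request is simply permitted.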