Skip to main content
Skip table of contents

Access Role Profiles

An Access Role Profile contains the various Unified Profile properties (such as QoS Policy List attached to the profile, Captive Portal Authentication) for users assigned to the profile. In a wireless-centric network, an Access Role Profile is considered as a user role with which every client in the wireless-centric network is associated.

Use the Access Role Profiles screen to display information about all configured Access Role Profiles. This screen is also used to create, edit, and delete Access Role Profiles. To access the Access Role Profiles screen, click on Network Access > Unified Access > Access Role Profiles under the “Configure” section of the OmniVista Cirrus Menu.

Creating an Access Role Profile

The Create Access Role Profile screen is used to select profile settings, assign network devices, and configure the VLAN/tunnel mapping for the profile. To access this screen, click on Create Access Role Profile.

The Create Access Role Profile screen provides the following step-by-step process to create an Access Role Profile:

1. Access Role Profile Settings

  • Profile Name - Configures the Access Role Profile name.

  • QoS/ACL - Configures QoS policy rules that are used to filter device traffic assigned to the Access Role Profile.

  • Location Policy - Defines the location from which a device is allowed to access the network.

  • Period Policy - Defines the date and time during which a device is allowed to access the network.

  • Bandwidth Control - The ingress/egress bandwidth limit/depth applied to device traffic assigned to the Access Role Profile.

  • Walled Garden - Selects social media vendors through which a wireless client can authenticate.

  • Client Session Logging - Enables/Disables client session logging.

  • Captive Portal Attributes - Configures the type of Captive Portal authentication.

  • Others - Enables/disables the DHCP Option 82 feature.

2. Network Assignments

  • Select Sites and Groups - Select Access Point Groups from one or more Sites. The Access Role Profile is applied to the APs in the selected Sites/AP groups.

3. VLAN Mappings

  • VLAN/Tunnel Mapping - Map the Access Role Profile to a VLAN or a Guest Tunnel ID. Traffic classified into the profile is forwarded on the selected VLAN or Tunnel.

1. Access Role Profile Settings

Complete the fields for the sections on the Access Role Profile Settings tab as described below, then click Next to move to the next tab (Step 2).

Profile Name and QoS/ACLs

Complete the fields as described below to assign a name and QoS/ACLs to the profile:

  • Profile Name - A unique name to identify the Access Role Profile.

  • QoS/ACL

    • Configure QoS/ACLs - Select this option to define a QoS Policy for the Access Role Profile. When you select this option, a QoS Policy is automatically created with the Access Role Profile name. You can then customize the policy settings to define conditions/actions for the QoS policy.

    • Choose existing QoS/ACLs - Select one of the following methods to assign a QoS policy list:

      • Choose existing policies, auto-generated policy list - Automatically generate a policy list by selecting existing policies for the list and/or click on Create Unified Policy to open the Create Unified Policy screen and create new QoS policies for the list.

      • Choose existing policy list - Select an existing QoS policy list from the drop-down menu or click on Create Unified Policies List to open the Create Unified Policies List screen and create a new QoS policy list. You can also click on View details to view information about the selected list or click on Edit to open the Edit Unified Policies List screen to make changes to the selected list.

Location/Period Policy

  • Location Policy - Defines a specific location from which a device can access the network. The Location Policy is applied to traffic classified into the Access Role Profile.

    • Configure Location Policy - Select this option to define a Location Policy to assign to the Access Role Profile. When you select this option, a Location Policy is automatically created with the Access Role Profile name.

      • Save this as a distinct Location Policy, for reuse - Select this option if you want the automatically created Location Policy to be available for use after the associated Access Role Profile has been deleted.

    • Choose Existing Location Policy - Select an existing Location Policy from the drop-down menu or click on Create Location Policy to open the Create Location Policy screen and create a new Location Policy. You can also click on Edit to open the Edit Location Policy screen and make changes to the selected policy.

  • Period Policy - Specifies the days a times during which a device can access the network. The Period Policy is applied to traffic classified into the Access Role Profile.

    • Configure Period Policy - Select this option to define a Period Policy to assign to the Access Role Profile. When you select this option, a Period Policy is automatically created with the Access Role Profile name.

      • Save this as a distinct Period Policy, for reuse - Select this option if you want the automatically created Period Policy to be available for use after the associated Access Role Profile has been deleted.

    • Choose Existing Period Policy - Select an existing Period Policy from the drop-down menu or click on Create Period Policy to open the Create Period Policy screen and create a new Period Policy. You can also click on View Details to view information about the selected policy or click on Edit to open the Edit Period Policy screen and make changes to the selected policy.

Bandwidth Control

  • Upstream Bandwidth - The maximum bandwidth limit allocated for ingress traffic assigned to the profile. If the maximum ingress bandwidth value is set to zero, all ingress traffic is allowed.

  • Upstream Burst - The maximum ingress depth value that is applied to traffic assigned to the profile. This value determines how much the traffic can burst over the maximum ingress bandwidth rate. The maximum ingress depth value is configured in conjunction with the maximum ingress bandwidth parameter. When the ingress depth value is reached, the device starts to drop packets.

  • Downstream Bandwidth - The maximum bandwidth limit allocated for egress traffic assigned to the profile. If the maximum egress bandwidth value is set to zero, all egress traffic is allowed.

  • Downstream Burst - The maximum egress depth value that is applied to traffic assigned to profile. This value determines how much the traffic can burst over the maximum egress bandwidth rate. The maximum egress depth value is configured in conjunction with the maximum egress bandwidth parameter. When the egress depth value is reached, the device starts to drop packets.

Walled Garden

  • Wireless Client Social Login Vendor - Select a vendor(s) from the drop-down menu to allow a wireless client to authenticate through a social media vendor (Facebook, Rainbow, and Microsoft Azure are supported). OmniVista will automatically configure the Allow List Domains for the selected vendor(s). This will allow the user to connect over the Internet to the selected vendor(s) for authentication.

  • Allow List Domains - In addition to Facebook, Rainbow, and Microsoft Azure login, you can enter any domain name to allow a user to connect to sites over the Internet without authentication. For example, a hotel may want to allow a guest to connect to their website without authentication. Enter the domain name directly into the Allow List Domain field to allow access to the site. Repeat to add additional domains. Domains must be entered in Fully Qualified Domain Name (FQDN) format Fully Qualified Domain Name (FQDN) format (for example, www.marriot.com, www.bbc.com). IP Addresses and HTTP/HTTPS prefixes should not be used.

Client Session Logging

  • Client Session Logging - Enables/Disables client session logging. When enabled, select one of the following from the Client Connection Logging Level drop-down menu:

    • None - Log only client online/offline behavior, without session details.

    • Logging HTTP/HTTPs - Log only the HTTP/HTTPs web session of wireless clients.

    • Logging ALL - Log all sessions of wireless clients, including HTTP/HTTPs.

Captive Portal Attributes

  • Captive Portal Auth - Select the Captive Portal Authentication method from the drop-down menu:

    • None - No Captive Portal authentication.

    • External - Select this method to redirect device traffic to an external Captive Portal Server for authentication. Complete the following fields to provide the information needed to redirect traffic to the external server:

      • Portal Server - The FQDN/IP address of the external captive portal server.

      • Redirect URL - The redirect URL for the captive portal authentication.

      • HTTPS Redirection - Specify whether the redirect portal page is using HTTPS protocol.

      • AAA Server Profile - The AAA Server used for Captive Portal Authentication. Select an existing AAA Server Profile from the drop-down menu or click on Create AAA Server Profile to open the Create AAA Server Profile screen and create a new AAA Server Profile to use. You can also click on Edit to open the Edit AAA Server Profile screen and make changes to the selected profile. (See the AAA Server Profile online help for more information.)

      • Custom Profile - The External Captive Portal Configuration file used for communication between APs and the external Captive Portal Server. Select an existing External Captive Portal Configuration file from the drop-down menu or click on Create External Captive Portal Config File to open the New External Captive Portal Config File screen and create a custom external config file. You can also click on Edit to open the Edit External Captive Portal Config File screen and make changes to the selected config file. (See the External Captive Portal online help for more information.)

DHCP Option 82

  • DHCP Option 82 - Enable/disable DHCP Option 82 for the Access Role Profile.

2. Network Assignments

The Network Assignments tab is used to select the AP Group(s) within a Site(s) to which the Access Role Profile will be applied to devices within those groups. Complete the network assignments as described below, then click Next to to the the next tab (Step 3).

  • Select Site to Filter Groups - Select the Site from which you want to select AP Group(s).

  • Select Access Point Groups - Select the Access Point Group(s) associated with the selected Site. The Access Role Profile is applied to devices in the AP Group(s).

3. VLAN Mappings

The VLAN Mappings tab is used to map a VLAN or a Tunnel service to the Access Role Profile. Traffic classified into the profile will be forwarded on the mapped VLAN or Tunnel service. Note that you can only select one mapping method per Access Role Profile.

You can configure a VLAN/Tunnel mapping for all AP Groups across all Sites in the Organization, for all AP Groups associated with a specific Site, or for the selected AP Group.

The ability to bind up to 256 VLANs to a WLAN/SSID on the AP13xx/AP14xx models is supported. However, not every AP model can accommodate 256 VLANs for all the configured SSIDs. The limitations are outlined below:

  • AP1301H can support 256 VLANs on a maximum of 2 SSIDs, with a total of 512.

  • AP1311/AP1301/AP1431/AP1411 can support 256 VLANs on a maximum of 4 WLANs/SSIDs, with a total of 1024.

  • AP1320/AP1331/AP1351/AP1451 can accommodate 256 VLANs on a maximum of 7 WLANs/SSIDs, with a total of 1792.

When you click on the Bulk Edit option or the Edit option for an individual AP Group, the following VLAN/Tunnel Mapping screen opens:

Select one of the following network mapping options from the drop-down menu:

  • VLAN- Maps the profile to a specific VLAN ID tag on network devices. You can enter multiple VLAN ID tags in this field by specifying a range of VLAN IDs (10-20), individual VLAN IDs (25), or both (10-20, 25). Note that after each VLAN ID entry, you must press the tab key before making the next entry. For example, enter “10-20” press tab key, then enter “21” press tab key, then enter “22” press tab key, and so on. You can also click outside of this field after each entry, instead of pressing the tab key.

  • Tunnel - Maps the profile to a Guest Tunnel.

  • VLAN and Tunnel - Maps the profile to a VLAN and a Tunnel, allowing VLAN tagging inside the GRE.

When you select the Tunnel mapping option, the following fields are displayed on the VLAN/Tunnel Mapping screen:

  • Configure Tunnel - Select this option to define a Guest Tunnel service to assign to the Access Role Profile.. When you select this option, a Tunnel Profile is automatically created with the Access Role Profile name.

    • Save this as a distinct Tunnel Profile, for reuse - Select this option if you want the tunnel mapping to be available for use after the associated Access Role Profile has been deleted. When you click on this option, you will be prompted to enter a Tunnel Profile name.

  • Choose Existing Tunnel - Select an existing Guest Tunnel Profile from the drop-down menu or click on Create Tunnel Profile to open the Create Tunnel Profile screen and create a new Guest Tunnel Profile. You can also click on View Details to view information about the selected Tunnel Profile or click on Edit to open the Edit Tunnel Profile screen and make changes to the selected Tunnel Profile.

When you are done configuring the VLAN/Tunnel mappings, click on Create Access Role Profile. The Access Role Profile is created and applied to users assigned to the profile.

Editing an Access Role Profile

You can edit the Access Role Profile attributes by accessing the Edit Access Role Profile screen.

Use one of the following methods to access the Edit Access Role Profile screen (as shown above):

  • Select the profile to edit by clicking on the checkbox next to the profile, click on Actions, then select Edit from the drop-down menu.

  • Click on the pencil icon under the “Actions” column next to the profile that you want to edit.

The following Edit Access Role Profile screen displays. Edit the fields as described above, then click on Save.

Deleting an Access Role Profile

To delete an Access Role Profile, use one of the following methods to select the profile you want to delete:

  • Select the profile to delete by clicking on the checkbox next to the profile, click on Actions, then select Delete from the drop-down menu.

  • Click on the trash can icon under the “Actions” column next to the profile that you want to delete.

When you select the profile you want to delete, the following confirmation prompt appears:

Click on Delete to confirm that you want to delete the Access Role Profile.

Display Access Role Profile Information

The Access Role Profile list displays information for the configured Access Role Profiles. To display detailed information about a specific profile, click on the Additional Information icon under the “Actions” column. The information displayed on this screen is defined below.

The following information is displayed for each Access Role Profile:

  • Profile Name - The name assigned to the Access Role Profile

  • Unified Policy - The name of the Policy List assigned to the profile. The set of rules within the Policy List are applied to the traffic that passes though devices. Only one Policy List is allowed per profile, but multiple profiles may use the same Policy List.

  • Location Policy Name - The name of the Location Access Policy assigned to the profile.

  • Period Policy Name - The name of the Period Policy assigned to the profile..

  • Captive Portal Auth - The type of Captive Portal Authentication ( None, or External).

  • Portal Server - The FQDN/IP address of the external captive portal server.

  • Redirect URL - The redirect URL for the captive portal authentication.

  • HTTPS Redirection - Specify whether the redirect portal page is using HTTPS protocol.

  • AAA Server Profile - The AAA Server used for Captive Portal Authentication.

  • Custom Profile - The External Captive Portal Config File used for communication between APs and the External Portal Server.

  • Upstream Bandwidth - The maximum bandwidth limit allocated for ingress traffic assigned to the profile. If the maximum ingress bandwidth value is set to zero, all ingress traffic is allowed.

  • Downstream Bandwidth - The maximum bandwidth limit allocated for egress traffic assigned to the profile. If the maximum egress bandwidth value is set to zero, all egress traffic is allowed.

  • Upstream Burst - The maximum ingress depth value that is applied to traffic assigned to the profile. This value determines how much the traffic can burst over the maximum ingress bandwidth rate. The maximum ingress depth value is configured in conjunction with the maximum ingress bandwidth parameter. When the ingress depth value is reached, the device starts to drop packets.

  • Downstream Burst - The maximum egress depth value that is applied to traffic assigned to profile. This value determines how much the traffic can burst over the maximum egress bandwidth rate. The maximum egress depth value is configured in conjunction with the maximum egress bandwidth parameter. When the egress depth value is reached, the device starts to drop packets.

  • DHCP Option 82 - Enables/Disabled the DHCP Option 82 Feature.

  • Client Session Logging - Enables/Disables client session logging.

  • Client Connection Logging Level:

    • Logging HTTP/HTTPs - Log only the HTTP/HTTPs web session of wireless clients.

    • Logging ALL - Log all sessions of wireless clients, including HTTP/HTTPs.

    • None - Log only client online/offline behavior, without session details.

  • Wireless Client Social Login Vendor - The vendor(s) selected to allow a wireless client to authenticate through a social media vendor (Facebook, Rainbow, and Microsoft Azure are supported). OmniVista automatically configures the Allow List Domains for the selected vendor(s). This allows the user to connect over the Internet to the selected vendor(s) for authentication.

  • Allow List Domains - Facebook, Rainbow, Microsoft Azure login, or any user-specified Allow List Domain that allows a user to connect to sites over the Internet without authentication. For example, a hotel may want to allow a guest to connect to their website without authentication. Domains must be in Fully Qualified Domain Name (FQDN) format (for example,, http://www.marriot.com , http://www.bbc.com). IP Addresses and HTTP/HTTPS prefixes should not be used.

  • Assigned Devices:

    • Assigned Devices - The AP Groups and associated Sites to which the Access Role Profile is applied.

    • VLAN/Tunnel Mapping - The VLAN ID or Tunnel service ID mapped to the profile.

 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.