/system/port_access_roles

post

https://switch-ip/rest/v10.16/system/port_access_roles

Body Params

auth_mode

string

enum

Indicates, whether each individual client on the port needs to be authenticated separately to gain access to the network. client-mode: every client needs to be authenticated to be granted network access. device-mode: only one of the attached clients must be authenticated for all clients to be granted network access. multi-domain:limit the number of authenticated clients to one 'voice' client and a configured number of 'data' clients. By default allowed 'data' client is also one. If empty, then port_access_auth_mode of the Port is used.

Allowed:

cached_reauth_period

int64

30 to 4294967295

Duration in seconds until when cached re-authentication is allowed for clients on-boarded via this role. If empty, then Port_Access_Auth_Configuration.cached_reauth_period of the Port is used.

captive_portal_profile

string

Reference Resource: Captive_Portal_Profile
Captive portal profile associated with this access role.

client_inactivity_monitor

string

enum

Sets the inactivity mode configured_timeout: value set by client_inactivity_time will be used for tracking inactivity dynamic_timeout: client will expire after global dynamic ageout value no_timeout: client will never ageout and stays in system. Example: mac-pinning

Allowed:

client_inactivity_timeout

int64

60 to 4294967295

Time in seconds after which a client will be removed from the port for lack of activity. This is only applicable when client_inactivity_monitor mode is set to 'configured_timeout'.

description

string

length between 1 and 256

Free text description of role.

device_traffic_class

string

enum

Specifies the class of client this role is associated with.

Allowed:

gateway_zone

string

Gateway zone associated with this user role.

in_gbp

string

Reference Resource: Port_Access_GBP
Ingress port-access Group Based policy.

in_policy

string

Reference Resource: Port_Access_Policy
Ingress port-access policy, to be applied when this role is assigned.

macsec_policy

string

Reference Resource: MACsec_Policy
MACsec policy associated with this user role. When not set, if the client is authenticated by 802.1X with this role on a port where MACsec is enabled for the 802.1X authenticator, traffic ingressing this port will be dropped.

max_session_time

int64

1 to 4294967295

The maximum number of seconds of service to provide to the client before termination of session. If empty, the maximum session time is indefinite.

mtu

integer

68 to 9198

The MTU (maximum transmission unit); i.e. the largest amount of data that can be transmitted in an IP packet. If empty, then active_ip_mtu value of the Port is used.

name

string

required

length between 1 and 128

Reference Resource: Port_Access_Role
Name of the role.

origin

string

enum

Origin of the access role, i.e., how the access role is created. local: access role is configured locally on the switch. downloaded: downloaded from Clearpass Policy Manager (CPPM) server. radius: translated from the attributes assigned by RADIUS server.

Allowed:

poe_allocate_by_method

string

enum

PoE power allocation method associated with this role Allows control over the power allocation strategy used. Two power allocation strategies are supported: class: the PSE uses the power ramp-up signature of the PD to identify the PD's power class and use the power level for the specified class. usage: power is delivered as requested by a PD. If empty, then config.allocate_by_method value of the PoE_Interface is used.

Allowed:

poe_priority

string

enum

If the PoE demand exceeds the PoE budget, the switch will deny power to some ports. PoE prioritization is the way the switch determines which ports are to receive power. The priorities are: critical: the active PoE ports at this level are provisioned before the PoE ports at any other level are provisioned. high: the active PoE ports at this level are provisioned before the low priority PoE ports are provisioned. low: the active PoE ports at this level are provisioned only if there is power available after provisioning any active PoE ports at the higher priority levels. If empty, then config.priority value of the PoE_Interface is used.

Allowed:

pvlan_port_type

string

enum

Specifies the port's type in the context of Private-VLAN. If empty, the pvlan_port_type value of the 'Port' is used.

Allowed:

qos_trust_mode

string

enum

Specifies the individual port QoS Trust Mode. none: no fields are inspected on arriving packets. The initial local- priority and color meta-data values are taken from PCP 0 entry of the COS Map. cos: will use the PCP of the outermost 802.1 VLAN tag to index the COS Map entry to initialize the local-priority and color meta-data values of the packet. For untagged packets, the initial local-priority and color meta-data values are taken from code_point 0 entry of the COS Map. dscp: will use the DSCP value of IP packets to index the DSCP Map entry to initialize the local-priority and color meta-data values of the packet. For non-IP packets, what meta-data values are assigned is hardware dependent. If empty, then qos_config.qos_trust value of the Port is used.

Allowed:

reauth_period

int64

1 to 4294967295

Time period in seconds to enforce periodic re-authentication of the clients. If empty, then Port_Access_Auth_Configuration.reauth_period of the Port is used.

stp_admin_edge_port

boolean

Specifies whether the port will operate as an STP admin_edge port. If empty, then [stp_config].admin_edge_port_enable of the Port is used.

ubt_gateway_role

string

length between 1 and 63

Role to be assigned to tunneled clients on the UBT cluster side.

vlan_mode

string

enum

When empty, default mode is selected as follows: access: if the vlan_tag contains a value, role contains an access vlan and the vlan_trunks will be empty. trunk: if the vlan_tag is empty, and the vlan_trunks is non-empty, then role has no-native vlan specified. If the mode is explicitly configured: native-tagged: value contained in vlan_tag refers to native vlan and that vlan has to be tagged. native-untagged: value contained in vlan_tag refers to native vlan and that vlan has to be untagged.

Allowed:

vlan_name_tag

string

length between 1 and 32

The untagged VLAN, identified by name, to which users of this access role are assigned. If empty, VLAN identifier corresponding to the vlan_tag is used if set. Otherwise, vlan_tag of the 'Port' is used.

vlan_name_trunks

array of strings

length ≤ 50

The tagged VLAN(s), identified by their names, to which users of this access role are assigned. If empty, VLAN identifier corresponding to the vlan_trunks is used if set. Otherwise, vlan_trunks of the 'Port' is used.

vlan_name_trunks

vlan_tag

integer

1 to 4094

The untagged VLAN identifier to which users of this access role are assigned. If empty, VLAN identifier corresponding to the vlan_name_tag is used if set. Otherwise, vlan_tag of the 'Port' is used.

vlan_trunks

array of integers

length ≤ 1024

The tagged VLAN identifier(s) to which users of this access role are assigned. If empty, VLAN identifier corresponding to the vlan_name_trunks is used if set. Otherwise, vlan_trunks of the 'Port' is used.

vlan_trunks

Responses

201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

415

Unsupported Media Type

500

Internal Server Error

501

Not Implemented

503

Service Unavailable

Language

Response

Click Try It! to start a request and see the response here!