After a user passes access authentication on the wireless terminal, the correct role must be assigned to that user to implement authorization management. A role is the collection and carrier of network permissions. For each user accessing the wireless network, NAC assigns exactly one role according to the user's attributes. Fine-grained role authorization can assign different roles based on user attributes, authentication method, geographical location, access terminal type, and so on.
ⅰ Grant different permissions to roles based on the characteristics of different account authentication methods
a) For local accounts, determine the role from the user name and user group, so that users in different groups receive different roles. For instance, different employee groups in an enterprise have different role permissions: the research and development group has permission to access the in-house R&D network, and the finance group has permission to access the enterprise's financial system. Enterprise managers can be given higher access permissions.
b) RADIUS authentication can grant different permissions to different roles according to the IP address of the RADIUS server and the Class and Tunnel-Private-Group-ID attributes it returns.
c) Certificate authentication can use the attributes of the presented certificate as conditions to distinguish roles and grant different permissions.
d) For LDAP authentication, the permissions of different roles can be assigned according to the user's organizational unit, security group and user name, giving finer-grained role authorization.
ⅱ Assign different roles according to the authentication method used by temporary visitors: different permissions can be assigned for authentication methods such as SMS authentication, WeChat authentication, QR code verification, authentication-free access and temporary visit. For customers who need visitors to follow a public WeChat account, higher access permissions can be granted to encourage users to choose WeChat authentication on their own.
It is worth mentioning that a temporary visitor group (defined according to user information) can be set up for visitor authentication. In some chain stores, for example, different access permissions can be set for members and non-members.
ⅲ Assign different roles to users according to the physical location of the AP they connect through. In a multi-AP deployment, a user's role authorization can be determined by the physical location of the AP, so that users on different APs have different access permissions. For instance, APs can be distinguished by the geographical location of the enterprise's offices: users on the R&D building APs, the general office building APs and the exhibition room APs are each assigned different role authorization.
ⅳ Assign different roles according to terminal type and MAC address. Role authorization can be assigned according to terminal type. For instance, in supermarkets and department stores, Internet access for notebook computers can be limited to avoid consuming large amounts of bandwidth and affecting mobile terminals. In enterprise offices, employees' Internet access from mobile terminals can be limited to prevent online chatting during office hours, and so on.
Role permissions can also be bound to the MAC address of a terminal.
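The following Python snippet is an added example, not code from the original documentation or the product it describes: it models the one-role-per-user assignment described above as an ordered, first-match rule list over the attributes the text names (account group, RADIUS server and attributes, certificate subject, LDAP OU and groups, visitor authentication method, AP location, terminal type and MAC binding). The session fields, rule set, role names, server address and MAC binding are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the attributes a NAC sees for one wireless access session.
@dataclass
class Session:
    auth_method: str                 # "local", "radius", "cert", "ldap", "sms", "wechat", "qr", "free"
    user_group: str = ""             # group of a local account
    radius_server: str = ""          # IP address of the RADIUS server that answered (assumed value below)
    radius_attrs: dict = field(default_factory=dict)  # attributes returned by the RADIUS server
    cert_subject: dict = field(default_factory=dict)  # subject fields of the client certificate
    ldap_ou: str = ""                # organizational unit from LDAP
    ldap_groups: tuple = ()          # security groups from LDAP
    ap_location: str = ""            # physical location of the AP
    terminal_type: str = ""          # "laptop" or "mobile"
    mac: str = ""

# Constructed MAC bindings: a terminal with a bound MAC always receives the bound role.
MAC_BINDINGS = {"aa:bb:cc:00:11:22": "printer-vlan"}

# Ordered rules (name, predicate, role). Evaluation is first-match, so each user receives
# exactly one role; restrictive terminal/location rules sit before identity rules.
RULES = [
    ("office-mobile", lambda s: s.ap_location == "office" and s.terminal_type == "mobile", "office-mobile-restricted"),
    ("store-laptop", lambda s: s.ap_location == "store" and s.terminal_type == "laptop", "store-laptop-limited"),
    ("local-manager", lambda s: s.auth_method == "local" and s.user_group == "managers", "manager"),
    ("local-rd", lambda s: s.auth_method == "local" and s.user_group == "rd", "rd-network"),
    ("ldap-rd", lambda s: s.auth_method == "ldap" and s.ldap_ou == "R&D", "rd-network"),
    ("ldap-finance", lambda s: s.auth_method == "ldap" and "Finance" in s.ldap_groups, "finance-system"),
    ("radius-vlan20", lambda s: s.auth_method == "radius" and s.radius_server == "10.0.0.5"
     and s.radius_attrs.get("Tunnel-Private-Group-ID") == "20", "staff-vlan20"),
    ("cert-eng", lambda s: s.auth_method == "cert" and s.cert_subject.get("OU") == "Engineering", "rd-network"),
    ("exhibition-ap", lambda s: s.ap_location == "exhibition-room", "exhibition-guest"),
    ("wechat-guest", lambda s: s.auth_method == "wechat", "guest-wechat"),       # higher guest tier
    ("basic-guest", lambda s: s.auth_method in ("sms", "qr", "free"), "guest-basic"),
]
DEFAULT_ROLE = "quarantine"  # least privilege when no rule matches

def match_rule(s: Session) -> tuple:
    """Return (rule_name, role) for the first matching rule, so every decision is auditable."""
    bound = MAC_BINDINGS.get(s.mac.lower())
    if bound:
        return ("mac-binding", bound)
    for name, matches, role in RULES:
        if matches(s):
            return (name, role)
    return ("default", DEFAULT_ROLE)

def assign_role(s: Session) -> str:
    return match_rule(s)[1]
```

Logging the rule name returned by `match_rule` alongside the session attributes gives the audit trail needed to explain why a given user landed in a given role.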