Even though it's a virtual role, it must be created as a group in Admin mode, in order for anyone to use it for authentication.
After that, you add access rights as normal (like you described).
so just create a group with the same name and then it's ready for use?
You can see it this way: its not the Role itself that is "virtual", its the memberships within it.
Newbie question coming up
I have created a Virtual Role "Employee" which returns true if the request comes from a specific ip address, and added it in web.config.
How can I use this to manage access right for a specific page (and its subpages) in Episerver? I can click on this page in Edit mode and set access rights, but in there I can only choose between created groups.