AAA Server Profile

The  Unified Profile AAA Server Profile Screen displays all configured AAA Server Profiles and is used to create, clone, edit, and delete AAA Server Profiles for AOS 8.x Switches and APs on the network. AAA Server Profiles are used to define specific AAA parameters that can be used in an Access Auth Profile or Captive Portal Profile.

Note: When an AAA Server Profile is assigned to a UNP Edge port through an Access Auth Profile, the parameter values defined in the profile will override any existing global AAA configuration for users authenticating on that port.

Creating an AAA Server Profile

Click on the Create icon. Enter a Profile Name and configure the Profile as described below, then click on the Create button.

Note: An AP supports one, and only one, TLS-enabled RADIUS server. As a consequence, you cannot have one TLS-enabled RADIUS server as Primary and another TLS-enabled RADIUS server as Secondary.

Authentication Servers

• 802.1X Primary - Select a Primary 802.1X Authentication Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups, however each must be a different server. You can also click on the Add icon to go to the Authentication Servers Application and create a new server. The Link takes you to the RADIUS Server Management Screen in the Authentication Server application.
• Captive Portal Primary - Select a Primary Captive Portal Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups, however each must be a different server. You can also click on the Add icon to go to Authentication Servers Application and create a new Server. The Link takes you to the RADIUS Server Management Screen in the Authentication Server application.
• MAC Primary- Select a Primary MAC Authentication Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups, however each must be a different server. You can also click on the Add icon to go to Authentication Servers Application and create a new Server. The Link takes you to the RADIUS Server Management Screen in the Authentication Server application.

Accounting Servers

• 802.1X Primary - Select a Primary 802.1X Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups, however each must be a different server. You can also click on the "Add New" link to go to the RADIUS Server Management Screen and create a new Server.
• Captive Portal Primary - You can also select Secondary, Tertiary, and Quaternary Backups, however each must be a different server. You can also click on the "Add New" link to go to the RADIUS Server Management Screen and create a new Server.
• MAC Primary - Select a Primary MAC Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups, however each must be a different server. You can also click on the "Add New" link to go to the RADIUS Server Management Screen and create a new Server.

Advanced Settings

MAC Auth

• Session Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for MAC Authenticated users. If Enabled, the switch will use the Session Timeout attribute received from the Authentication Server in an Accept-Accept message. If Disabled, the switch uses the locally configured timeout interval value (Default = Disabled).
• Session Timeout Status - Enables/Disables the Session Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval. (Default = Disabled).
• Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again (Range = 12000 - 86400, Default = 43200).
• Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
• Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is value greater than the MAC address aging time for the switch. If the Timeout Value is exceeded, the user is not logged out of the network if the MAC address aging time expires before the configured timeout value. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.(Range = 60 - 1200, Default = 600)
• Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for MAC Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
• Accounting Interim Interval - The amount of time between each interim accounting update for MAC accounting sessions, in seconds. (Range = 60 - 1200, Default - 600)
• Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
• Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
• Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).

802.1X

• Re-Authentication Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for 802.1x Authenticated users. If Enabled, the Session-Timeout attribute value received from the RADIUS server overrides the locally configured value for the switch. (Default = Disabled).
• Re-Authentication Timeout - Enables/Disables the automatic re-authentication of authenticated 802.1X users (Default = Disabled).
• Re-Authentication Interval - The amount of time the switch waits, in seconds, before triggering re-authentication of 802.1X users. Note that when the re-authentication time interval is changed, the new value does not apply to existing authenticated 802.1X users until the user is flushed out or when the user is authenticated again. Any new 802.1X users are re-authenticated based on the current time interval setting. (Range = 600 - 7200, Default = 3600)
• Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for 802.1X authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
• Accounting Interim Interval - The amount of time between each interim accounting update for 802.1x accounting sessions, in seconds. (Range = 60 - 1200, Default - 600)
• Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
• Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
• Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).

Captive Portal

• Session Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for Captive Portal Authenticated users. If Enabled, the switch will use the Session Timeout attribute received from the RADIUS server in an Accept-Accept message. If Disabled, the switch to use the locally configured timeout interval value (Default = Disabled).
• Session Timeout Status - Enables/Disables the Session Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval. (Default = Disabled).
• Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again (Range = 12000 - 86400, Default = 43200).
• Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
• Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is value greater than the MAC address aging time for the switch. If the Timeout Value is exceeded, the user is not logged out of the network if the MAC address aging time expires before the configured timeout value. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again. (Range = 60 - 1200, Default - 600)
• Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for Captive Portal Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
• Accounting Interim Interval - The amount of time between each interim accounting update for Captive Portal accounting sessions, in seconds. (Range = 60 - 1200, Default - 600)
• Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
• Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
• Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).

RADIUS

• NAS Port ID - The RADIUS client NAS-Port attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to define a NAS-Port identifier for the NAS-Port attribute. "Default" sets the NAS-Port attribute value to the chassis/slot/port of the user. The NAS-Port attribute value specified with this command is used in Account-Request messages and in Accounting-Request messages. (Default AP setting is wifi-2.4G/wifi-5G)
• NAS ID - The RADIUS client NAS-Identifier attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to identify the switch (RADIUS client) in the NAS-Identifier attribute. "Default" sets the NAS-Identifier attribute to the system name of the switch. The NAS-Identifier attribute value specified with this command is used in both Account-Request and Accounting-Request messages. (Default AP ID is AP WLAN name)
• Username Delimiter - The delimiter character used to separate fields within a RADIUS Server User Name.
• Password Delimiter - The delimiter character used to separate fields within a RADIUS Server Password.
• Calling Station Delimiter - The delimiter character used to separate fields within a Calling Station ID.
• Called Station Delimiter - The delimiter character used to separate fields within a Called Station ID.
• Username Case - Indicates if the RADIUS Server User Name must be in Upper Case or Lower Case.
• Password Case - Indicates if the RADIUS Server Password must be in Upper Case or Lower Case.
• Calling Station ID Case - Indicates if the Calling Station ID must be in Upper Case or Lower Case.
• Called Station ID Case - Indicates if the Called Station ID must be in Upper Case or Lower Case.

Cloning an AAA Server Profile

You can clone an existing profile and edit it to quickly create a new profile. Select a profile in the AAA Server Profile List and click on the Clone button. Enter a new Profile Name, edit the fields as necessary and click on the Clone button.

Editing an AAA Server Profile

Select the profile in the AAA Server Profile Screen and click on the Edit icon to bring up the Edit AAA Server Profile Screen. Edit the fields as described above then click on the Apply button to save the changes to the server. Note that if the AAA Server Profile has been applied to any devices through an Access Auth Profile or Captive Portal Profile, you will have to re-apply the associated Access Auth Profile or Captive Portal Profile to those devices to update the profile on the device(s).

Note that if the AAA Server Profile has been applied to any device through an Access Auth Profile or Captive Portal Profile, you will have to re-apply the associated Access Auth Profile or Captive Portal Profile to those devices to update the profile on the device(s). You can also go to the Device Config – AAA Server Profile Screen to edit a profile on any device.

Deleting an AAA Server Profile

Select the profile in the AAA Server Profile Screen and click on the Delete icon, then click OK at the confirmation prompt.

• If the profile has not been associated with an Access Auth Profile or Captive Portal Profile, the update will be applied and the status displayed. Click OK to return to the AAA Server Profile Screen.
• If the profile has been associated with an Access Auth Profile or Captive Portal Profile, the "Delete AAA Server Profile" confirmation prompt will appear listing any associated profiles. You must delete the AAA Server Profile from any associated profile(s) before returning to the AAA Server Profile Screen to delete the AAA Profile.
• If the profile has been assigned to any devices, go to the Device Config – AAA Server Profile Screen to remove the profile from the device(s).