Device Config - AAA Profile
The Unified Profile Device Config AAA Profile Screen displays information about all devices to which an AAA Profile has been assigned. You can edit the AAA Profile on an AOS Device or AP Group, or delete the profile from an AOS Device or AP Group. To display AOS Device information, click the Devices ADD button and select one or more devices. To display AP Group information, click the AP Group ADD button and select one or more AP Groups. To add or remove devices/AP Groups from the display, click the applicable EDIT button.
Important Note: Any configuration updates applied in the Device Config application are applied only to the selected devices/AP Groups. The updates do not affect the corresponding SSIDs or Unified Access Profiles/Templates.
Editing an AAA Profile
Select a device/AP Group in the AAA Profile List and click the Edit icon to edit the fields described below. When you are finished, click the Apply button.
Note: An AP supports one, and only one, TLS-enabled RADIUS server. As a consequence, you cannot have one TLS-enabled RADIUS server as Primary and another TLS-enabled RADIUS server as Secondary.
Authentication Servers
- 802.1X Primary - Select a Primary 802.1X Authentication Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server.
For wireless devices, the 802.1X Primary and Secondary Server configurations are used to create an 802.1X Authentication Server Group, which is used by Access Auth Profiles (Wireless AAA Server Profiles).
- Captive Portal Primary - Select a Primary Captive Portal Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server.
Note: Captive Portal Primary and Secondary Server configurations are ignored for wireless devices.
- MAC Primary - Select a Primary MAC Authentication Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server.
Note: For wireless devices, the MAC Primary and Secondary Server configurations are used to create a MAC Authentication Server Group that is used by Access Auth Profiles (Wireless AAA Server Profiles). For IAP Devices, there is no separate server for MAC Authentication; the 802.1X Primary and Secondary Servers are used instead.
Accounting Servers
- 802.1X Primary - Select a Primary 802.1X Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server.
- Captive Portal Primary - Select a Primary Captive Portal Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server.
- MAC Primary - Select a Primary MAC Accounting Server for the Profile. You can also select Secondary, Tertiary, and Quaternary Backups; however, each must be a different server.
Note: For wireless devices, the Accounting Servers are used to create an Accounting RADIUS Server Group that is used in Access Auth Profiles (Wireless AAA Server Profiles). Captive Portal Primary and Secondary Servers are ignored. Wireless devices only accept RADIUS servers for Accounting; if you select another type, an error occurs when you try to apply the configuration to Wireless Controllers.
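The server-selection rules above (every backup slot must hold a different server, an AP supports only one TLS-enabled RADIUS server, Captive Portal servers are ignored on wireless devices, and wireless accounting accepts only RADIUS servers) are easy to violate when a profile is assembled by hand. The following is an added example, not code from the page or from the OmniVista product: a small pre-push checker that models the slots and reports every rule a proposed profile breaks. The `AuthServer` fields `kind` and `tls`, the server names, and the decision to apply the one-TLS-server limit only to wireless targets are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AuthServer:
    """One AAA server as it would be selectable in a slot (constructed model)."""
    name: str
    kind: str           # assumed field: "radius", "ldap", "tacacs+", ...
    tls: bool = False   # assumed field: RADIUS server with TLS enabled


@dataclass
class ServerSlots:
    """Primary, Secondary, Tertiary and Quaternary slots for one server role.
    servers[0] is the Primary; later entries are the backups in order."""
    servers: List[AuthServer]

    def problems(self, label: str, wireless: bool) -> List[str]:
        issues: List[str] = []
        if len(self.servers) > 4:
            issues.append(f"{label}: more than four servers (Primary + 3 backups)")
        names = [s.name for s in self.servers]
        # Page rule: each backup must be a different server.
        if len(names) != len(set(names)):
            issues.append(f"{label}: the same server appears in more than one slot")
        # Page rule: an AP supports one, and only one, TLS-enabled RADIUS server.
        # Applying it only to wireless targets is this example's assumption.
        tls = [s.name for s in self.servers if s.kind == "radius" and s.tls]
        if wireless and len(tls) > 1:
            issues.append(f"{label}: {len(tls)} TLS-enabled RADIUS servers, an AP supports only one")
        return issues


def validate_profile(auth: Dict[str, ServerSlots],
                     acct: Dict[str, ServerSlots],
                     wireless: bool) -> List[str]:
    """Return every rule violation for a proposed AAA Profile.
    Keys of auth/acct are the roles on the page: "802.1X", "Captive Portal", "MAC"."""
    issues: List[str] = []
    for role, slots in auth.items():
        if wireless and role == "Captive Portal":
            continue  # page: Captive Portal servers are ignored for wireless devices
        issues += slots.problems(f"auth {role}", wireless)
    for role, slots in acct.items():
        if wireless and role == "Captive Portal":
            continue  # ignored for wireless devices as well
        issues += slots.problems(f"acct {role}", wireless)
        # Page rule: wireless devices only accept RADIUS servers for accounting.
        non_radius = [s.name for s in slots.servers if s.kind != "radius"]
        if wireless and non_radius:
            issues.append(f"acct {role}: non-RADIUS accounting servers {non_radius} "
                          "are rejected when applied to wireless controllers")
    return issues


# Constructed sample servers (names and attributes are made up for the example).
RAD_TLS_A = AuthServer("radsec-a", "radius", tls=True)
RAD_TLS_B = AuthServer("radsec-b", "radius", tls=True)
RAD_PLAIN = AuthServer("radius-1", "radius")
LDAP_1 = AuthServer("ldap-1", "ldap")


def example_bad_profile() -> List[str]:
    """A profile that breaks three of the page's rules on a wireless target."""
    auth = {
        "802.1X": ServerSlots([RAD_TLS_A, RAD_TLS_B]),   # two TLS RADIUS servers
        "MAC": ServerSlots([RAD_PLAIN, RAD_PLAIN]),      # same server in two slots
    }
    acct = {"802.1X": ServerSlots([LDAP_1])}             # LDAP is not RADIUS
    return validate_profile(auth, acct, wireless=True)


def example_good_profile() -> List[str]:
    """The same intent expressed within the rules: no issues reported."""
    auth = {
        "802.1X": ServerSlots([RAD_TLS_A, RAD_PLAIN]),
        "MAC": ServerSlots([RAD_PLAIN]),
    }
    acct = {"802.1X": ServerSlots([RAD_PLAIN])}
    return validate_profile(auth, acct, wireless=True)


if __name__ == "__main__":
    for issue in example_bad_profile():
        print("BAD :", issue)
    print("GOOD:", example_good_profile() or "no issues")
```

Running the checker with `wireless=False` skips the wireless-only rules, so the same profile that fails for an AP Group can pass for a wired AOS switch; that mirrors the page's note that the TLS and RADIUS-only restrictions are stated for wireless devices.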
Advanced Settings
Advanced settings are not supported on wireless devices and will be ignored when applied to those devices.
MAC Auth
- Session Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for MAC Authenticated users. If Enabled, the switch uses the Session-Timeout attribute received from the Authentication Server in an Access-Accept message. If Disabled, the switch uses the locally configured timeout interval value (Default = Disabled).
- Session Timeout Status - Enables/Disables the Session Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval (Default = Disabled).
- Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or the user is authenticated again (Range = 12000 - 86400, Default = 43200).
- Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
- Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is greater than the MAC address aging time for the switch: if the MAC address aging time expires before the configured timeout value, the user is not logged out of the network when the Timeout Value is exceeded. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or the user is authenticated again (Range = 60 - 1200, Default = 600).
- Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for MAC Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or the user is authenticated again.
- Accounting Interim Interval - The amount of time between each interim accounting update for MAC accounting sessions, in seconds (Range = 60 - 1200, Default = 600).
- Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
- Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
- Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC sets the Calling Station ID to the MAC address of the user; IP sets the Calling Station ID to the IP address of the user).
802.1X
- Re-Authentication Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for 802.1X Authenticated users. If Enabled, the Session-Timeout attribute value received from the RADIUS server overrides the locally configured value for the switch (Default = Disabled).
- Re-Authentication Timeout - Enables/Disables the automatic re-authentication of authenticated 802.1X users (Default = Disabled).
- Re-Authentication Interval - The amount of time the switch waits, in seconds, before triggering re-authentication of 802.1X users. Note that when the re-authentication time interval is changed, the new value does not apply to existing authenticated 802.1X users until the user is flushed out or the user is authenticated again. Any new 802.1X users are re-authenticated based on the current time interval setting (Range = 600 - 7200, Default = 3600).
- Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for 802.1X authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
- Accounting Interim Interval - The amount of time between each interim accounting update for 802.1X accounting sessions, in seconds (Range = 60 - 1200, Default = 600).
- Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
- Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
- Calling Station ID Type - The RADIUS Calling Station ID attribute for 802.1X accounting sessions (MAC sets the Calling Station ID to the MAC address of the user; IP sets the Calling Station ID to the IP address of the user).
Captive Portal
- Session Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for Captive Portal Authenticated users. If Enabled, the switch uses the Session-Timeout attribute received from the RADIUS server in an Access-Accept message. If Disabled, the switch uses the locally configured timeout interval value (Default = Disabled).
- Session Timeout Status - Enables/Disables the Session Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval. (Default = Disabled).
- Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again (Range = 12000 - 86400, Default = 43200).
- Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
- Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is greater than the MAC address aging time for the switch: if the MAC address aging time expires before the configured timeout value, the user is not logged out of the network when the Timeout Value is exceeded. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or the user is authenticated again (Range = 60 - 1200, Default = 600).
- Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for Captive Portal Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
- Accounting Interim Interval - The amount of time between each interim accounting update for Captive Portal accounting sessions, in seconds (Range = 60 - 1200, Default = 600).
- Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
- Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
- Calling Station ID Type - The RADIUS Calling Station ID attribute for Captive Portal accounting sessions (MAC sets the Calling Station ID to the MAC address of the user; IP sets the Calling Station ID to the IP address of the user).
RADIUS
- NAS Port ID - The RADIUS client NAS-Port attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to define a NAS-Port identifier for the NAS-Port attribute. "Default" sets the NAS-Port attribute value to the chassis/slot/port of the user. The NAS-Port attribute value specified here is used in Access-Request messages and in Accounting-Request messages.
- NAS ID - The RADIUS client NAS-Identifier attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to identify the switch (RADIUS client) in the NAS-Identifier attribute. "Default" sets the NAS-Identifier attribute to the system name of the switch. The NAS-Identifier attribute value specified here is used in both Access-Request and Accounting-Request messages.
- Username Delimiter - The delimiter character used to separate fields within a RADIUS Server User Name.
- Password Delimiter - The delimiter character used to separate fields within a RADIUS Server Password.
- Calling Station Delimiter - The delimiter character used to separate fields within a Calling Station ID.
- Called Station Delimiter - The delimiter character used to separate fields within a Called Station ID.
- Username Case - Indicates if the RADIUS Server User Name must be in Upper Case or Lower Case.
- Password Case - Indicates if the RADIUS Server Password must be in Upper Case or Lower Case.
- Calling Station ID Case - Indicates if the Calling Station ID must be in Upper Case or Lower Case.
- Called Station ID Case - Indicates if the Called Station ID must be in Upper Case or Lower Case.
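The Advanced Settings above carry three behaviours that are easy to get wrong when they are only read off the screen: each interval has a fixed range, the Inactivity Timeout Interval must exceed the switch's MAC address aging time or the user is never logged out, and the "Trust Radius" switches decide whether the server's attribute or the local value applies. The following is an added example, not code from the page or from the OmniVista product: it validates a settings object against the ranges and the 31-character NAS string limit quoted on the page, resolves the effective timeout the way the page describes the Trust Radius options, and shows why a changed interval reaches only users who authenticate after the change. The attribute names, the `mac_aging_seconds` parameter and the reading that a missing RADIUS attribute falls back to the local value are assumptions made for this illustration; the MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ranges quoted on the page, in seconds.
SESSION_TIMEOUT_RANGE = (12000, 86400)
INACTIVITY_TIMEOUT_RANGE = (60, 1200)
ACCT_INTERIM_RANGE = (60, 1200)
REAUTH_INTERVAL_RANGE = (600, 7200)
NAS_STRING_MAX = 31          # NAS ID / NAS Port ID text strings


@dataclass
class AdvancedSettings:
    """MAC Auth / Captive Portal values from the screen, with the page's defaults.
    Attribute names are this example's own, not the product's."""
    session_timeout_status: bool = False
    session_timeout_trust_radius: bool = False
    session_timeout_interval: int = 43200
    inactivity_timeout_status: bool = False
    inactivity_timeout_interval: int = 600
    acct_interim_trust_radius: bool = False
    acct_interim_interval: int = 600
    reauth_interval: int = 3600
    nas_id: str = "Default"


def _check_range(name: str, value: int, rng: Tuple[int, int], issues: List[str]) -> None:
    lo, hi = rng
    if not lo <= value <= hi:
        issues.append(f"{name}={value} is outside {lo}-{hi}")


def validate(s: AdvancedSettings, mac_aging_seconds: int) -> List[str]:
    """Range checks from the page plus the two non-obvious constraints it calls out."""
    issues: List[str] = []
    _check_range("session_timeout_interval", s.session_timeout_interval, SESSION_TIMEOUT_RANGE, issues)
    _check_range("inactivity_timeout_interval", s.inactivity_timeout_interval, INACTIVITY_TIMEOUT_RANGE, issues)
    _check_range("acct_interim_interval", s.acct_interim_interval, ACCT_INTERIM_RANGE, issues)
    _check_range("reauth_interval", s.reauth_interval, REAUTH_INTERVAL_RANGE, issues)
    # Page: the inactivity timeout must be greater than the switch's MAC address
    # aging time, or an aged-out user will never be logged out by the timeout.
    if s.inactivity_timeout_status and s.inactivity_timeout_interval <= mac_aging_seconds:
        issues.append(f"inactivity_timeout_interval={s.inactivity_timeout_interval} must exceed "
                      f"MAC aging time {mac_aging_seconds}")
    # Page: NAS-Identifier is a text string of up to 31 characters.
    if len(s.nas_id) > NAS_STRING_MAX:
        issues.append(f"nas_id is {len(s.nas_id)} characters, maximum is {NAS_STRING_MAX}")
    return issues


def effective_session_timeout(s: AdvancedSettings,
                              radius_session_timeout: Optional[int]) -> Optional[int]:
    """Which timeout logs the user out, following the page's Trust Radius wording:
    a trusted Session-Timeout attribute from the Access-Accept wins; otherwise the
    local interval applies only when Session Timeout Status is enabled. Treating a
    missing attribute as a fall-back to the local value is this example's reading."""
    if s.session_timeout_trust_radius and radius_session_timeout is not None:
        return radius_session_timeout
    if s.session_timeout_status:
        return s.session_timeout_interval
    return None


def effective_acct_interim(s: AdvancedSettings, radius_interim: Optional[int]) -> int:
    """Acct-Interim-Interval from the server overrides the local value only when trusted."""
    if s.acct_interim_trust_radius and radius_interim is not None:
        return radius_interim
    return s.acct_interim_interval


@dataclass
class AuthenticatedUser:
    """A user entry captures its timeout at authentication time, which is why the
    page says a changed interval reaches existing users only after re-authentication."""
    mac: str
    session_timeout: Optional[int]


def authenticate(s: AdvancedSettings, mac: str,
                 radius_session_timeout: Optional[int] = None) -> AuthenticatedUser:
    return AuthenticatedUser(mac, effective_session_timeout(s, radius_session_timeout))


def demo_interval_change() -> Tuple[Optional[int], Optional[int]]:
    """Change the interval after one user is in; only the next user sees the new value."""
    s = AdvancedSettings(session_timeout_status=True)
    first = authenticate(s, "00:11:22:33:44:55")       # constructed MAC
    s.session_timeout_interval = 20000
    second = authenticate(s, "00:11:22:33:44:66")      # constructed MAC
    return first.session_timeout, second.session_timeout


if __name__ == "__main__":
    print(validate(AdvancedSettings(inactivity_timeout_status=True,
                                    inactivity_timeout_interval=300), mac_aging_seconds=300))
    print(demo_interval_change())
```

Run it against the settings you intend to apply and the MAC aging time configured on the target switch; an empty list from `validate` means every interval is inside the range the page quotes and the inactivity timeout is long enough to take effect.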
Deleting an AAA Server Profile
Select one or more devices/AP Groups in the AAA Server Profile List and click the Delete icon, then click OK at the confirmation prompt.