
aaa profile

aaa profile <profile>

authentication-dot1x <dot1x-profile>

authentication-mac <mac-profile>

clone <profile>

devtype-classification

dot1x-default-role <role>

dot1x-server-group <group>

download-role

enforce-dhcp

initial-role <role>

l2-auth-fail-through

mac-default-role <role>

mac-server-group <group>

max-ip ipv4 wireless <max_ipv4_users>

multiple-server-accounting

no ...

open ssid radius accounting

pan-integration

radius-accounting <group>

radius-acct-session-id-in-access

radius-interim-accounting

radius-roam-accounting

reauth-wired-user-vlan-change

rfc-3576-server <ipaddr>

user-derivation-rules <profile>

user-idle-timeout

username-from-dhcp-opt12

wired-to-wireless-roam

xml-api-server <ipaddr>

Description

This command configures the authentication for a WLAN (an 802.11-based LAN that users access over a wireless connection).

Syntax

Parameter, description and default value (where one applies):

<profile>
    Name that identifies this instance of the profile. The name must be 1-63 characters.
    Default: "default"

authentication-dot1x <dot1x-profile>
    Name of the 802.1X authentication profile associated with the WLAN. See aaa authentication dot1x.

authentication-mac <mac-profile>
    Name of the MAC authentication profile associated with the WLAN. See aaa authentication mac.

clone <profile>
    Name of an existing AAA profile whose parameter values are copied into this profile.

devtype-classification
    Device identification parses the User-Agent strings in a client's HTTP packets to identify the client's device type and operating system. When this parameter is enabled, the output of the show user and show user-table commands includes each client's device type, if the device can be identified.
    Default: enabled

dot1x-default-role <role>
    Role assigned to the client after successful 802.1X authentication. If derivation rules are present, the role assigned through those rules takes precedence over this default role.
    NOTE: This parameter requires the PEFNG license.
    Default: guest

dot1x-server-group <group>
    Name of the server group used for 802.1X authentication. See aaa server-group.

download-role
    Enables download of the user role from ClearPass Policy Manager when the role returned for the client is not defined locally.
    Default: disabled

enforce-dhcp
    When enabled, clients must complete a DHCP exchange to obtain an IP address; a client that does not is not admitted. Enable this option when you use the aaa derivation-rules command to create a rule of the DHCP-Option type, since such a rule can only match options the client actually sends.
    Default: disabled

initial-role <role>
    Role for unauthenticated users.
    Default: logon

l2-auth-fail-through
    When enabled, a client that fails one Layer 2 authentication method can still be authenticated by another configured method. When disabled, the client is not offered another method after a failure.
    Default: disabled

mac-default-role <role>
    Role assigned to the user after successful MAC authentication. If derivation rules are present, the role assigned through those rules takes precedence over this default role.
    NOTE: This parameter requires the PEFNG license.
    Default: guest

mac-server-group <group>
    Name of the server group used for MAC authentication. See aaa server-group.

max-ip ipv4 wireless <max_ipv4_users>
    Controls the number of IPv4 addresses that can be associated with a single wireless user.
    Range: 1-32
    WARNING: Increasing the max-ip limit may prevent the system from scaling to the maximum number of users on all Mobility Master or managed devices. For more information, refer to Usage Guidelines for max-ip IPv4 Wireless.
    Default: 2

multiple-server-accounting
    If enabled, the Mobility Master sends RADIUS accounting to all servers in the RADIUS accounting server group.
    Default: disabled

no ...
    Negates any configured parameter.

open ssid radius accounting
    Initiates RADIUS accounting as soon as the user associates to an open SSID, without any authentication.
    NOTE: Do not enable this parameter for wired users. If enabled, the Mobility Master sends RADIUS accounting packets for unauthenticated wired users.
    Default: disabled

pan-integration
    Enables Palo Alto Networks (PAN) firewall integration for this profile; the profile must be mapped at the PAN firewall.
    Default: disabled

radius-accounting <group>
    Name of the server group used for RADIUS accounting. See aaa server-group.

radius-acct-session-id-in-access
    Includes the Acct-Session-Id attribute in RADIUS Access-Request packets, so that the authentication request and the accounting records of a session can be correlated on the server.

radius-interim-accounting
    By default, RADIUS accounting sends only Start and Stop messages to the RADIUS accounting server. Enable this parameter to make the managed device send Interim-Update messages with current user statistics to the server at regular intervals.
    Default: disabled

rfc-3576-server <ipaddr>
    IPv4 or IPv6 address of a RADIUS server that is allowed to send user disconnect, session timeout and Change of Authorization (CoA) messages, as described in RFC 3576, Dynamic Authorization Extensions to RADIUS. The server must be configured with aaa rfc-3576-server; only servers listed here can send these messages for this profile's users.
    NOTE: This parameter requires the PEFNG license.

radius-roam-accounting
    Makes the managed device send an Interim-Update message (without user statistics) to the server when a client roams to a different AP.

reauth-wired-user-vlan-change
    When a wired user moves across VLANs, a trigger is created to reauthenticate that user.
    Default: enabled

user-derivation-rules <profile>
    User derivation rules profile from which the user role or VLAN is derived. See aaa derivation-rules.

user-idle-timeout
    Idle timeout for clients of this profile, in seconds. A value of 0 deletes the user immediately after it disassociates from the wireless network; otherwise the valid range is 30-15300, in multiples of 30 seconds. Enabling this option overrides the global AAA timers; when it is disabled, the global settings are used.
    Default: disabled

username-from-dhcp-opt12
    Derives the username of non-802.1X users from DHCP option 12 (Host Name) as sent by the client. The value is supplied by the client and is not authenticated.

wired-to-wireless-roam
    Keeps the user authenticated when roaming from the wired side of the network to wireless.
    Default: enabled

xml-api-server <ipaddr>
    IP address of a configured XML API server. See aaa xml-api.
    NOTE: This parameter requires the PEFNG license.
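The following is an added example, not taken from this reference page, that ties the parameters above together into one 802.1X profile with RADIUS accounting and dynamic authorization. The server name, addresses, the shared-secret placeholder and the role "employee" are assumptions (the role must already exist as a user-role), and the syntax of the cross-referenced aaa authentication-server, aaa server-group and aaa rfc-3576-server commands is assumed from those commands, not documented here. It is written in running-config style; lines starting with "!" are annotations.

```text
! Added example, not from the ArubaOS reference page. Names, addresses and the
! shared-secret placeholder are assumptions; the role "employee" must exist.
! RADIUS server and server group (aaa authentication-server / aaa server-group,
! cross-referenced by this page; their sub-command syntax is assumed here).
aaa authentication-server radius cppm1
   host 10.0.0.10
   key <shared-secret>
!
aaa server-group radiusnet
   auth-server cppm1
!
! A Disconnect or CoA request is accepted only from a server defined here, and
! RFC 3576 authenticates each request with this shared secret.
aaa rfc-3576-server 10.0.0.10
   key <shared-secret>
!
aaa profile corpnet
   ! Unauthenticated clients stay in the restrictive logon role (the default).
   initial-role logon
   ! Predefined 802.1X authentication profile "default" (see aaa authentication dot1x).
   authentication-dot1x default
   dot1x-server-group radiusnet
   ! Role after successful 802.1X (requires the PEFNG license); a UDR would override it.
   dot1x-default-role employee
   ! Start/Stop accounting to the same group, with Interim-Updates and roam
   ! updates so the server's view of the session stays current.
   radius-accounting radiusnet
   radius-acct-session-id-in-access
   radius-interim-accounting
   radius-roam-accounting
   ! Server allowed to disconnect or re-authorize this profile's users (PEFNG license).
   rfc-3576-server 10.0.0.10
   ! Drop idle clients after 10 minutes instead of the global AAA timer.
   user-idle-timeout 600
!
```

After committing, show aaa profile corpnet lists the effective values; check in particular that rfc-3576-server shows the address you intended, since that list is what decides whose disconnect and CoA messages the managed device honors.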

Usage Guidelines

The AAA profile defines the user role for unauthenticated users, the default user role for MAC or 802.1X authentication, and the user derivation rules (UDRs). The AAA profile contains the authentication profile and the authentication server group.

Three predefined AAA profiles are available: default-dot1x, default-mac-auth, and default-open. Their parameter values are shown in the following table.

Parameter                default-dot1x    default-mac-auth   default-open
authentication-dot1x     default          N/A                N/A
authentication-mac       N/A              default            N/A
dot1x-default-role       authenticated    guest              guest
dot1x-server-group       N/A              N/A                N/A
initial-role             logon            logon              logon
mac-default-role         guest            authenticated      guest
mac-server-group         default          default            default
radius-accounting        N/A              N/A                N/A
rfc-3576-server          N/A              N/A                N/A
user-derivation-rules    N/A              N/A                N/A
wired-to-wireless-roam   enabled          enabled            enabled
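The following is an added example, not part of this reference page, of building on a predefined profile rather than editing it: it clones default-mac-auth for a MAC-authenticated IoT SSID and overrides the parameters that matter. The profile, role, UDR and server-group names are assumptions; "iot-restricted" must exist as a user-role, "radiusnet" as a server group, and "iot-udr" must be defined with aaa derivation-rules (cross-referenced on this page). Running-config style; "!" lines are annotations.

```text
! Added example, not from the ArubaOS reference page. Names are assumptions:
! user-role "iot-restricted", server group "radiusnet" and the UDR "iot-udr"
! (defined with aaa derivation-rules) must already exist.
aaa profile iot-mac
   ! clone first: it copies default-mac-auth's values (authentication-mac default,
   ! mac-server-group default, mac-default-role authenticated, initial-role logon)
   ! at the moment it runs, and the lines below then override them.
   clone default-mac-auth
   mac-server-group radiusnet
   ! Replace the clone's "authenticated" default role with a narrower one.
   mac-default-role iot-restricted
   ! Derive role/VLAN from DHCP options; a UDR match takes precedence over
   ! mac-default-role.
   user-derivation-rules iot-udr
   ! Required with a DHCP-Option UDR: a client that skips DHCP (static address)
   ! would otherwise never present the option the rule matches on.
   enforce-dhcp
!
```

Because clone copies values only when it is issued, order matters: a clone placed after the overrides would silently revert mac-default-role to the predefined "authenticated" role. show aaa profile iot-mac confirms the resulting values.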

Usage Guidelines for max-ip IPv4 Wireless

Changing the max-ip ipv4 wireless parameter from its default value is recommended only for special deployments. If your WLAN has multiple device IP addresses associated with a single MAC address, you can increase this value from the default of 2.

The default value is 2 IPv4 users per wireless user, so the total number of IPv4 users created can be at most two times the license count. If you configure 32 max-ip IPv4 users, the total number of IPv4 users can be 32 times the license count. This can prevent the managed device from scaling to its maximum limit of IP users; scale down the total number of IPv4 users to offset this.

Increasing the value of the max-ip ipv4 wireless parameter may also increase look-up time, because IPv4 users are created and deleted more often on the managed device. In a deployment with both Captive Portal and 802.1X authentication, increasing the number of IPv4 users can degrade performance further.

Example

The following commands configure an AAA profile that assigns the employee role to clients after they are authenticated by 802.1X against the server group radiusnet.

(host) ^[md] (config) #aaa profile corpnet

(host) ^[md] (AAA Profile "corpnet") #dot1x-default-role employee

(host) ^[md] (AAA Profile "corpnet") #dot1x-server-group radiusnet

Command History

Release          Modification
ArubaOS 8.5.0.0  The rfc-3576-server <ipaddr> parameter was updated to also support an IPv6 server address.
ArubaOS 8.3.0.0  The reauth-wired-user-vlan-change parameter was introduced.
ArubaOS 8.1.0.0  The radius-roam-accounting parameter was introduced.
ArubaOS 8.0.0.0  Command introduced.

Command Information

Platforms      License                                              Command Mode
All platforms  Base operating system, except for noted parameters.  Config mode on Mobility Master.
