aaa profile

aaa profile <profile>

ageout-bridge-user

authentication-dot1x <dot1x-profile>

authentication-mac <mac-profile>

clone <profile>

devtype-classification

dot1x-default-role <role>

dot1x-server-group <group>

download-role

enforce-dhcp

initial-role <role>

l2-auth-fail-through

mac-default-role <role>

mac-server-group <group>

max-ip ipv4 wireless <max_ipv4_users>

multiple-server-accounting

no ...

open ssid radius accounting

pan-integration

radius-accounting <group>

radius-acct-session-id-in-access

radius-interim-accounting

radius-roam-accounting

reauth-wired-user-vlan-change

rfc-3576-server <ipaddr>

user-derivation-rules <profile>

user-idle-timeout

username-from-dhcp-opt12

wired-to-wireless-roam

xml-api-server <ipaddr>

Description

This command configures the authentication for a WLAN.

Parameter

Description

<profile>

Name that identifies this instance of the profile. The name must be 1-63 characters.

Default: default

ageout-bridge-user

Enables ageout mechanism for wireless clients in bridge mode.

authentication-dot1x <dot1x-profile>

Name of the 802.1X authentication profile associated with the WLAN.

authentication-mac <mac-profile>

Name of the MAC authentication profile associated with the WLAN.

clone <profile>

Name of an existing AAA profile configuration from which parameter values are copied.

devtype-classification

The device identification feature can automatically identify different client device types and operating systems by parsing the User-Agent strings in a client’s HTTP packets. When the devtype-classification parameter is enabled, the output of the show user and show user-table commands shows each client’s device type, if that client device can be identified.

Default: enabled

dot1x-default-role <role>

Configured role assigned to the client after 802.1X authentication. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role. This parameter requires the PEFNG license.

Default: guest

dot1x-server-group <group>

Name of the server group used for 802.1X authentication.

download-role

Enables role download from ClearPass Policy Manager if not defined.

Default: 2

enforce-dhcp

When you enable this option, clients must complete a DHCP exchange to obtain an IP address.

Default: disabled

initial-role <role>

Role for unauthenticated users.

Default: logon

l2-auth-fail-through

Selects a different authentication method if one fails.

Default: disabled

mac-default-role <role>

Configured role assigned to the user when the device is MAC authenticated. If derivation rules are present, the role assigned to the client through these rules takes precedence over the default role. This parameter requires the PEFNG license.

Default: guest

mac-server-group <group>

Name of the server group used for MAC authentication.

max-ip ipv4 wireless <max_ipv4_users>

Controls the number of IPv4 addresses that can be associated with a single wireless user. Increasing the max-ip limit may prevent the system from scaling to the maximum number of users on all Mobility Conductor or managed devices.

Range: 1-32

Default: 2

multiple-server-accounting

If enabled, the Mobility Conductor sends RADIUS accounting to all servers in RADIUS accounting server group.

Default: disabled

no

Negates any configured parameter.

open ssid radius accounting

Initiates RADIUS accounting as soon as the user associates to an Open SSID without any authentication. Do not enable this parameter for wired users. If enabled, the Mobility Conductor sends RADIUS accounting packets for unauthenticated wired users.

Default: disabled

pan-integration

The profile requires mapping at a Palo Alto Networks (PAN) firewall.

Default: disabled

radius-accounting <group>

Name of the server group used for RADIUS accounting.

radius-acct-session-id-in-access

Includes the Acct-Session-Id attribute in RADIUS Access-Request messages.

radius-interim-accounting

By default, the RADIUS accounting feature sends only start and stop messages to the RADIUS accounting server. Enable radius-interim-accounting to allow the managed device to send Interim-Update messages with current user statistics to the server at regular intervals.

Default: disabled

rfc-3576-server <ipaddr>

IPv4 or IPv6 address of a RADIUS server that can send user disconnect, session timeout and CoA messages, as described in RFC 3576, Dynamic Authorization Extensions to RADIUS. This parameter requires the PEFNG license.

radius-roam-accounting

Enable the managed device to send Interim-Update messages (without user statistics) to the server, when a client roams to a different AP.

reauth-wired-user-vlan-change

When a wired user moves across VLANs, a trigger is created to reauthenticate this user.

Default: Enabled

user-derivation-rules <profile>

User attribute profile from which the user role or VLAN is derived.

user-idle-timeout

The user idle timeout for this profile. Specify the idle timeout value for the client in seconds. A value of 0 deletes the user immediately after disassociation from the wireless network. The valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used.

Default: disabled

username-from-dhcp-opt12

Uses DHCP option 12 as the username for non-802.1X users.

wired-to-wireless-roam

Keeps user authenticated when roaming from the wired side of the network.

Default: enabled

xml-api-server <ipaddr>

IP address of a configured XML API server. This parameter requires the PEFNG license.

The AAA profile defines the user role for unauthenticated users, the default user role for MAC or 802.1X authentication, and UDRs (user derivation rules). The AAA profile contains the authentication profile and authentication server group.

There are predefined AAA profiles available, default-dot1x, default-mac-auth, and default-open. These profiles have the parameter values shown in the following table.

Parameter               default-dot1x    default-mac-auth    default-open

authentication-dot1x    default          N/A                 N/A

authentication-mac      N/A              default             N/A

dot1x-default-role      authenticated    guest               guest

dot1x-server-group      N/A              N/A                 N/A

initial-role            logon            logon               logon

mac-default-role        guest            authenticated       guest

mac-server-group        default          default             default

radius-accounting       N/A              N/A                 N/A

rfc-3576-server         N/A              N/A                 N/A

user-derivation-rules   N/A              N/A                 N/A

wired-to-wireless-roam  enabled          enabled             enabled

Changing the max-ip ipv4 wireless parameter from the default value is recommended for special deployments. If your WLAN has multiple device IP addresses associated with a single MAC address, you can increase this value from the default value of 2.

The default value is 2 IPv4 users per wireless user. The total number of IPv4 users created can be a maximum of two times the license. If you configure 32 max-ip IPv4 users, the total number of IPv4 users is 32 times the license. This can prevent the managed device from scaling to the maximum limit of IP users; scale the total number of IPv4 users down to offset this issue.

Increasing the value of the max-ip ipv4 wireless parameter may increase the look-up time due to an increase in the creation and deletion of IPv4 users on the managed device. In a deployment where both Captive Portal and 802.1X authentication are implemented, increasing the number of IPv4 users can further degrade performance.

Example

The following command configures an AAA profile that assigns the employee role to clients after they are authenticated using the 802.1X server group radiusnet.

(host) ^[md] (config) #aaa profile corpnet

(host) ^[md] (AAA Profile "corpnet") #dot1x-default-role employee

(host) ^[md] (AAA Profile "corpnet") #dot1x-server-group radiusnet
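The following Python module is an added example, not ArubaOS code or anything from the Aruba documentation. It models the `aaa profile` parameters described on this page, copies values the way `clone <profile>` does (starting from the predefined profiles in the table above), checks the ranges the page states (profile name length, max-ip ipv4 wireless, user-idle-timeout), computes the IPv4 user ceiling from the max-ip discussion, and renders the CLI lines for the corpnet example above. The dataclass field names, the `render()` layout and the `KEYWORDS` map are assumptions made for this example; the parameter names, defaults and ranges are taken from the page.

```python
"""Added example (not ArubaOS code): model, clone, validate and render an `aaa profile`."""
from dataclasses import dataclass, fields, replace
from typing import List, Optional

# Predefined profiles, taken from the page's table (N/A -> None, i.e. unset).
PREDEFINED = {
    "default-dot1x":    dict(authentication_dot1x="default", dot1x_default_role="authenticated",
                             mac_default_role="guest", mac_server_group="default"),
    "default-mac-auth": dict(authentication_mac="default", dot1x_default_role="guest",
                             mac_default_role="authenticated", mac_server_group="default"),
    "default-open":     dict(dot1x_default_role="guest", mac_default_role="guest",
                             mac_server_group="default"),
}


@dataclass
class AAAProfile:
    """Subset of `aaa profile` parameters; the defaults are the ones the page states."""
    name: str
    authentication_dot1x: Optional[str] = None
    authentication_mac: Optional[str] = None
    dot1x_default_role: str = "guest"
    dot1x_server_group: Optional[str] = None
    initial_role: str = "logon"
    mac_default_role: str = "guest"
    mac_server_group: Optional[str] = None
    radius_accounting: Optional[str] = None
    rfc_3576_server: Optional[str] = None
    user_derivation_rules: Optional[str] = None
    max_ip_ipv4_wireless: int = 2
    user_idle_timeout: Optional[int] = None   # None == disabled: the global AAA timers apply
    radius_interim_accounting: bool = False
    wired_to_wireless_roam: bool = True


# CLI keywords whose spelling is not a plain underscore-to-dash of the field name (assumption).
KEYWORDS = {"max_ip_ipv4_wireless": "max-ip ipv4 wireless"}


def clone_profile(name: str, source) -> AAAProfile:
    """`clone <profile>`: copy parameter values from a predefined name or an existing profile."""
    if isinstance(source, AAAProfile):
        return replace(source, name=name)
    return AAAProfile(name=name, **PREDEFINED[source])


def validate(p: AAAProfile) -> List[str]:
    """Return the constraint violations documented on the page (empty list == OK)."""
    problems = []
    if not 1 <= len(p.name) <= 63:
        problems.append("profile name must be 1-63 characters")
    if not 1 <= p.max_ip_ipv4_wireless <= 32:
        problems.append("max-ip ipv4 wireless must be in the range 1-32")
    t = p.user_idle_timeout
    if t is not None and t != 0 and not (30 <= t <= 15300 and t % 30 == 0):
        problems.append("user-idle-timeout must be 0 or 30-15300 in multiples of 30 seconds")
    return problems


def ipv4_user_ceiling(licensed_users: int, max_ip: int) -> int:
    """Upper bound on IPv4 user entries: max-ip times the license, as the page explains."""
    return licensed_users * max_ip


def render(p: AAAProfile) -> List[str]:
    """Emit CLI lines for every value that differs from a fresh profile's defaults."""
    base = AAAProfile(name=p.name)
    lines = [f"aaa profile {p.name}"]
    for f in fields(AAAProfile):
        if f.name == "name":
            continue
        value, default = getattr(p, f.name), getattr(base, f.name)
        if value == default or value is None:
            continue
        keyword = KEYWORDS.get(f.name, f.name.replace("_", "-"))
        if isinstance(value, bool):
            lines.append(keyword if value else f"no {keyword}")
        else:
            lines.append(f"{keyword} {value}")
    return lines


if __name__ == "__main__":
    # Reproduce the page's corpnet example on top of the predefined default-dot1x profile.
    corpnet = clone_profile("corpnet", "default-dot1x")
    corpnet.dot1x_default_role = "employee"
    corpnet.dot1x_server_group = "radiusnet"
    print("\n".join(render(corpnet)))
    print(validate(clone_profile("bad", corpnet)))
    print(ipv4_user_ceiling(1000, 32))
```

Cloning from default-dot1x carries over authentication-dot1x and mac-server-group, so the rendered output shows more lines than the three commands typed in the example; that is the same effect `clone` has on the device.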

Command History

Release            Modification

ArubaOS 8.7.0.0    The ageout-bridge-user parameter was introduced.

ArubaOS 8.5.0.0    The rfc-3576-server <ipaddr> parameter was updated to also support an IPv6 address for the server.

ArubaOS 8.3.0.0    The reauth-wired-user-vlan-change parameter was added.

ArubaOS 8.1.0.0    The radius-roam-accounting parameter was added.

ArubaOS 8.0.0.0    Command introduced.

Command Information

Platforms        License                                               Command Mode

All platforms    Base operating system, except for noted parameters.   Config mode on Mobility Conductor.