wlan ssid-profile

wlan ssid-profile <ssid_profile>

Creates a WLAN SSID profile.

a-max-tx-rate <rate>

Configures the specify the maximum transmission rate for the 5 GHz band.

a-min-tx-rate <rate>

Configures the specify the minimum transmission rate for the 5 GHz band.

air-time-limit <limit>

auth-server <name>

Enables the authentication survivability feature.

NOTE: The authentication survivability feature requires ClearPass Policy Manager 6.0.2 or later, and is applicable only when external servers such as RADIUS are configured for the SSID. When enabled, Instant authenticates the previously connected clients using EAP-PEAP authentication even when connectivity to ClearPass Policy Manager is temporarily lost. The Authentication survivability feature is not applicable when a RADIUS server is configured as an internal server.

bandwidth-limit

<limit>

broadcast-filter <type>

Configures broadcast filtering parameters:

You can configure any of the following filtering parameters:

captive-portal

{<type>[exclude-uplink <types>]

|external[exclude-uplink <types>|

profile <name>[exclude-uplink <types>]]}

Configures captive portal authentication for the SSID.

If the external captive profiles are created, you can specify the profile name by using the external and profile keywords and associated parameters.

disable

dmo-channel-utilization-threshold

<threshold>

Sets a threshold for DMO channel utilization. IAP sends multicast traffic over the wireless link.

Enables 802.11k roaming on the SSID profile.

The 802.11k protocol enables IAPs and clients to dynamically measure the available radio resources.

When 802.11k is enabled, IAPs and clients send neighbor reports, beacon reports, and link measurement reports to each other.

Enables 802.11r on the SSID profile.

802.11r or fast BSS transition (FT) is an IEEE standard that permits continuous connectivity across wireless devices during client mobility. Fast BSS Transition mechanism minimizes the

delay in roaming when a client transitions from one BSS to another within the

same cluster.

Fast BSS Transition is operational only if the wireless client supports 802.11r standard. If the client does

support 802.11r standard, it falls back to normal WPA2 authentication method.

Enables 802.11v based BSS transition.

dtim-period <value>

Configures the Delivery Traffic Indication Message (DTIM) interval for the SSID profile.

The DTIM interval determines how often the IAP should deliver the buffered broadcast and multicast frames to associated clients in the powersaving mode.

When configured, the client checks for buffered data on the IAP at the specified number of beacons. You can also configure a higher value for DTIM interval for power saving.

dynamic-multicast-optimization

Allows the IAP to convert multicast streams into unicast streams over the wireless link. Enabling Dynamic Multicast Optimization (DMO) enhances the quality and reliability of streaming video, while preserving the bandwidth available to the non-video clients.

NOTE: When you enable DMO on multicast SSID profiles, ensure that the DMO feature is enabled on all SSIDs configured in the same VLAN.

enable

enforce-dhcp

external-server

g-min-tx-rate <rate>

Configures the specify the minimum transmission rate for the 2.4 GHz band.

g-max-tx-rate <rate>

hide-ssid

hotspot-profile <name>

inactivity-timeout <interval>

Configures a timeout value for the inactive client sessions.

When a client session is inactive for the specified duration, the session expires and the clients are required to log in again.

index <idx>

l2-auth-failthrough

Allows the clients to use 802.1X authentication when MAC authentication fails.

leap-use-session-key

Allows the users to derive session keys for Lightweight Extensible Authentication Protocol (LEAP) authentication.

Configure this command for old printers that use dynamic WEP and if you do not want use a session key from the RADIUS Server to derive pair wise unicast keys.

local-probe-req-thresh

<threshold>

Configures a Received signal strength indication (RSSI) threshold value to limit the number of incoming probe requests.

When enabled, this command controls the system response to the broadcast probe requests sent by clients to search for the available SSIDs and ignores the probe request if required,

Allows you to set a delimiter that can be used in the MAC address string for MAC authentication.

You can specify colon or dash for delimiter. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. If you specify colon for the delimiter, the MAC addresses in the xx:xx:xx:xx:xx:xx format are used.

max-authentication-failures <limit>

Configures the maximum number of authentication failures to dynamically blacklist the users.

The users who exceed the number of authentication failures configured through this command are dynamically blacklisted.

max-clients-threshold <threshold>

Allows the IAP to select the optimal rate for sending broadcast and multicast frames based on the lowest of unicast rates across all associated clients.

When enabled, the multicast traffic can be sent at the rate of 1-24 Mbps. The default rate for sending frames for 2.4 GHz is 1 Mbps and 5.0 GHz is 6 Mbps.

Disables opportunistic key caching (OKC).

In the OKC based roaming, the AP stores one pairwise master key (PMK) per client, which is derived from last 802.1X authentication completed by the client in the network. The cached PMK is used when a client roams to a new IAP to allow faster roaming of clients.

NOTE: If the wireless client (the 802.1X supplicant) does not support this feature, a complete 802.1X authentication is required whenever it roams to a new IAP. OKC is supported on WPA2-AES Enterprise network only.

opmode <opmode>

Configures the layer-2 authentication and encryption for this SSID to protect access and ensure the privacy of the data transmitted to and from the network.

You can configure any of the following types of encryption:

opensystem, wpa2-aes, wpa2-psk-aes, wpa-tkip, wpa-psk-tkip, wpa-tkip wpa2-aes, wpa-psk-tkip wpa2-psk-aes, static-wep, dynamic-wep

per-user-bandwidth-limit <limit>

Configures a bandwidth limit in Kbps for the SSID users.

NOTE: The bandwidth contracts can also be applied per SSID user.

radius-accounting

Enables accounting for the RADIUS server authentication.

When enabled, the IAPs post accounting information to the Radius server at the specified accounting interval.

radius-accounting-mode

{user-association|user-authentication}

Configures an accounting mode for the captive portal users.

You can configure any of the following modes for accounting:

radius-interim-accounting-interval

<minutes>

Configures an interval for posting accounting information as RADIUS INTERIM accounting records to the RADIUS server.

When configured, the IAP sends interim-update messages with current user statistics to the RADIUS server at regular intervals.

radius-reauth-interval

<minutes>

rf-band <band>

server-load-balancing

set-role{{contains|ends-with|

equals|matches-regular-expression|

not-equals|starts-with}

<operand> <role>|value-of}

Assigns a user role to the clients. The first rule that matches the configured condition is applied.

You can set any of the following conditions:

set-role-by-ssid

set-role-mac-auth <mac-only>

set-role-machine-auth

<machine-only>

<user-only>

Configures a machine authentication rule.

You can assign different rights to clients based on whether their hardware device supports machine authentication.

Machine authentication is only supported on Windows devices, so this can be used to distinguish between Windows devices and other devices such as iPads.

set-role-pre-auth <role>

set-role-unrestricted

set-vlan <attribute>{{contains|ends-with|

equals|matches-regular-expression|

not-equals|starts-with}

<operand> <vlan>|value-of}

Assigns a VLAN to the clients. The first rule that matches the configured condition is applied.

You can specify any of the following conditions:

termination

Configures the EAP portion of 802.1X authentication on the IAP, instead of the RADIUS server.

When enabled, this command reduces network traffic to the external RADIUS server by terminating the authorization protocol on the IAP. By default, for 802.1X authorization, the client conducts an EAP exchange with the RADIUS server, and the IAP acts as a relay for this exchange. The IAP by itself acts as an authentication server and terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.

wep-key <wep-key>

wmm-background-share <share>

wmm-best-effort-share <share>

wmm-video-share <share>

wmm-voice-share <share>

work-without-uplink

wpa-passphrase <passphrase>