Sets a RADIUS group‘s authorization settings, such as access day/time, WLANs, etc.


A user-based VLAN is effective only if dynamic VLAN authorization is enabled for the WLAN.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


policy [access|day|inactivity-timeout|role|session-time|ssid|time|vlan]
policy vlan <1-4094>
policy access [all|console|ssh|telnet|web]
policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}
policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}
policy inactivity-timeout <60-86400>
policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|
policy session-time <5-144000>
policy ssid <SSID>
policy time start <HH:MM> end <HH:MM>


Access and role settings are applicable only to a management group. They cannot be configured for a RADIUS non-management group.


policy vlan <1-4094>

vlan <1-4094>

Sets the guest RADIUS group‘s VLAN ID from 1 - 4094. The VLAN ID is representative of the shared SSID each group member (user) employs to inter-operate within the network (once authenticated by the local RADIUS server).

This option applicable to a guest user group, which has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each group. Guest user groups cannot be made management groups with unique access and role permissions.

Note: Enable dynamic VLAN assignment for the WLAN for the VLAN assignment to take effect.
policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}


Configures access type for a management group. Management groups can be assigned unique access and role permissions.
  • all – Allows all access. Allows access to the console, ssh, telnet, and/or Web
  • console – Allows console access only
  • ssh – Allows SSH access only
  • telnet – Allows Telnet access only
  • web – Allows Web access only

These parameters are recursive, and you can provide access to more than one component.

policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|
role [device-provisioning-admin|helpdesk|monitor|network-admin| security-admin|superuser|system-admin|web-user-admin]
Configures the role assigned to a management RADIUS group. If a group is listed as a management group, it may also have a unique role assigned. Available roles include:
  • device-provisioning-admin – Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a devices existing configuration unless the configuration is properly archived.
  • helpdesk – Helpdesk administrator. Performs troubleshooting tasks, such as clear statistics, reboot, create and copy tech support dumps. The helpdesk administrator can also create a guest user account and password for registration. These details can be e-mailed or sent as SMS to a mobile phone.
  • monitor – Monitor. Has read-only access to the network. Can view configuration and statistics except for secret information
  • network-admin – Network administrator. has wired and wireless access to the network. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF
  • security-admin – Security administrator. Has full read/write access to the network. Modifies WLAN keys and passphrases
  • superuser – Superuser. Has full access, including halt and delete startup config
  • system-admin – System administrator. Upgrades image, boot partition, time, and manages admin access
  • web-user-admin – Web user administrator. This role is used to create guest users and credentials. The web-user-admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.
policy inactivity-timeout <60-86400>
policy inactivity-timeout <60-86400> Configures the inactivity time for this RADIUS group users. If a frame is not received from a client for the specified period, then the client‘s session is removed. When defined, this value is used instead of the captive-portal inactivity timeout. If the inactivity timeout is not configured in the radius-group context or the captive-portal context, the default timeout (60 seconds) is applied.
  • <60-86400> – Specify a value from 60 - 86400 seconds. This option is disabled by default.
policy session-time <5-144000>
policy session-time <5-144000> Configures the session duration for client‘s belonging to a specific vendor group. Once configured, this is the duration for which over-the-air, on-boarded, successfully authenticated devices, belonging to a vendor group, get online access. The session is removed on completion of this duration. The vendor‘s RADIUS group takes precedence over statically configured group for device registration.
  • <5-144000> – Specify a value from 5 - 144000 minutes. This option is disabled by default.
policy ssid <SSID>

ssid <SSID>

Sets the SSID (Service Set Identifier) for this guest RADIUS group. Use this command to assign SSIDs that users within this RADIUS group are allowed to associate. Assign SSIDs of those WLANs only that the guest users need to access. This option is not available for a management group.
  • <SSID> – Specify a case-sensitive alphanumeric SSID, not exceeding 32 characters.

policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}
day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we| weekdays)} Configures the days on which this guest RADIUS group members can access the local RADIUS resources. The options are recursive, and you can provide access on multiple days.
  • fr – Allows access on Friday only

  • mo – Allows access on Mondays only

  • sa – Allows access on Saturdays only

  • su – Allows access on Sundays only

  • th – Allows access on Thursdays only

  • tu – Allows access on Tuesdays only

  • we – Allows access on Wednesdays only

  • weekdays – Allows access on weekdays only (Monday to Friday

policy time start <HH:MM> end <HH:MM>

time start<HH:MM> end <HH:MM>

Configures the time when this RADIUS group can access the network

  • start <HH:MM> – Sets the start time in the HH:MM format (for example, 13:30 means the user can login only after 1:30 PM). Specifies the time users, within each listed group, can access the local RADIUS resources.
  • end <HH:MM> – Sets the end time in the HH:MM format (for example, 17:30 means the user is allowed to remain logged in until 5:30 PM). Specifies the time users, within each listed group, lose access to the local RADIUS resources.

Usage Guidelines

A management group access policy provides:

  • access details

  • user role

  • policy's start and end time

The SSID, day, and VLAN settings are not applicable to a management user group.


The following example shows a RADIUS guest group settings:

nx9500-6C8809(config-radius-group-test)#policy time start 13:30 end 17:30
nx9500-6C8809(config-radius-group-test)#policy day all
nx9500-6C8809(config-radius-group-test)#policy vlan 1
nx9500-6C8809(config-radius-group-test)#policy ssid test
nx9500-6C8809(config-radius-group-test)#show context
radius-group test
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 policy time start 13:30 end 17:30

The following example shows a RADIUS management group settings:

nx9500-6C8809(config-radius-group-management)#policy access console ssh telnet
nx9500-6C8809(config-radius-group-management)#policy role network-admin
nx9500-6C8809(config-radius-group-management)#policy time start 9:30 end 20:30
nx9500-6C8809(config-radius-group-management)#show context
radius-group management
 policy time start 9:30 end 20:30
 policy access console ssh telnet web
 policy role network-admin

Related Commands


Removes or modifies a RADIUS group's access settings