radius

Configures RADIUS-related parameters.

Supported on the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]
radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|
vlan-assignment]

Parameters

radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|
vlan-assignment]
dynamic-authorization – Enables support for disconnect and change of authorization messages (RFC 5176). When enabled, this option extends the RADIUS protocol to support unsolicited messages from the RADIUS server. These messages allow administrators to issue change of authorization (CoA) messages, which affect session authorization, or disconnect messages (DM) that terminate a session immediately. This option is disabled by default.

nas-identifier <NAS-ID> – Configures the network access server (NAS) identifier attribute, a value that identifies the access point or controller where the RADIUS messages originate. The value specified here is included in the RADIUS NAS-Identifier field for WLAN authentication and accounting packets.
  • <NAS-ID> – Specify the NAS identifier attribute (should not exceed 256 characters in length).

nas-port-id <NAS-PORT-ID> – Configures the WLAN NAS port ID sent to the RADIUS server. The NAS port identifier should not exceed 256 characters.
  • <NAS-PORT-ID> – Specify the NAS port ID attribute (should not exceed 256 characters in length).

The profile database on the RADIUS server consists of user profiles for each connected NAS port. Each profile is matched to a username representing a physical port. When authorizing users, the RADIUS server queries the user profile database using a username that represents the physical NAS port making the connection. Set the numeric port value from 0 - 4294967295.

vlan-assignment – Configures the VLAN assignment of a WLAN. RADIUS VLAN assignment is disabled by default.

When enabled, this option assigns clients to the VLANs specified by the RADIUS server, overriding the WLAN configuration. This option is disabled by default. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS access-accept packet, and this feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the VLAN-ID returned by the RADIUS server is ignored and the VLAN specified using the vlan/vlan-pool-member options (in the WLAN config mode) is used.

If both the RADIUS VLAN assignment and the post authentication VLAN options are enabled, then RADIUS VLAN assignment takes priority over post authentication VLAN configuration.

Examples

nx9500-6C8809(config-wlan-test)#radius vlan-assignment
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 --More--
nx9500-6C8809(config-wlan-test)#
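
What a NAS has to check before acting on the unsolicited messages that dynamic-authorization enables, as an added example (not WiNG code and not part of the original page): per RFC 5176 the Request Authenticator is verified against the shared secret, and a NAS-Identifier carried in the request must match the value set with radius nas-identifier. The shared secret and NAS identifier are constructed sample values, and build_request and validate_request are hypothetical helper names.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 43: "CoA-Request"}  # RFC 5176 request codes
NAS_IDENTIFIER = 32                     # RFC 2865 attribute type
SECRET = b"constructed-shared-secret"   # constructed sample value
NAS_ID = b"ap-lobby-01"                 # constructed; stands for the nas-identifier value


def build_request(code, ident, attrs, secret):
    """Build a constructed sample request, standing in for the RADIUS server."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def validate_request(packet, secret, nas_id):
    """Return (accepted, reason) for an unsolicited CoA or Disconnect request."""
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        return False, "unexpected code"
    if length < 20 or length > len(packet):
        return False, "bad length"
    body = packet[20:length]
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator"
    pos = 0
    while pos < len(body):              # walk the attribute TLVs
        if pos + 2 > len(body):
            return False, "malformed attribute"
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return False, "malformed attribute"
        # A NAS-Identifier naming a different NAS means the request is not for us
        if atype == NAS_IDENTIFIER and body[pos + 2:pos + alen] != nas_id:
            return False, "NAS-Identifier mismatch"
        pos += alen
    return True, CODES[code]
```

A request that fails the authenticator check was not produced with the shared secret and should be dropped without a reply.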

Related Commands

no (wlan-config-mode) – Disables support for disconnect and change of authorization messages. Disables the use of VLAN information received in RADIUS server responses and uses the VLAN provided in the WLAN configuration instead. Removes the configured NAS identifier and NAS port identifier.