service (wlan-config-context)

Invokes service commands applicable in the WLAN configuration mode

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

service [accounting-migration-on-roaming|allow-ht-only|allow-open-passpoint|
client-load-balancing|cred-cache|eap-mac-mode|eap-mac-multicopy|eap-mac-multikeys|eap-throttle|
enforce-pmkid-validation|key-index|monitor|radio-crypto|reauthentication|session-timeout|
tx-deauth-on-roam-detection|unresponsive-client|wpa-wpa2|show]
service accounting-migration-on-roaming
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|clear-on-disconnect]|
eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-validation|radio-crypto|reauthentication seamless|
session-timeout mac|tx-deauth-on-roam-detection|show cli]
service eap-mac-mode [mac-always|normal]
service eap-throttle <0-254>
service key-index eap-wep-unicast <1-4>
service monitor [aaa-server|adoption|captive-portal|dhcp|dns]
service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|timeout <1-60>]
service wpa-wpa2 exclude-ccmp

Parameters

service accounting-migration-on-roaming
accounting-migration-on-roaming Enables migration of accounting session information and data usage details from one AP to another for roaming clients.

When a client roams from AP1 to AP2, accounting for the client stops on AP1 and is resumed only after AP2 authenticates with the accounting server. By enabling this feature, accounting session information and data usage details migrates to the new AP, and the AP does not have to re-authenticate with the accounting server.

Note: Accounting session information is supported on all WiNG APs. In case of controllers, this feature is valid only when APs use the controller as a proxy.
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|
clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-validation|radio-crypto|
reauthentication seamless|session-timeout mac|tx-deauth-on-roam-detection|show cli]
allow-ht-only Only allows clients capable of High Throughput (802.11n) data rates to associate. This option is disabled by default.
allow-open-passpoint Enables non-WPA2 security for passpoint WLANs. This option is disabled by default.

For more information on passpoint policy and configuration, see Passpoint Policy.

cred-cache [clear-on-4way-timeout| clear-on-disconnect] Clears credential cache based on the parameter passed
  • clear-on-4way-timeout – Clears cached client credentials after the 4way handshake with a client has timed out. This option is enabled by default.
  • clear-on-disconnect – Clears cached client credentials after the client has disconnected from the network. This option is disabled by default.
eap-mac-multicopy Enables sending of multiple copies of broadcast and unicast messages. This option is disabled by default.
eap-mac-multikeys Enables configuration of different key indices for MAC authentication. This option is disabled by default.
enforce-pmkid-validation Validates the Predictive real-time Pairwise Master Key Identifier (PMKID) contained in a client‘s association request against the one present in the wpa-wpa2 handshake. This option is enabled by default.

This functionality is based on the Proactive Key Caching (PKC) extension of the 802.11i EEEE standard. Whenever a wireless client successfully authenticates with a AP it receives a Pairwise Master Key (PMK). PKC allows clients to cache this PMK and reuse it for future re-authentications with the same AP. The PMK is unique for every client and is identified by the PMKID. The PMKID is a combination of the hash of the PMK, a string, the station and the MAC addresses of the AP.

radio-crypto Uses radio hardware for encryption and decryption. This is applicable only for devices using Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP) encryption mode.
reauthentication seamless Enables seamless EAP client reauthentication without disconnecting client after the session has timed out. This option is enabled by default.
session-timeout mac Enables reauthentication of MAC authenticated clients without disconnecting client after the session has timed out. This option is enabled by default.
tx-deauth-on-roam-detection Transmits a de-authentication on the air while disassociating a client because its roam is detected on the wired side. This option is disabled by default.
show cli Displays the CLI tree of the current mode. When used in the WLAN mode, this command displays the WLAN CLI structure.
service eap-mac-mode [mac-always|normal]
eap-mac-mode Configures the EAP and/or MAC authentication mode used with this WLAN. This option is enabled by default.
mac-always Enables both EAP and MAC authentication. MAC authentication is performed first, followed by EAP authentication. Clients are granted access based on the EAP authentication result. If a client does not have EAP, the MAC authentication result is used to grant access.
normal Grants client access if the client clears either EAP or MAC authentication. This is the default setting.
service eap-throttle <0-254>
eap-throttle <0-254> Enables EAP request throttling. Use this command to specify the maximum number of parallel EAP sessions allowed on this WLAN. Once this specified value is exceeded, all incoming EAP session requests are throttled. This option is enabled by default.
  • <0-254> – Specify a value from 0 - 254. This default value is 0.
service key-index eap-wep-unicast <1-4>
key-index eap-wep-unicast <1-4> Configures an index with each key during EAP authentication with WEP. This option is enabled by default.
  • <1-4> – Select a index from 1 - 4. The default value is 1.
service wpa-wpa2 exclude-ccmp
wpa-wpa2 exclude-ccmp Configures exclusion of CCMP requests when the authentication mode is set to tkip-ccmp. When enabled, it provides compatibility for client devices not compliant with tkip-ccmp. This option is disabled by default.
service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
monitor Enables critical resource monitoring. In a WLAN, service monitoring enables regular monitoring of external AAA servers, captive portal servers, access point adoption, DHCP and DNS servers. When enabled, it allows administrators to notify users of a service‘s availability and make resource substitutions in case of unavailability of a service.
aaa-server Enables external AAA server failure monitoring. When enabled monitors an external RADIUS server resource‘s AAA activity and ensures its adoption and availability. This feature is disabled by default.
adoption vlan <1-4094> Enables adoption failure monitoring on an adopted AP. Also configures a adoption failover VLAN. This feature is disabled by default.
  • VLAN <1-4094> – Specify the VLAN on which clients are placed when the connectivity between the AAP and the controller is lost.

Configure a DHCP pool and gateway for the failover VLAN. Ensure the DHCP server is running on the AP. Also ensure that the DHCP pool is configured to have less lease time.

When this feature is enabled on a WLAN, it allows adopted APs to monitor their connectivity with the controller. If and when this connectivity is lost, all new clients are placed in the configured adoption failover VLAN. They are served an IP by the DHCP server running on the AP. In this situation if a client tries to access a Web URL, the AP redirects the client to a page stating that the service is down.

When the AAP‘s link to the switch is restored, clients are placed back in the WLAN‘s configured VLAN, and are served an IP from the corresponding configured DHCP server (external or on the AP/controller).

captive-portal external-server Enables external captive portal server failure monitoring. When enabled, monitors externally hosted captive portal activity, and user access to the controller or service platform managed network. This feature is disabled by default.

When enabled, this feature enables APs to display, to an externally located captive portal‘s user, the no-service page when the captive portal‘s server is not reachable.

service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
monitor Enables DHCP and/or DNS server monitoring on this WLAN.
dhcp Enables monitoring of a specified DHCP server. When the connection to the DHCP server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default.

Use the crm keyword to specify the DHCP server to monitor.

dns Enables monitoring of a specified DNS server. When the connection to the DNS server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default.

Use the crm keyword to specify the DNS server to monitor.

crm <RESOURCE-NAME> This keyword is common to the ‘dhcp‘ and ‘dns‘ parameters.
  • crm – Identifies the DHCP and/or DNS server to monitor
    • <RESOURCE-NAME> – Specify the name of the DHCP or DNS server.

Once enabled, the CRM server monitors the DHCP/DNS server and updates their status as ‘up‘ or ‘down‘ depending on the availability of the resource. When either of these resources is down the wireless client is mapped to the failover VLAN and served with the ‘no-service‘ page through the access point.

vlan <1-4094> This keyword is common to the ‘dhcp‘ and ‘dns‘ parameters.
After specifying the DHCP/DNS sever resource, specify the failover VLAN.
  • VLAN <1-4094> – Configures the failover VLAN from 1 - 4094.

    When the DHCP server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DHCP server configured that provides a pool of IP addresses with a lease time less than the main DHCP server.

    When this DNS server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DNS server configured that provides DNS address resolution until the main DNS server becomes available.

service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|
timeout <1-60>]
unresponsive Configures handling of unresponsive clients
attempts <1-1000> Configures the maximum number of successive packets that failed transmission
  • <1-1000> – Specify a value from 1 - 1000. The default is 7.
ps-detect {threshold <1-1000>} Enables the detection of power-save mode clients, whose PS stats has not been updated on the AP. This option is enabled by default.
  • threshold – Optional. Configures the threshold at which power-save client detection is triggered
    • <1-1000> – Configures the number of successive unacknowledged packets received before power-save detection is triggered. Specify a value from 1 - 1000. The default is 3.
timeout <1-60> Configures the interval, in seconds, for successive packets not acknowledged by the client
  • <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.

Examples

nx9500-6C8809(config-wlan-test)#service allow-ht-only
nx9500-6C8809(config-wlan-test)#service monitor aaa-server
nx9500-6C8809(config-wlan-test)#service accounting-migration-on-roaming
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none 
 service accounting-migration-on-roaming
 service monitor aaa-server
 service allow-ht-only
 controller-assisted-mobility
nx9500-6C8809(config-wlan-test)#

Related Commands

no (wlan-config-mode) Removes or reverts to default WLAN settings configured using the ‘service‘ command