authentication

Configures user authentication parameters

Supported on the following devices:

Syntax

authentication [eap|protocol|server]
authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|
identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]
authentication protocol [chap|mschap|mschapv2|pap]
authentication server <1-12> [dscp|host|nac|nai-routing|onboard|proxy-mode|retry-timeout-factor|timeout]
authentication server <1-12> dscp <0-63>
authentication server <1-12> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] 
{port <1-65535>}
authentication server <1-12> nac
authentication server <1-12> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}
authentication server <1-12> onboard [centralized-controller|controller|self]
authentication server <1-12> proxy-mode [none|through-centralized-controller|
through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
authentication server <1-12> retry-timeout-factor <50-200>
authentication server <1-12> timeout <1-60> {attempts <1-10>}

Parameters

authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|
identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]

eap

Configures EAP authentication parameters

wireless-client

Configures wireless client's EAP parameters

attempts <1-10>

Configures the maximum number of attempts allowed to authenticate a wireless client

  • <1-10> – Specify a value from 1 - 10. The default is 3.

identity-request-retry- timeout <10-5000>

Configures the interval, in milliseconds, after which an EAP-identity request to the wireless client is retried
  • <10-5000> – Specify a value from 10 - 5000 milliseconds. The default is 1000 milliseconds.

identity-request-timeout <1-60>

Configures the timeout, in seconds, after the last EAP-identity request message retry attempt (to allow time to manually enter user credentials)
  • <1-60> – Specify a value from 1 - 60 seconds. The default is 30 seconds.

retry-timeout-factor <50-200>

Configures the interval between successive EAP retries
  • <50-200> – Specify a value from 50 - 200. The default is 100.

A value of 100 indicates the interval between two consecutive retires remains the same irrespective of the number of retries.

A value lesser than 100 indicates the interval between two consecutive retries reduces with each successive retry.

A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.

timeout <1-60>

Configures the interval, in seconds, between successive EAP-identity request sent to a wireless client
  • <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.
authentication protocol [chap|mschap|mschapv2|pap]

protocol [chap|mschap| mschapv2|pap]

Configures one of the following protocols for non-EAP authentication:

  • chap – Uses Challenge Handshake Authentication Protocol (CHAP)

  • mschap – Uses Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

  • mschapv2 – Uses MS-CHAP version 2

  • pap – Uses Password Authentication Protocol (PAP). This is the default setting.

authentication server <1-12> dscp <0-63>

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.

  • <1-12> – Specify the RADIUS server index from 1 - 12.

dscp <0-63>

Configures the DSCP quality of service parameter generated in RADIUS packets. The DSCP value specifies the class of service provided to a packet, and is represented by a 6-bit parameter in the header of every IP packet.
  • <0-63> – Specify the value from 0 - 63. The default is 46.
authentication server <1-12> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|
2 <SECRET>|<SECRET>] {port <1-65535>}

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
  • <1-12> – Specify the RADIUS server index from 1 - 12.

host <IP/HOSTNAME>

Sets the RADIUS authentication server‘s IP address or hostname. You can use a host alias to identify the device hosting the authentication server. Ensure that the host alias is existing and configured.

secret [0 <SECRET>| 2 <SECRET>| <SECRET>]

Configures the RADIUS authentication server‘s secret key. This key is used to authenticate with the RADIUS server.
  • 0 <SECRET> – Configures a clear text secret

  • 2 <SECRET> – Configures an encrypted secret

  • <SECRET> – Specify the secret key. The shared key should not exceed 127 characters.

port <1-65535>

Optional. Specifies the RADIUS authentication server‘s UDP port (this port is used to connect to the RADIUS server)
  • <1-65535> – Specify a value from 1 - 65535. The default port is 1812.
authentication server <1-12> nac

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.

  • <1-12> – Specify the RADIUS server index from 1 - 12.

nac

Enables NAC (Network Access Control) on the RADIUS authentication server identified by the <1-12> parameter.

Using NAC, the controller hardware and software grant access to specific network resources. NAC performs a user and client authorization check for resources that do not have a NAC agent. NAC verifies the client‘s compliance with the controller‘s security policy. The controller supports only the EAP/802.1x type of NAC. However, the controller also provides a means to bypass NAC authentication for client‘s that do not have NAC 802.1x support (printers, phones, PDAs, etc.).

accounting server <1-12> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.

  • <1-12> – Specifies the RADIUS server index from 1 - 12.

nai-routing

Enables NAI routing. When enabled, AAA servers identify clients using NAI. This option is disabled by default.

The NAI is a character string in the format of an e-mail address as either user or user@realm but it need not be a valid e-mail address or a fully qualified domain name. AAA servers identify clients using the NAI. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. Using the generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dial up ISPs. With NAI, an ISP does not have the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers as need be.

realm-type [prefix|suffix] Configures the realm-type used for NAI authentication
  • prefix – Sets the realm prefix. For example, in the realm name ‘AC\JohnTalbot‘, the prefix is ‘AC‘ and the user name ‘JohnTalbot‘.
  • suffix – Sets the realm suffix. For example, in the realm name ‘JohnTalbot@AC.org‘ the suffix is ‘AC.org‘ and the user name is ‘JohnTalbot‘.
realm <REALM-NAME> Sets the realm information used for RADIUS authentication. The realm name should not exceed 64 characters in length. When the wireless controller or access point‘s RADIUS server receives a request for a user name the server references a table of usernames. If the user name is known, the server proxies the request to the RADIUS server.
  • <REALM-NAME> – Sets the realm used for authentication. This value is matched against the user name provided for RADIUS authentication.

    Example:

    Prefix - AC\JohnTalbot

    Suffix - JohnTalbot@AC.org

strip

Optional. Indicates the realm name must be stripped from the user name before sending it to the RADIUS server for authentication. For example, if the complete username is ‘AC\JohnTalbot‘, then with the strip parameter enabled, only the ‘JohnTalbot‘ part of the complete username is sent for authentication. This option is disabled by default.
authentication server <1-12> onboard [centralized-controller|controller|self]

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.

  • <1-12> – Specify the RADIUS server index from 1 - 12.

onboard [centralized-controller|controller|self]

Selects the onboard RADIUS server for authentication instead of an external host

  • centralized-controller – Configures the server on the centralized controller managing the network
  • controller – Configures the wireless controller, to which the AP is adopted, as the onboard wireless controller
  • self – Configures the onboard server on the device (AP or wireless controller) where the client is associated as the onboard wireless controller
authentication server <1-12> proxy-mode [none|through-centralized-controller|
through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.

  • <1-12> – Sets the RADIUS server index between 1 - 12

proxy-mode [none| through-centralized-controller| through-controller| through-mint-host <HOSTNAME/MINT-ID>| through-rf-domain-manager]

Configures the mode for proxying a request

  • none – Proxying is not done. The packets are sent directly using the IP address of the device. This is the default setting.
  • through-centralized-controller – The traffic is proxied through the centralized controller that is configuring and managing the network.
  • through-controller – The traffic is proxied through the wireless controller configuring this device.
  • through-mint-host <HOSTNAME/MINT-ID> – The traffic is proxied through a neighboring MiNT device. Provide the device‘s hostname or MiNT ID.
  • through-rf-domain-manager – The traffic is proxied through the local RF Domain manager.
authentication server <1-12> retry-timeout-factor <50-200>

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.

  • <1-12> – Specify the RADIUS server index from 1 - 12.

retry-timeout-factor <50-200>

Configures the scaling of timeouts between two consecutive RADIUS authentication retries
  • <50-200> – Specify the scaling factor from 50 - 200. The default is 100.

A value of 100 indicates the interval between two consecutive retires remains the same irrespective of the number of retries.

A value lesser than 100 indicates the interval between two consecutive retries reduces with each successive retry.

A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.

authentication server <1-12> timeout <1-60> {attempts <1-10>}

server <1-12>

Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured

  • <1-12> – Specify the RADIUS server index from 1 - 12.

timeout <1-60>

Configures the timeout, in seconds, for each request sent to the RADIUS server. This is the time allowed to elapse before another request is sent to the RADIUS server. If a response is received from the RADIUS server within this time, no retry is attempted.
  • <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.

attempts <1-10>

Optional. In case of no response from the RADIUS authentication server, this option configures he maximum number of attempts made in contacting the server, before retiring the request
  • <1-10> – Specify a value from 1 -10. The default is 3.

Examples

nx9500-6C8809(config-aaa-policy-test)#authentication server 5 host 172.16.10.10 secret 0 test1 port 1
nx9500-6C8809(config-aaa-policy-test)#authentication server 5 timeout 10 attempts 3
nx9500-6C8809(config-aaa-policy-test)#authentication protocol chap
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.20 secret 0 test1 port 1
 authentication server 5 timeout 10 attempts 3
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#

Related Commands

no Resets authentication server related parameters on this AAA policy