Configures user authentication parameters
authentication [eap|protocol|server]
authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]
authentication protocol [chap|mschap|mschapv2|pap]
authentication server <1-12> [dscp|host|nac|nai-routing|onboard|proxy-mode|retry-timeout-factor|timeout]
authentication server <1-12> dscp <0-63>
authentication server <1-12> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}
authentication server <1-12> nac
authentication server <1-12> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}
authentication server <1-12> onboard [centralized-controller|controller|self]
authentication server <1-12> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
authentication server <1-12> retry-timeout-factor <50-200>
authentication server <1-12> timeout <1-60> {attempts <1-10>}
authentication eap wireless-client [attempts <1-10>|identity-request-retry-timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>|timeout <1-60>]
eap | Configures EAP authentication parameters
wireless-client | Configures wireless client's EAP parameters
attempts <1-10> | Configures the maximum number of attempts allowed to authenticate a wireless client
identity-request-retry-timeout <10-5000> | Configures the interval, in milliseconds, after which an EAP-identity request to the wireless client is retried
identity-request-timeout <1-60> | Configures the timeout, in seconds, after the last EAP-identity request message retry attempt (to allow time to manually enter user credentials)
retry-timeout-factor <50-200> | Configures the interval between successive EAP retries. A value of 100 indicates the interval between two consecutive retries remains the same irrespective of the number of retries. A value less than 100 indicates the interval between two consecutive retries reduces with each successive retry. A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.
timeout <1-60> | Configures the interval, in seconds, between successive EAP-identity requests sent to a wireless client
authentication protocol [chap|mschap|mschapv2|pap]
protocol [chap|mschap|mschapv2|pap] | Configures one of the following protocols for non-EAP authentication: chap (Challenge Handshake Authentication Protocol), mschap (Microsoft CHAP), mschapv2 (Microsoft CHAP version 2), or pap (Password Authentication Protocol)
authentication server <1-12> dscp <0-63>
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
dscp <0-63> | Configures the DSCP quality of service parameter generated in RADIUS packets. The DSCP value specifies the class of service provided to a packet, and is represented by a 6-bit parameter in the header of every IP packet.
authentication server <1-12> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
host <IP/HOSTNAME/HOST-ALIAS> | Sets the RADIUS authentication server's IP address or hostname. You can use a host alias to identify the device hosting the authentication server. Ensure that the host alias exists and is configured.
secret [0 <SECRET>|2 <SECRET>|<SECRET>] | Configures the RADIUS authentication server's secret key. This key is used to authenticate with the RADIUS server.
port <1-65535> | Optional. Specifies the RADIUS authentication server's UDP port (this port is used to connect to the RADIUS server)
authentication server <1-12> nac
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
nac | Enables NAC (Network Access Control) on the RADIUS authentication server identified by the <1-12> parameter. Using NAC, the controller hardware and software grant access to specific network resources. NAC performs a user and client authorization check for resources that do not have a NAC agent. NAC verifies the client's compliance with the controller's security policy. The controller supports only the EAP/802.1x type of NAC. However, the controller also provides a means to bypass NAC authentication for clients that do not have NAC 802.1x support (printers, phones, PDAs, etc.).
authentication server <1-12> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
nai-routing | Enables NAI routing. When enabled, AAA servers identify clients using the NAI. This option is disabled by default. The NAI is a character string in the format of an e-mail address, as either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. The generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dial-up ISPs. With NAI, an ISP does not need the accounts for all of its roaming partners in a single RADIUS database; RADIUS servers can proxy requests to remote servers as needed.
realm-type [prefix|suffix] | Configures the realm type used for NAI authentication
realm <REALM-NAME> | Sets the realm information used for RADIUS authentication. The realm name should not exceed 64 characters in length. When the wireless controller or access point's RADIUS server receives a request for a user name, the server references a table of usernames. If the user name is known, the server proxies the request to the RADIUS server.
strip | Optional. Indicates the realm name must be stripped from the user name before sending it to the RADIUS server for authentication. For example, if the complete username is 'AC\JohnTalbot', then with the strip parameter enabled, only the 'JohnTalbot' part of the complete username is sent for authentication. This option is disabled by default.
authentication server <1-12> onboard [centralized-controller|controller|self]
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
onboard [centralized-controller|controller|self] | Selects the onboard RADIUS server for authentication instead of an external host
authentication server <1-12> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager] | Configures the mode for proxying a request
authentication server <1-12> retry-timeout-factor <50-200>
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
retry-timeout-factor <50-200> | Configures the scaling of timeouts between two consecutive RADIUS authentication retries. A value of 100 indicates the interval between two consecutive retries remains the same irrespective of the number of retries. A value less than 100 indicates the interval between two consecutive retries reduces with each successive retry. A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.
authentication server <1-12> timeout <1-60> {attempts <1-10>}
server <1-12> | Configures a RADIUS authentication server. Up to 12 RADIUS servers can be configured.
timeout <1-60> | Configures the timeout, in seconds, for each request sent to the RADIUS server. This is the time allowed to elapse before another request is sent to the RADIUS server. If a response is received from the RADIUS server within this time, no retry is attempted.
attempts <1-10> | Optional. In case of no response from the RADIUS authentication server, this option configures the maximum number of attempts made in contacting the server before retiring the request
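The `timeout`, `attempts` and `retry-timeout-factor` parameters together decide how long a client waits on an unreachable RADIUS server before the request is retired, and the EAP `wireless-client` section earlier on this page uses the same factor semantics. The following added example (written for this page, not the controller's own code) computes the retry schedule under one assumed model: the n-th attempt (n starting at 0) waits `timeout * (factor/100)**n` seconds. That model is a simplification chosen because it reproduces the three behaviours the description states (100 keeps intervals constant, below 100 shrinks them, above 100 grows them); the real implementation may scale differently. The value ranges are taken from the command syntax; the function names are this example's own.

```python
"""Worst-case wait for an unresponsive RADIUS server from timeout, attempts and
retry-timeout-factor (illustrative model; not the controller's implementation)."""
from typing import List, Sequence, Tuple


def validate(timeout: int, attempts: int, factor: int) -> None:
    """Reject values outside the ranges the command syntax allows."""
    if not 1 <= timeout <= 60:
        raise ValueError("timeout must be 1-60 seconds")
    if not 1 <= attempts <= 10:
        raise ValueError("attempts must be 1-10")
    if not 50 <= factor <= 200:
        raise ValueError("retry-timeout-factor must be 50-200")


def retry_intervals(timeout: int, attempts: int, factor: int = 100) -> List[float]:
    """Seconds waited for each attempt, in order.

    Assumed model: attempt n waits timeout * (factor/100) ** n seconds, so a
    factor of 100 keeps every interval equal to `timeout`, a smaller factor
    shortens each successive wait and a larger factor lengthens it.
    """
    validate(timeout, attempts, factor)
    scale = factor / 100.0
    return [round(timeout * scale ** n, 3) for n in range(attempts)]


def time_to_failover(timeout: int, attempts: int, factor: int = 100) -> float:
    """Total seconds before a request to a silent server is retired, i.e. the
    window during which an outage of that server stalls client logins."""
    return round(sum(retry_intervals(timeout, attempts, factor)), 3)


def max_wait_for_server_list(servers: Sequence[Tuple[int, int, int]]) -> float:
    """Worst case when every configured server is down: the policy walks the
    list, so the waits add up. Each entry is (timeout, attempts, factor)."""
    return round(sum(time_to_failover(*s) for s in servers), 3)


if __name__ == "__main__":
    # timeout 10 / attempts 3 is the setting used in the CLI example on this page.
    print("factor 100:", retry_intervals(10, 3, 100), "->", time_to_failover(10, 3, 100), "s")
    print("factor  50:", retry_intervals(10, 3, 50), "->", time_to_failover(10, 3, 50), "s")
    print("factor 200:", retry_intervals(10, 3, 200), "->", time_to_failover(10, 3, 200), "s")
    # Two servers, both unreachable (constructed values):
    print("two servers down:", max_wait_for_server_list([(10, 3, 100), (5, 2, 100)]), "s")
```

With the page's `timeout 10 attempts 3` and the default factor, a dead primary server holds each login for 30 seconds before the next server is tried; a factor of 200 stretches the same three attempts to 70 seconds. When sizing these values, weigh the cost of a slow failover (a reachable secondary server sits idle while clients queue) against the cost of an aggressive one (a congested but healthy server is abandoned early and hammered with duplicate requests), and check the figure against the 802.1X supplicant's own timeout so the client does not give up before the controller does.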
nx9500-6C8809(config-aaa-policy-test)#authentication server 5 host 172.16.10.10 secret 0 test1 port 1
nx9500-6C8809(config-aaa-policy-test)#authentication server 5 timeout 10 attempts 3
nx9500-6C8809(config-aaa-policy-test)#authentication protocol chap
nx9500-6C8809(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.20 secret 0 test1 port 1
 authentication server 5 timeout 10 attempts 3
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
nx9500-6C8809(config-aaa-policy-test)#
no | Resets authentication server related parameters on this AAA policy |