AAA Policy Settings for NAI RoutingNEW!

Details about specific AAA Policy settings that are used for NAI Routing:
Policy name.
NAI Routing
Enable static Network Access Identifier (NAI) routing. Allows for an NAI Realm configuration.


NAI Routing cannot be enabled for a Local Onboarding AAA Policy, and only RADSEC enabled servers can be associated with realms.
Authentication Protocol
Authentication protocol type for the RADIUS server (PAP, CHAP, MS-CHAP, or MSCHAP2).
Call Station ID

Identifies a group of access points. The Call Station ID is often configured in a large network using an external NAC or RADIUS server. Possible values are:

  • Wired MAC: SSID
  • BSSID (APs supported on a Centralized site only)
  • Site Name
  • Site Name: Device Group Name
  • AP Serial Number


Call Station ID allows for Zone authentication with a Centralized site.
  • Site Campus
  • Site Region
  • Site City

Accounting Type
Determines when the appliance generates the accounting request. Valid values are:
  • Start-Interim-Stop — Start record after successful login by the wireless device, interim record, and an accounting stop record based on session termination.
  • Start-Stop — Start record after successful login by the wireless device user and an accounting stop record based on session termination.

The appliance sends the accounting requests to a remote RADIUS server.

Wait for client IP before starting accounting procedure
By default, the Accounting Start record is generated when the client is authenticated. Enable this setting to generate the Accounting Start record when the client acquires a non local IP address. Use this option for captive portals, which use RADIUS Accounting to learn of the client IP address before providing the landing page.
Accounting Interim Interval
The number of seconds (60-3600) between each interim update for a specific session. Default value is 60.
Operator Name
RADIUS attribute composed of the operator namespace identifier and the operator name. The combination of operator name and namespace identifier uniquely identifies the owner of an access network. The Operator Name cannot exceed 253 bytes. Valid values are:
  • None
  • Tadig — Three-character Country Code followed by a two- character alphanumeric operator ID
  • Realm — Registered Domain Name of Operator
  • E212 — Mobile Country Code or Mobile Network Code
  • OneCC — Three-character Country Code followed by 1-6 uppercase ITU Carrier Codes
  • WBAID — Used with a WBA OpenRoaming AAA policy that is automatically generated when using an OpenRoaming Hotspot.
Realm Entries


Realm entries are available when NAI Routing is selected. Up to four realm entries are supported per AAA policy and each realm supports four Authentication servers and four Accounting servers.

To add a new realm entry:

  1. Select New and provide an NAI Realm value.

    Configure the Realm Name in accordance with the user domain name.

  2. Select New to add RADIUS server settings for Authentication and Accounting servers respectively.

Use the NAI Routing in the RADIUS packet to dynamically discover the RADIUS server for the realm. Enter an asterisk (*) as the realm name and enable Peer Discovery in the RADIUS Settings. Dynamic Discovery eliminates the need for static configuration of the server IP address.

When the realm name specifies an asterisk, it matches any realm specified in the Username attribute. If the realm specifies a string, matching looks for an @ in the Username RADIUS attribute and performs an exact, case insensitive match between what comes after the @ and the name of the realm. For example, if the received Username RADIUS attribute is, then the lookup is for If the realm name starts with a /, the name is treated as a regular expression. A case insensitive regular expression match is performed using the regular expression on the value of the entire Username attribute. A trailing / indicates the end of the regular expression. A trailing / is optional.

Click to expand in new window
Realm Configured for Dynamic Discovery
Example of a realm configuration for Dynamic Discovery.