AAA Policy Settings

Details about AAA Policy settings:
Name
Policy name.
NAI Routing
Enable static Network Access Identifier (NAI) routing. Allows for an NAI Realm configuration.
Note
NAI Routing cannot be enabled for a Local Onboarding AAA Policy. RADSEC and UDP enabled servers can be associated with realms. Dynamic Peer Discovery (RFC 7585) for the specific UDP Server within the realm entry must be Disabled.
Authentication Protocol
Authentication protocol type for the RADIUS server (PAP, CHAP, MS-CHAP, or MSCHAP2).
NAS IP Address
IP address of the Network Access Server (NAS).
NAS ID
A RADIUS attribute that identifies the client to a RADIUS server. The NAS-Identifier can be used instead of an IP address to identify the client.
Call Station ID

Identifies a group of access points. The Call Station ID is often configured in a large network using an external NAC or RADIUS server. Possible values are:

  • Wired MAC: SSID
  • BSSID (APs supported on a Centralized site only)
  • Site Name
  • Site Name: Device Group Name
  • AP Serial Number
  • Site Campus
  • Site Region
  • Site City
Note
Call Station ID allows for Zone authentication with a Centralized site.

Accounting Type
Determines when the appliance generates the accounting request. Valid values are:
  • Start-Interim-Stop — Start record after successful login by the wireless device, interim record, and an accounting stop record based on session termination.
  • Start-Stop — Start record after successful login by the wireless device user and an accounting stop record based on session termination.

The appliance sends the accounting requests to a remote RADIUS server.

Wait for client IP before starting accounting procedure
By default, the Accounting Start record is generated when the client is authenticated. Enable this setting to generate the Accounting Start record when the client acquires a non-local IP address. Use this option for captive portals, which use RADIUS Accounting to learn the client IP address before providing the landing page.
Accounting Interim Interval
The number of seconds (60-3600) between each interim update for a specific session. Default value is 60.
RADIUS Authentication Servers Mode
Note
Not applicable when NAI Routing is enabled.

Select the availability behavior for RADIUS servers. Valid values are: Failover or Load Balance.

AAA Policy supports the ability to load balance RADIUS requests across target servers in a load-balancing pool. (A minimum of two servers is required.) Each client authentication session begins and ends on a single RADIUS server. The ExtremeCloud IQ Controller validates that each server can be reached and logs an alert when a server in the pool is unreachable. The server pool is readjusted based on the status of each server in the pool.
Note
Configure one server for both Accounting and Authentication purposes.
When this setting is set to Failover, a RADIUS request is sent to one server at a time:
  • The RADIUS request is sent to the Primary server (based on the RADIUS server order in the AAA policy).
  • When the Primary server is not accessible, the request is sent to the second server (the Failover server).
  • When the Primary server is accessible, the request is automatically sent to the Primary server instead of the Failover server.
    Note
    The RADIUS Status message (RFC 5997) indicates if the RADIUS server is accessible.
When this setting is set to Load Balance, a RADIUS request is sent in round robin fashion:
  • When a RADIUS server is not accessible, ExtremeCloud IQ Controller stops sending requests to that server.
  • When a server is accessible, the server is added to the pool of servers.
    Note
    The RADIUS Status message (RFC 5997) indicates if the RADIUS server is accessible.
Note
There is no correlation between the RADIUS server that is used for authentication and the RADIUS server that is used for accounting.
RADIUS Accounting Servers Mode
Note
Not applicable when NAI Routing is enabled.

Determines the server selection mode when accounting packets are sent to a single server. When the selected accounting server does not respond to the accounting requests, the accounting packets are sent to the next configured accounting server. The selection applies to all Services and to all sites on ExtremeCloud IQ Controller.

  • Round-Robin — The server is selected on a round-robin basis starting at the top of the list of approved servers. The first server is used until it fails, and that pattern continues down the list. When the last server fails, then the first server is used again.
  • Broadcast — RADIUS accounting packets are sent to all configured accounting servers in the AAA Policy.

    For controllers in an availability pair, the primary and backup servers must be synchronized when the WLAN Services are synchronized. (For more information, see Availability Pair Settings.) If the primary server has failed, resulting in a backup server being used for authentication, the controller periodically sends a "Health Check" to the primary server to see if it has recovered. If the primary server has recovered, the controller starts using the primary server for all new authentications. All authentications in progress continue to use the backup server.

Note
There is no correlation between the RADIUS server that is used for authentication and the RADIUS server that is used for accounting.
Include Framed IP
Select this option to include the FRAMED-IP attribute value pair in the RADIUS ACCESS-REQ message. You can include the user IP address in the RADIUS ACCESS-REQ through the FRAMED-IP attribute. This can extend user access reporting capabilities. Framed IP is supported by External Captive Portal only. Centralized Web Authentication does not support Framed IP.
Report NAS Location
Note
Not applicable when NAI Routing is enabled.
Sends Network Access Server (NAS) Location per the RFC 5580 Out of Band agreement. After a NAS Location change, the new NAS Location is reported in the next RADIUS Request or RADIUS Accounting message.
Note
Mid-session requests and the Initial Server Request for Location as described in RFC 5580 are not supported.
The following additional attribute value pairs (AVP) used by RFC 5580 are supported:
  • LOCATION-INFO
  • LOCATION-DATA
    Note
    Site Location details are reported in LOCATION-DATA. For more information on Site Location information, see Site Location.
  • BASIC-LOCATION-POLICY-RULES
  • OPERATOR-NAME (Described below)
Override Reauthentication Timeout
Enable this setting to override the reauthentication period that is returned by the RADIUS server. When reauthentication is enabled, the timeout value that is returned by the RADIUS server is overwritten with the value that is specified here. Valid values for the Override Reauthentication Timeout are 60-300 seconds.
Block repeated failed Authentications
Enable this setting to minimize the RADIUS server load that is created by repeated authentication requests and failures. Authentication requests from a client are blocked for a configurable period of time. While blocked, RADIUS requests from the client are ignored. This setting applies to a specific WLAN. The client can continue to send authentication requests on a different WLAN.

The configured number of Consecutive failed Authentications must be received at the ExtremeCloud IQ Controller within the Elapsed time for failed Authentications (Seconds) for the Quiet Timeout (Seconds) to start. After the quiet timeout expires, the client's RADIUS requests are forwarded to the RADIUS server again.

When enabled, the following settings display:
Consecutive failed Authentications
The number of failed authentication attempts. Valid values are 1 to 10. Default value is 5.
Elapsed time for failed Authentications (Seconds)
The threshold in seconds that determines if the client authentication requests are blocked. This is the window of time in which the failed authentication attempts occur. Valid values are 1 to 10 seconds. The default value is 3 seconds.
Quiet Timeout (Seconds)
The amount of time that authentication requests from the client are blocked before its RADIUS requests are forwarded to the RADIUS server again. Valid values are 1 to 300 seconds. The default value is 300 seconds (5 minutes).
By default, if 5 attempts are made within 3 seconds, the client authentication requests are blocked for 300 seconds (5 minutes), and RADIUS requests from that client are ignored. After 5 minutes, client RADIUS requests are forwarded to the RADIUS server again.
Note
In Failover mode, the Deny list is published to the peer ExtremeCloud IQ Controller.
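The blocking rule described above, worked through in code as an added example (this is not ExtremeCloud IQ Controller code): failures are tracked per client and WLAN, the window is the Elapsed time setting, a success ends the run of consecutive failures, and the quiet period is what a Failover peer would receive as the Deny list. Timestamps are passed in explicitly so the behaviour is deterministic; the client MAC and WLAN names used to exercise it are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

@dataclass
class _ClientState:
    failures: Deque[float] = field(default_factory=deque)  # recent failure timestamps
    blocked_until: float = 0.0                              # end of the quiet period

class FailedAuthBlocker:
    """Tracks consecutive failed authentications per (client, WLAN) and decides
    whether the client's RADIUS requests are forwarded or ignored.
    Defaults are the page's: 5 failures within 3 seconds block for 300 seconds."""

    def __init__(self, max_failures: int = 5, window_s: float = 3.0, quiet_s: float = 300.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.quiet_s = quiet_s
        self._state: Dict[Tuple[str, str], _ClientState] = {}

    def _get(self, client_mac: str, wlan: str) -> _ClientState:
        return self._state.setdefault((client_mac, wlan), _ClientState())

    def should_forward(self, client_mac: str, wlan: str, now: float) -> bool:
        """True if a request from this client on this WLAN goes to the RADIUS server."""
        return self._get(client_mac, wlan).blocked_until <= now

    def record_success(self, client_mac: str, wlan: str) -> None:
        """A successful authentication ends the run of consecutive failures."""
        self._get(client_mac, wlan).failures.clear()

    def record_failure(self, client_mac: str, wlan: str, now: float) -> bool:
        """Register a failed authentication; return True if the client is (now) blocked."""
        st = self._get(client_mac, wlan)
        if st.blocked_until > now:
            return True  # already in the quiet period; the request is ignored
        st.failures.append(now)
        cutoff = now - self.window_s
        while st.failures and st.failures[0] < cutoff:
            st.failures.popleft()  # failures outside the elapsed-time window no longer count
        if len(st.failures) >= self.max_failures:
            st.blocked_until = now + self.quiet_s
            st.failures.clear()
            return True
        return False

    def deny_list(self, now: float) -> List[Tuple[str, str]]:
        """Clients currently blocked, i.e. what Failover mode would publish to the peer."""
        return sorted(k for k, st in self._state.items() if st.blocked_until > now)
```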
Operator Name
RADIUS attribute composed of the operator namespace identifier and the operator name. The combination of operator name and namespace identifier uniquely identifies the owner of an access network. The Operator Name cannot exceed 253 bytes. Valid values are:
  • Tadig — Three-character Country Code followed by a two-character alphanumeric operator ID
  • Realm — Registered Domain Name of Operator
  • E212 — Mobile Country Code or Mobile Network Code
  • OneCC — Three-character Country Code followed by 1-6 uppercase ITU Carrier Codes
  • WBAID — Used with a WBA OpenRoaming AAA policy that is automatically generated when using an OpenRoaming Hotspot.
  • None
RADIUS Authentication Servers
Note
Not applicable when NAI Routing is enabled.
To add RADIUS servers for authentication, select Add. You can configure up to four RADIUS servers for authentication.
RADIUS Accounting Servers
Note
Not applicable when NAI Routing is enabled.
To add RADIUS servers for accounting, select Add. You can configure up to four RADIUS servers for accounting.
Realm Entries
Note
Realm entries are available when NAI Routing is selected. Up to four realm entries are supported per AAA policy and each realm supports four Authentication servers and four Accounting servers.

To add a new realm entry:

  1. Select New and provide an NAI Realm value.

    Configure the Realm Name in accordance with the user domain name.

  2. Select New to add RADIUS server settings for Authentication and Accounting servers respectively.

A realm entry can reference a UDP server. For this configuration, NAI Realm Routing in the AAA Policy must be Enabled and Dynamic Peer Discovery (RFC 7585) for the specific UDP Server within the realm entry must be Disabled.

Use the NAI Routing in the RADIUS packet to dynamically discover the RADIUS server for the realm. Enter an asterisk (*) as the realm name and enable Peer Discovery in the RADIUS Settings. Dynamic Discovery eliminates the need for static configuration of the server IP address.

When the realm name specifies an asterisk, it matches any realm specified in the Username attribute. If the realm specifies a string, matching looks for an @ in the Username RADIUS attribute and performs an exact, case insensitive match between what comes after the @ and the name of the realm. For example, if the received Username RADIUS attribute is anonymous@example.com, then the lookup is for example.com. If the realm name starts with a /, the name is treated as a regular expression. A case insensitive regular expression match is performed using the regular expression on the value of the entire Username attribute. A trailing / indicates the end of the regular expression and is optional.
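The three realm-matching rules above (wildcard, literal string, regular expression), worked through as an added example that is not the controller's own implementation. The realm table, server-group labels and usernames are constructed; taking the realm as whatever follows the final @ (the RFC 7542 NAI form) and treating a Username without an @ as carrying no realm are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed realm table (not from the page). Each entry is
# (NAI Realm value, label of the server group it routes to). Entries are tried
# in order and the first match wins, so the "*" catch-all goes last.
REALM_TABLE: List[Tuple[str, str]] = [
    (r"/^host\/.*\.corp\.example$/", "machine-auth-servers"),  # regex form
    ("example.com", "corp-radius-servers"),                    # literal form
    ("*", "dynamic-peer-discovery"),                           # RFC 7585 lookup
]

def realm_of(username: str) -> Optional[str]:
    """Realm portion of a Username attribute, or None when there is no '@'.
    Assumption: the realm is what follows the final '@'."""
    if "@" not in username:
        return None
    return username.rpartition("@")[2]

def match_realm(username: str, realm_name: str) -> bool:
    """Apply one realm entry to a Username using the page's three rules."""
    if realm_name == "*":
        # Wildcard: matches any realm carried in the Username. Assumption: a
        # Username with no '@' carries no realm and so does not match.
        return realm_of(username) is not None
    if realm_name.startswith("/"):
        # Regex form: drop the leading '/' and the optional trailing '/', then
        # match case-insensitively against the ENTIRE Username attribute.
        pattern = realm_name[1:]
        if pattern.endswith("/"):
            pattern = pattern[:-1]
        return re.search(pattern, username, re.IGNORECASE) is not None
    # Literal form: exact, case-insensitive comparison of the part after '@'.
    realm = realm_of(username)
    return realm is not None and realm.lower() == realm_name.lower()

def route(username: str, table: List[Tuple[str, str]] = REALM_TABLE) -> Optional[str]:
    """Server-group label for the first realm entry that matches, else None."""
    for realm_name, target in table:
        if match_realm(username, realm_name):
            return target
    return None  # no realm entry matched; the request cannot be routed
```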

Figure: Realm Configured for Dynamic Discovery (example of a realm configuration for Dynamic Discovery).