AAA Policy Settings for NAI Routing

Details about specific AAA Policy settings that are used for NAI Routing:
Name
Policy name.
NAI Routing
Enable static Network Access Identifier (NAI) routing. Allows for an NAI Realm configuration.
Note

NAI Routing cannot be enabled for a Local Onboarding AAA Policy. RADSEC and UDP enabled servers can be associated with realms. Dynamic Peer Discovery (RFC 7585) for the specific UDP Server within the realm entry must be Disabled.
Authentication Protocol
Authentication protocol type for the RADIUS server (PAP, CHAP, MS-CHAP, or MSCHAP2).
Call Station ID

Identifies a group of access points. The Call Station ID is often configured in a large network using an external NAC or RADIUS server. Possible values are:

  • Wired MAC: SSID
  • BSSID (APs supported on a Centralized site only)
  • Site Name
  • Site Name: Device Group Name
  • AP Serial Number
  • Site Campus
  • Site Region
  • Site City

Note

Call Station ID allows for Zone authentication with a Centralized site.

Accounting Type
Determines when the appliance generates the accounting request. Valid values are:
  • Start-Interim-Stop — Start record after successful login by the wireless device, interim record, and an accounting stop record based on session termination.
  • Start-Stop — Start record after successful login by the wireless device user and an accounting stop record based on session termination.

The appliance sends the accounting requests to a remote RADIUS server.

Wait for client IP before starting accounting procedure
By default, the Accounting Start record is generated when the client is authenticated. Enable this setting to generate the Accounting Start record when the client acquires a non local IP address. Use this option for captive portals, which use RADIUS Accounting to learn of the client IP address before providing the landing page.
Accounting Interim Interval
The number of seconds (60-3600) between each interim update for a specific session. Default value is 60.
Operator Name
RADIUS attribute composed of the operator namespace identifier and the operator name. The combination of operator name and namespace identifier uniquely identifies the owner of an access network. The Operator Name cannot exceed 253 bytes. Valid values are:
  • None
  • Tadig — Three-character Country Code followed by a two-character alphanumeric operator ID
  • Realm — Registered Domain Name of Operator
  • E212 — Mobile Country Code or Mobile Network Code
  • OneCC — Three-character Country Code followed by 1-6 uppercase ITU Carrier Codes
  • WBAID — Used with a WBA OpenRoaming AAA policy that is automatically generated when using an OpenRoaming Hotspot.
Realm Entries
Note

Realm entries are available when NAI Routing is selected. Up to four realm entries are supported per AAA policy and each realm supports four Authentication servers and four Accounting servers.

To add a new realm entry:

  1. Select New and provide an NAI Realm value.

    Configure the Realm Name in accordance with the user domain name.

  2. Select New to add RADIUS server settings for Authentication and Accounting servers respectively.

A realm entry can reference a UDP server. For this configuration, NAI Realm Routing in the AAA Policy must be Enabled and Dynamic Peer Discovery (RFC 7585) for the specific UDP Server within the realm entry must be Disabled.

Use the NAI Routing in the RADIUS packet to dynamically discover the RADIUS server for the realm. Enter an asterisk (*) as the realm name and enable Peer Discovery in the RADIUS Settings. Dynamic Discovery eliminates the need for static configuration of the server IP address.

When the realm name is an asterisk, it matches any realm specified in the Username attribute. If the realm name is a plain string, matching looks for an @ in the Username RADIUS attribute and performs an exact, case-insensitive comparison between what follows the @ and the realm name. For example, if the received Username RADIUS attribute is anonymous@example.com, the lookup is for example.com. If the realm name starts with a /, the name is treated as a regular expression, and a case-insensitive regular expression match is performed against the value of the entire Username attribute. A trailing / marks the end of the regular expression but is optional.
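The three realm-matching rules above (asterisk, plain string after the @, and /regex/ with optional trailing /), worked through as an added example; this is illustrative code, not the appliance's implementation. The realm table, server labels, first-match evaluation order and the requirement that the asterisk entry still sees an @ in the Username are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed realm table for the example (not from any real deployment).
# Each tuple is (realm name as configured, label of the server it routes to).
REALMS: List[Tuple[str, str]] = [
    ("example.com", "auth-server-example"),     # plain string: exact, case-insensitive
    ("/^.*@.*\\.edu$/", "auth-server-edu"),     # regex over the entire Username, trailing "/"
    ("/corp[0-9]+\\.net", "auth-server-corp"),  # regex, trailing "/" omitted
    ("*", "auth-server-dynamic"),               # catch-all entry (Dynamic Discovery case)
]


def realm_matches(realm_name: str, username: str) -> bool:
    """Apply one realm entry's rule to the RADIUS Username attribute value."""
    if realm_name == "*":
        # Asterisk matches any realm carried in the Username; this example assumes
        # the Username must therefore contain an "@" to match at all.
        return "@" in username
    if realm_name.startswith("/"):
        # Regular expression: strip the leading "/" and the optional trailing "/",
        # then match case-insensitively against the whole Username.
        pattern = realm_name[1:]
        if pattern.endswith("/"):
            pattern = pattern[:-1]
        return re.search(pattern, username, re.IGNORECASE) is not None
    # Plain string: compare what follows the "@" with the realm name, ignoring case.
    if "@" not in username:
        return False
    return username.split("@", 1)[1].lower() == realm_name.lower()


def route_username(username: str, realms=REALMS) -> Optional[str]:
    """Return the server label of the first realm entry that matches, or None."""
    for realm_name, server in realms:
        if realm_matches(realm_name, username):
            return server
    return None


if __name__ == "__main__":
    for name in ["anonymous@example.com", "Bob@EXAMPLE.COM", "alice@cs.state.edu",
                 "svc@corp42.net", "x@other.org", "nobody"]:
        print(f"{name:25} -> {route_username(name)}")
```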

Figure: Realm Configured for Dynamic Discovery. Example of a realm configuration for Dynamic Discovery.