wlan auth-server

wlan auth-server <auth_profile_name>

acct-modifier

acctport <accounting-port>

auth-modifier

cppm [username <username> password <password>]

cppm-rfc3576-only

cppm-rfc3576-port <rfc3576-port>

deadtime <time>

drp-ip <IP> <mask> vlan <vlan> gateway <gateway>

ip <host>

key <key>

msg-auth-required

nas-id <ID>

nas-ip <IP-address>

port <port>

radsec [port <port>]

radsec-ciphers-level {all|high}

retry-count <count>

rfc3576

rfc5997 {auth-only|acct-only}

service-type-framed-user {1x|cp|mac}

timeout <value>

no...

Description

This command configures an external RADIUS server for user authentication, and a ClearPass Policy Manager server as a RADIUS server for AirGroup CoA requests.

Parameter

Description

wlan auth-server <auth_profile_name>

Configures the external RADIUS server authentication profile.

acct-modifier

Attributes modifier for accounting request.

acctport <accounting-port>

Configures the accounting port number used for sending accounting records to the RADIUS server.

Default: 1813

auth-modifier

Attributes modifier for access request.

cppm [username <username> password <password>]

Configures a username and password for the Policy Manager server.

cppm-rfc3576-only

Configures a ClearPass Policy Manager server used for AirGroup CoA with RFC3576 only.

The ClearPass Policy Manager server acts as a RADIUS server and asynchronously provides the AirGroup parameters for the client device, including shared user, shared role and shared location.

cppm-rfc3576-port <rfc3576-port>

Configures the port number for sending AirGroup CoA, instead of the standard CoA port.

Default: 5999

deadtime <time>

Configures a dead time interval for the authentication server.

When two or more authentication servers are configured on the Instant AP and one of them stops responding, the server is marked as unavailable; the dead time configuration determines how long it stays marked as unavailable before the Instant AP tries it again.

Range: 1–1440 minutes

Default: 5 minutes

drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>

Configures the IP address, netmask, VLAN and gateway that the Instant AP uses as the source address and VLAN for RADIUS packets.

Before configuring DRP IP address, ensure that dynamic-radius-proxy is enabled, and a static virtual controller IP is configured.

ip <host>

Configures the IP address or the host name of the RADIUS server.

key <key>

Configures the shared key used for communicating with the external RADIUS server.

msg-auth-required

This parameter controls the discarding of RADIUS packets when message-authenticator is not present. By default, this option is disabled.

When enabled, RADIUS packets are discarded when the access point receives an Access-Request, Access-Reject, Access-Challenge, CoA-Request, or Disconnect-Request message in which the message-authenticator is not present.

When disabled, RADIUS packets are not discarded if the message-authenticator is not present.
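The following Python is an added illustration of the msg-auth-required policy, not code from the Aruba documentation or product: it assembles a RADIUS Access-Request carrying a Message-Authenticator (HMAC-MD5 over the packet with the attribute zeroed, RFC 2869), then applies the "discard when absent" rule from the table and, when the attribute is present, verifies it. The shared secret SecretKey is reused from the page's example; the attribute values and packet identifiers are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

MSG_AUTHENTICATOR = 80  # RADIUS attribute type 80 (RFC 2869)
# Codes the msg-auth-required knob covers: Access-Request, Access-Reject,
# Access-Challenge, Disconnect-Request, CoA-Request (RFC 2865 / RFC 5176 values)
CODES_CHECKED = {1, 3, 11, 40, 43}


def build_packet(code, ident, req_auth, attrs, secret=None):
    """Assemble a RADIUS packet from (type, value) attributes; when a shared
    secret is given, append a Message-Authenticator computed as for an
    Access-Request (HMAC-MD5 keyed with the secret, attribute zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if secret is not None:
        body += bytes([MSG_AUTHENTICATOR, 18]) + bytes(16)  # zero placeholder
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def parse_attrs(pkt):
    """Return (type, value, offset) for each attribute; reject malformed TLVs."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    i, attrs = 20, []
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]], i))
        i += pkt[i + 1]
    return attrs


def accept_packet(pkt, secret, msg_auth_required, hmac_auth=None):
    """Apply the msg-auth-required policy to a received packet. hmac_auth is
    what goes in the Authenticator field for the HMAC check: None means the
    packet's own Request Authenticator (Access-Request); callers pass the
    matching request's authenticator for Access-Reject/Challenge and 16 zero
    bytes for CoA-Request/Disconnect-Request (RFC 2869 5.14, RFC 5176)."""
    found = [(v, off) for t, v, off in parse_attrs(pkt) if t == MSG_AUTHENTICATOR]
    if not found:
        # Absent: discard only when the knob is enabled and the code is covered
        return not (msg_auth_required and pkt[0] in CODES_CHECKED)
    value, off = found[0]
    auth = pkt[4:20] if hmac_auth is None else hmac_auth
    zeroed = pkt[:4] + auth + pkt[20:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(value, expected)  # present but wrong: always drop
```

Note that a present but incorrect Message-Authenticator is dropped regardless of the knob; the setting only decides what happens when the attribute is missing.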

nas-id <ID>

Configures NAS identifier strings for RADIUS attribute 32, which is sent with RADIUS requests to the RADIUS server.

nas-ip <IP>

Configures the Virtual Controller IP address as the NAS address which is sent in data packets.

port <port>

Configures the authorization port number of the external RADIUS server.

Default: 1812

radsec [port <port>]

The radsec command enables secure communication between the Instant AP and the RADIUS server by creating a TLS tunnel between the two.

When RadSec is enabled, the port command can be used for specifying the communication port number for RadSec TLS connection.

Range: 1–65534

Default: 2083

radsec-ciphers-level {all|high}

Includes or excludes SHA1 cipher suites. By default, the radsec-ciphers-level parameter is not configured and set to all.

all—Includes all currently supported cipher suites.

high—Excludes SHA1 cipher suites.

Range: all

no radsec-ciphers-level

Changes the configuration to the default setting.

retry-count <count>

Configures the maximum number of authentication requests that can be sent to the server group.

Range: 1–5

Default: 3

rfc3576

Allows the Instant APs to process RFC 3576-compliant CoA and disconnect messages from the RADIUS server. Disconnect messages cause a user session to be terminated immediately, whereas the CoA messages modify session authorization attributes such as data filters.

Default: Disabled

rfc5997 {auth-only|acct-only}

When enabled, this parameter allows the Instant AP to send a status-server request to determine the actual status of the authentication or accounting server. This proves useful when there is an authentication or request time

rfc5997—RFC5997 support enabled for both authentication and accounting on the authentication server.

auth-only—RFC5997 support enabled for authentication only.

acct-only—RFC5997 support enabled for accounting only.

no rfc5997—Disables RFC5997 support for the authentication server.

Default: Disabled

service-type-framed-user {1x|cp|mac}

Changes the Service-Type to Framed for the following RADIUS authentication methods:

1x—Changes Service-Type to Framed for 802.1X authentication.

cp—Changes Service-Type to Framed for Captive Portal authentication.

mac—Changes Service-Type to Framed for MAC authentication.

Range: 1x, cp, mac

timeout <value>

Configures a timeout value in seconds to determine when a RADIUS request must expire.

The Instant AP retries sending the request several times (as configured in the retry count) before the user is disconnected. For example, if the timeout is 5 seconds and the retry count is 3, the user is disconnected after 20 seconds (the initial request plus three retries, each waiting 5 seconds).

Range: 1 to 30 seconds

Default: 5 seconds

no…

Removes the parameter configuration.

Example

The following example configures the external RADIUS server parameters:

(Instant AP)(config)# wlan auth-server RADIUS1

(Instant AP)(Auth Server <RADIUS1>)# ip 192.0.0.5

(Instant AP)(Auth Server <RADIUS1>)# key SecretKey

(Instant AP)(Auth Server <RADIUS1>)# port 1812

(Instant AP)(Auth Server <RADIUS1>)# acctport 1813

(Instant AP)(Auth Server <RADIUS1>)# cppm username admin password eTIPS123

(Instant AP)(Auth Server <RADIUS1>)# rfc3576

(Instant AP)(Auth Server <RADIUS1>)# rfc5997 auth-only

(Instant AP)(Auth Server <RADIUS1>)# no nas-id

(Instant AP)(Auth Server <RADIUS1>)# no nas-ip

(Instant AP)(Auth Server <RADIUS1>)# drp-ip 192.0.2.11 255.255.255.255 vlan 200 gateway 192.0.2.15

(Instant AP)(Auth Server <RADIUS1>)# timeout 10

(Instant AP)(Auth Server <RADIUS1>)# retry-count 3

(Instant AP)(Auth Server <RADIUS1>)# service-type-framed-user cp

(Instant AP)(Auth Server <RADIUS1>)# msg-auth-required

(Instant AP)(Auth Server <RADIUS1>)# end

(Instant AP)# commit apply

Command History

Release

Modification

HPE Aruba Networking Instant 8.13.0.0

The msg-auth-required parameter was added.

HPE Aruba Networking Instant 8.12.0.0

The radsec-ciphers-level <all|high> parameter was added.

Instant AOS-8.4.0.0

The cppm [username <username> password <password>] parameter was added.

Instant AOS-8.3.0.0

Command introduced.

Command Information

Platform

Command Mode

All platforms

Configuration mode and authentication server profile sub-mode.