AAA Server Profile
The AAA Server Profiles are used to define specific AAA parameters that can be used in an Access Authentication Profile or Captive Portal Profile. When an AAA Server Profile is assigned to a UNP Edge port through an Access Authentication Profile, the parameter values defined in the profile will override any existing global AAA configuration for users authenticating on that port.
Use the AAA Server Profile screen to display information about all of the configured AAA Server Profiles. This screen also allows you to create, edit, and delete profiles for Access Points on the network. To access the AAA Server Profile screen, click on Network Access > Unified Access > AAA Server Profile under the “Configure” section of the OmniVista Cirrus Menu.
Creating an AAA Server Profile
The Create AAA Server Profile screen is used to configure the basic profile settings and the advanced settings for the Authentication Server and Accounting Server. It is also used to select the profile settings for 802.1X Authentication, MAC Authentication, Captive Portal Authentication and RADIUS Authentication for devices to which the profile is applied. To access this screen, click on Create AAA Server Profile.
The Create AAA Server Profile screen provides the following step-by-step process for creating an AAA Server Profile:
1. Basic Settings
Profile Name - Configures the profile name.
Primary Authentication Server - Select the Primary Authentication Server and the method of Authentication for the primary server to use (802.1X, MAC, Captive Portal).
Primary Accounting Server - Select the Accounting Server and the method of Authentication for the primary server to use (802.1X, MAC, Captive Portal).
An AP device supports one, and only one, TLS-enabled RADIUS server. As a result, you cannot have one TLS-enabled RADIUS server as Primary and another TLS-enabled RADIUS server as Secondary. If you have selected a TLS-enabled RADIUS Server as the Primary Server, do not select another TLS-enabled RADIUS Server as a Secondary or subsequent backup Server.
2. Advanced Settings
Authentication Server- The Authentication Server section is used to select the Secondary, Third, and Fourth 802.1X, MAC and Captive Portal Authentication Servers to authenticate the network users.
Accounting Server- The Accounting Server section is used to select the Secondary, Third, and Fourth 802.1X, MAC and Captive Portal Accounting Servers to use for user accounting.
802.1X Authentication Options- This section is used to configure the advanced parameters of the 802.1X Authentication Protocol.
MAC Authentication Options- This section is used to configure the advanced parameters of the MAC Authentication Protocol.
Captive Portal Authentication Options- This section is used to configure the advanced parameters of the Captive Portal Authentication Protocol.
RADIUS Authentication Options- This section is used to configure the advanced parameters of the RADIUS Authentication Protocol.
1. Basic Settings
Complete the fields for the Basic Settings section as described below, then go to Step 2.
Basic Settings
This section is used to configure basic settings for the AAA Server profile.
Profile Name (required) - Specify a name to assign to the profile.
Primary Authentication Server - Select the Primary Authentication Server from the drop-down menu or click on Create Auth Server to create a new Authentication Server. You can also click on Edit to open the Edit Auth Server screen and make changes to the selected server. Select the type of Authentication method to use from the available options (802.1X/MAC/Captive Portal).
Primary Accounting Server - Select the Primary Accounting Server from the drop-down menu or click on Create Auth Server to create a new Accounting Server. You can also click on Edit to open the Edit Auth Server screen and make changes to the selected server. Select the type of Authentication method to use from the available options (802.1X/MAC/Captive Portal).
2. Advanced Settings
Complete the Advanced Settings sections as described below.
Authentication Servers
Select an Authentication Server for the Profile.
802.1X Server - Select a Secondary, Third, and Fourth backup 802.1X Authentication Server for the Profile. Make sure you specify a different server for each backup server entry.
Captive Portal Server - Select a Secondary, Third, and Fourth backup Captive Portal Server for the Profile. Make sure you specify a different server for each backup server entry.
MAC Server - Select a Secondary, Third, and Fourth backup MAC Authentication Server for the Profile. Make sure you specify a different server for each backup server entry.
Accounting Servers
Select an Accounting Server for the Profile.
802.1X Server- Select a Secondary, Third, and Fourth backup 802.1X Accounting Server for the Profile. Make sure you specify a different server for each backup server entry.
Captive Portal Server - Select a Secondary, Third, and Fourth backup Captive Portal Accounting Server for the Profile. Make sure you specify a different server for each backup server entry.
MAC Server - Select a Secondary, Third, and Fourth backup MAC Accounting Server for the Profile. Make sure you specify a different server for each backup server entry.
802.1X Authentication Settings
This section is used to configure the advanced parameters of the 802.1X Authentication Protocol. Complete the field values as described below.
Re-Authentication Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for 802.1X Authenticated users. If Enabled, the Session-Timeout attribute value received from the RADIUS server overrides the locally configured value for the switch. (Default = Disabled).
Re-Authentication Timeout - Enables/Disables the automatic re-authentication of authenticated 802.1X users (Default = Disabled).
Re-Authentication Interval - The amount of time the switch waits, in seconds, before triggering re-authentication of 802.1X users. Note that when the re-authentication time interval is changed, the new value does not apply to existing authenticated 802.1X users until the user is flushed out or when the user is authenticated again. Any new 802.1X users are re-authenticated based on the current time interval setting. (Range = 600 - 7200, Default = 3600)
Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for 802.1X authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
Accounting Interim Interval - The amount of time between each interim accounting update for 802.1X accounting sessions, in seconds. (Range = 60 - 1200, Default = 600)
Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
Calling Station ID Type - The RADIUS Calling Station ID attribute for 802.1X accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).
MAC Authentication Settings
This section is used to configure the advanced parameters of the MAC Authentication Protocol. Complete the field values as described below and move to the next tab.
Session Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for MAC Authenticated users. If Enabled, the switch will use the Session-Timeout attribute received from the Authentication Server in an Access-Accept message. If Disabled, the switch uses the locally configured timeout interval value (Default = Disabled).
Session Timeout Status - Enables/Disables the Session Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval. (Default = Disabled).
Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again (Range = 12000 - 86400, Default = 43200).
Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for MAC Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is greater than the MAC address aging time for the switch: if the MAC address aging time expires before the configured Inactivity Timeout, the user is not logged out of the network. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again. (Range = 60 - 1200, Default = 600)
Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for MAC Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
Accounting Interim Interval - The amount of time between each interim accounting update for MAC accounting sessions, in seconds. (Range = 60 - 1200, Default = 600)
Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).
Captive Portal Authentication Settings
This section is used to configure the advanced parameters of the Captive Portal Authentication Protocol. Complete the field values as described below and move to the next tab.
Session Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for Captive Portal Authenticated users. If Enabled, the switch will use the Session-Timeout attribute received from the RADIUS server in an Access-Accept message. If Disabled, the switch uses the locally configured timeout interval value (Default = Disabled).
Session Timeout Status - Enables/Disables the Session Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Session Timeout Interval. (Default = Disabled).
Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed. Note that when the Session Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again (Range = 12000 - 86400, Default = 43200).
Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for Captive Portal Authenticated users. If Enabled, the user is automatically logged out of the network based on the configured Inactivity Timeout Interval (Default = Disabled).
Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is greater than the MAC address aging time for the switch: if the MAC address aging time expires before the configured Inactivity Timeout, the user is not logged out of the network. Also note that when the Inactivity Timeout Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again. (Range = 60 - 1200, Default = 600)
Accounting Interim Trust Radius Status - Enables/Disables the Accounting Interim Trust Radius option for Captive Portal Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value. Note that when the Accounting Interim Interval is changed, the new value does not apply to existing authenticated users until the user is flushed out or when the user is authenticated again.
Accounting Interim Interval - The amount of time between each interim accounting update for Captive Portal accounting sessions, in seconds. (Range = 60 - 1200, Default = 600)
Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
Calling Station ID Type - The RADIUS Calling Station ID attribute for Captive Portal accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).
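The three Trust RADIUS options above (802.1X, MAC and Captive Portal) share one rule: a value returned by the RADIUS server overrides the locally configured value only when the corresponding Trust RADIUS option is enabled and the server actually sent the attribute; otherwise the profile value applies. The following Python is an added example, not OmniVista or AP code, that models that rule for the Session-Timeout and Acct-Interim-Interval attributes and lints a profile against the documented ranges and the MAC aging caveat. Field names, ranges and defaults come from the page; the class names, the attribute dictionary, the warning text, and the assumption that the device applies a trusted RADIUS value as-is (without clamping it to the local range) are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Documented ranges (seconds) for the MAC and Captive Portal settings above.
RANGES = {
    "session_timeout": (12000, 86400),
    "inactivity_timeout": (60, 1200),
    "accounting_interim": (60, 1200),
}


@dataclass
class AuthSettings:
    """Local profile values for one authentication method (page defaults)."""
    session_timeout_enabled: bool = False
    session_timeout_trust_radius: bool = False
    session_timeout: int = 43200
    inactivity_timeout_enabled: bool = False
    inactivity_timeout: int = 600
    accounting_interim_trust_radius: bool = False
    accounting_interim: int = 600


@dataclass
class EffectiveSession:
    session_timeout: Optional[int]      # None: no session timeout applies
    inactivity_timeout: Optional[int]   # None: no inactivity timeout applies
    accounting_interim: int
    source: dict = field(default_factory=dict)  # where each value came from


def lint_settings(s: AuthSettings, mac_aging_time: int) -> list:
    """Warn about values outside the documented ranges and about an
    inactivity timeout that does not exceed the MAC address aging time
    (the page warns the user is then not logged out as intended)."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(s, name)
        if not lo <= value <= hi:
            problems.append(f"{name}={value} outside range {lo}-{hi}")
    if s.inactivity_timeout_enabled and s.inactivity_timeout <= mac_aging_time:
        problems.append(f"inactivity_timeout={s.inactivity_timeout} "
                        f"must exceed MAC aging time {mac_aging_time}")
    return problems


def resolve(s: AuthSettings, accept_attrs: dict) -> EffectiveSession:
    """Combine the local settings with the attributes of an Access-Accept.

    accept_attrs is keyed by RFC 2865/2866 attribute name, e.g.
    {"Session-Timeout": 1800, "Acct-Interim-Interval": 300}. A RADIUS value
    wins only when the matching Trust RADIUS option is enabled AND the
    server returned the attribute; otherwise the local value is used.
    Assumption (not stated on the page): the RADIUS value is applied as-is,
    not clamped to the local range. Resolve once at authentication time;
    that is why a later profile change does not touch existing users.
    """
    source = {}
    if s.session_timeout_trust_radius and "Session-Timeout" in accept_attrs:
        session = int(accept_attrs["Session-Timeout"])
        source["session_timeout"] = "radius"
    elif s.session_timeout_enabled:
        session, source["session_timeout"] = s.session_timeout, "local"
    else:
        session, source["session_timeout"] = None, "disabled"

    # The page lists no RADIUS override for the inactivity timeout.
    inactivity = s.inactivity_timeout if s.inactivity_timeout_enabled else None

    if s.accounting_interim_trust_radius and "Acct-Interim-Interval" in accept_attrs:
        interim = int(accept_attrs["Acct-Interim-Interval"])
        source["accounting_interim"] = "radius"
    else:
        interim, source["accounting_interim"] = s.accounting_interim, "local"
    return EffectiveSession(session, inactivity, interim, source)
```

Run lint_settings() against a profile before applying it: a Session Timeout below 12000 or an Inactivity Timeout at or below the switch's MAC aging time is accepted by the model here but produces the silent behaviour the page warns about.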
RADIUS Server Settings
This section is used to configure the advanced parameters of the RADIUS Authentication Protocol. Complete the field values as described below.
NAS Port ID - The RADIUS client NAS-Port attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to define a NAS-Port identifier for the NAS-Port attribute. "Default" sets the NAS-Port attribute value to the chassis/slot/port of the user. The NAS-Port attribute value specified here is used in Access-Request messages and in Accounting-Request messages. (Default AP setting is wifi-2.4G/wifi-5G)
NAS ID - The RADIUS client NAS-Identifier attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to identify the switch (RADIUS client) in the NAS-Identifier attribute. "Default" sets the NAS-Identifier attribute to the system name of the switch. The NAS-Identifier attribute value specified here is used in both Access-Request and Accounting-Request messages. (Default AP ID is the AP WLAN name)
Username Delimiter - The delimiter character used to separate fields within a RADIUS Server User Name.
Password Delimiter - The delimiter character used to separate fields within a RADIUS Server Password.
Calling Station Delimiter - The delimiter character used to separate fields within a Calling Station ID.
Called Station Delimiter - The delimiter character used to separate fields within a Called Station ID.
Username Case - Indicates if the RADIUS Server User Name must be in Upper Case or Lower Case.
Password Case - Indicates if the RADIUS Server Password must be in Upper Case or Lower Case.
Calling Station ID Case - Indicates if the Calling Station ID must be in Upper Case or Lower Case.
Called Station ID Case - Indicates if the Called Station ID must be in Upper Case or Lower Case.
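The delimiter and case settings above matter most for MAC authentication, where the client MAC address is sent as both User-Name and User-Password and the RADIUS server will only match it if the spelling (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabbccddeeff, ...) agrees with what the server stores. The following Python is an added example, not OmniVista or AP firmware code, that applies the profile's delimiter/case and NAS settings to build the Access-Request an AP would send for a MAC-authenticating client, and parses it back as a server would. Attribute encoding and User-Password hiding follow RFC 2865 (the page's text-string "NAS-Port" setting corresponds to the string attribute NAS-Port-Id, type 87, from RFC 2869); the RadiusSettings class, the constructed sample MAC addresses, SSID, system name and shared secret, and the "<AP MAC>:<SSID>" Called-Station-Id convention (RFC 3580) are this example's own and not values from the page.

```python
import hashlib
import os
import re
import struct
from dataclasses import dataclass

ACCESS_REQUEST = 1
# RFC 2865 / RFC 2869 attribute types. The page's text-string "NAS-Port"
# setting maps to NAS-Port-Id (87); NAS-Port (5) proper is an integer.
USER_NAME, USER_PASSWORD, CALLED_STATION_ID, CALLING_STATION_ID = 1, 2, 30, 31
NAS_IDENTIFIER, NAS_PORT_ID = 32, 87


@dataclass
class RadiusSettings:
    """Mirrors the profile's RADIUS Server Settings fields (constructed defaults)."""
    nas_id: str = "Default"            # "Default" -> device system name
    nas_port_id: str = "Default"       # "Default" -> chassis/slot/port, or the AP radio
    username_delimiter: str = ":"
    password_delimiter: str = ":"
    calling_station_delimiter: str = "-"
    called_station_delimiter: str = "-"
    username_case: str = "lower"
    password_case: str = "lower"
    calling_station_case: str = "upper"
    called_station_case: str = "upper"


def format_mac(mac: str, delimiter: str, case: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff / AA-BB-CC-DD-EE-FF / aabb.ccdd.eeff /
    aabbccddeeff to six octets joined by `delimiter` in the requested case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    joined = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return joined.upper() if case == "upper" else joined.lower()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server computes it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", kind, len(value) + 2) + value


def mac_auth_request(client_mac, ap_mac, ssid, s: RadiusSettings, secret: bytes,
                     system_name: str, radio="wifi-2.4G", ident=1, authenticator=None):
    """Build the Access-Request an AP sends for MAC authentication: the client
    MAC is both User-Name and User-Password, each formatted per the profile.
    Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    username = format_mac(client_mac, s.username_delimiter, s.username_case)
    password = format_mac(client_mac, s.password_delimiter, s.password_case)
    calling = format_mac(client_mac, s.calling_station_delimiter, s.calling_station_case)
    # Wireless convention (RFC 3580): Called-Station-Id is "<AP MAC>:<SSID>".
    called = format_mac(ap_mac, s.called_station_delimiter, s.called_station_case) + ":" + ssid
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(CALLING_STATION_ID, calling.encode())
             + attribute(CALLED_STATION_ID, called.encode())
             + attribute(NAS_IDENTIFIER, (system_name if s.nas_id == "Default" else s.nas_id).encode())
             + attribute(NAS_PORT_ID, (radio if s.nas_port_id == "Default" else s.nas_port_id).encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def parse_attributes(packet: bytes) -> dict:
    """Decode the attribute TLVs after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

With the defaults above, a client AA:BB:CC:DD:EE:FF is sent as User-Name aa:bb:cc:dd:ee:ff and Calling-Station-Id AA-BB-CC-DD-EE-FF; change the delimiter or case fields and the same client authenticates under a different string, which is the usual cause of MAC authentication failing against a server whose MAC list was entered in another format. The User-Password hiding is reversible by anyone holding the shared secret, so a TLS-enabled RADIUS server (see the Basic Settings note) is the only protection for these attributes on the wire.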
After completing the field values for Basic Settings and Advanced Settings, click on the Create AAA Server Profile button to create a new AAA Server Profile.
Editing an AAA Server Profile
You can edit the parameter values for an existing AAA Server Profile by accessing the Edit AAA Server Profile screen.
Use one of the following methods to access the Edit AAA Server Profile screen:
Select the profile to edit by clicking on the checkbox next to the profile, click on Actions, then select Edit from the drop-down menu.
Click on the pencil icon under the “Actions” column next to the profile that you want to edit.
The following Edit AAA Server Profile screen displays. Edit the fields as described above, then click on Save.
Note: If the AAA Server Profile has been applied to any devices through an Access Auth Profile or Captive Portal Profile, you will have to re-apply the associated Access Auth Profile or Captive Portal Profile to those devices to update the profile on the device(s).
Deleting an AAA Server Profile
To delete an AAA Server Profile, use one of the following methods to select the profile you want to delete:
Select the profile to delete by clicking on the checkbox next to the profile, click on Actions, then select Delete from the drop-down menu.
Click on the trash icon under the “Actions” column next to the profile that you want to delete.
When you select the profile you want to delete, the following confirmation prompt appears:
Click on Delete to confirm that you want to delete the AAA Server Profile.
Note:
If the profile has not been associated with an Access Auth Profile or Captive Portal Profile, the profile is deleted and the status displayed. Click OK to return to the AAA Server Profile Screen.
If the profile has been associated with an Access Auth Profile or Captive Portal Profile, the "Delete AAA Server Profile" confirmation prompt will appear listing any associated profiles. You must remove the AAA Server Profile from any associated profile(s) before returning to the AAA Server Profile Screen to delete the AAA Server Profile.
If the profile has been assigned to any devices, go to the Device Config > AAA Server Profile Screen to remove the profile from the device(s).
Displaying AAA Server Profile Information
The AAA Server Profile list displays information for the configured AAA Server Profiles. To display detailed information about a specific profile, click on the Additional Information icon under the “Actions” column.
The following information is displayed for each AAA Server Profile:
AAA Server profile - The name assigned to the AAA Server Profile.
Authentication Server 802.1X Primary - The name of the Primary Authentication 802.1X Server for the profile.
Authentication Server MAC Primary - The name of the Primary Authentication MAC Server for the profile.
Authentication Server Captive Portal Primary - The name of the Primary Authentication Captive Portal Server for the profile.
Accounting Server 802.1X Primary - The name of the Primary Accounting 802.1X Server for the profile.
Accounting Server MAC Primary - The name of the Primary Accounting MAC Server for the profile.
Accounting Server Captive Portal Primary - The name of the Primary Accounting Captive Portal Server for the profile.
Session Timeout Trust RADIUS Status - Enables/Disables the Session Timeout Trust Radius option for Captive Portal Authenticated users.
Session Timeout Status - Enables/Disables the Session Timeout option for Captive Portal Authenticated users.
Session Timeout Interval - The Session Timeout value, in seconds. When the Session Timeout value is reached, the authenticated users are logged out and the MAC address for each logged out user device is flushed.
Inactivity Timeout Status - Enables/Disables the Inactivity Timeout option for Captive Portal Authenticated users.
Inactivity Timeout Interval - The Inactivity Timeout value, in seconds. Make sure the configured value is greater than the MAC address aging time for the switch: if the MAC address aging time expires before the configured Inactivity Timeout, the user is not logged out of the network.
Accounting Interim Trust RADIUS Status - Enables/Disables the Accounting Interim Trust Radius option for Captive Portal Authenticated users. If Enabled, the Accounting Interim value received from the RADIUS server overrides the locally configured value.
Accounting Interim Interval - The amount of time between each interim accounting update for Captive Portal accounting sessions, in seconds. (Range = 60 - 1200, Default = 600)
Syslog Accounting Server IP Address - The IP address of the Syslog Accounting Server.
Syslog Accounting Server UDP Port - The port used to communicate with the Syslog Accounting Server (Default = 514).
Calling Station ID Type - The RADIUS Calling Station ID attribute for MAC accounting sessions (MAC - sets the Calling Station ID to the MAC address of the user. IP - sets the Calling Station ID to the IP address of the user).
NAS Port ID - The RADIUS client NAS-Port attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to define a NAS-Port identifier for the NAS-Port attribute.
NAS ID - The RADIUS client NAS-Identifier attribute for authentication and accounting sessions. A text string (up to 31 characters) is used to identify the switch (RADIUS client) in the NAS-Identifier attribute.
Username Delimiter - The delimiter character used to separate fields within a RADIUS Server User Name.
Password Delimiter - The delimiter character used to separate fields within a RADIUS Server Password.
Calling Station Delimiter - The delimiter character used to separate fields within a Calling Station ID.
Called Station Delimiter - The delimiter character used to separate fields within a Called Station ID.
Username Case - Indicates if the RADIUS Server User Name must be in Upper Case or Lower Case.
Password Case - Indicates if the RADIUS Server Password must be in Upper Case or Lower Case.
Calling Station ID Case - Indicates if the Calling Station ID must be in Upper Case or Lower Case.
Called Station ID Case - Indicates if the Called Station ID must be in Upper Case or Lower Case.
Re-Authentication Timeout Trust Radius Status - Enables/Disables the Session Timeout Trust Radius option for 802.1X Authenticated users. If Enabled, the Session-Timeout attribute value received from the RADIUS server overrides the locally configured value for the switch. (Default = Disabled).
Re-Authentication Timeout - Enables/Disables the automatic re-authentication of authenticated 802.1X users (Default = Disabled).
Re-Authentication Interval - The amount of time the switch waits, in seconds, before triggering re-authentication of 802.1X users. Note that when the re-authentication time interval is changed, the new value does not apply to existing authenticated 802.1X users until the user is flushed out or when the user is authenticated again. Any new 802.1X users are re-authenticated based on the current time interval setting. (Range = 600 - 7200, Default = 3600).