Security Commands

clear acl counters

To clear the current counters for an Access Control List (ACL), use the clear acl counters command.

clear acl counters acl_name

Syntax Description

acl_name

ACL name.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the current counters for acl1:


(Cisco Controller) >clear acl counters acl1

clear radius acct statistics

To clear the RADIUS accounting statistics on the controller, use the clear radius acct statistics command.

clear radius acct statistics [ index | all]

Syntax Description

index

(Optional) Specifies the index of the RADIUS accounting server.

all

(Optional) Specifies all RADIUS accounting servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the RADIUS accounting statistics:

(Cisco Controller) >clear radius acct statistics

clear tacacs auth statistics

To clear the TACACS+ authentication server statistics on the controller, use the clear tacacs auth statistics command.

clear tacacs auth statistics [ index | all]

Syntax Description

index

(Optional) Specifies the index of the TACACS+ authentication server.

all

(Optional) Specifies all TACACS+ authentication servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the TACACS+ authentication server statistics:

(Cisco Controller) >clear tacacs auth statistics

clear stats local-auth

To clear the local Extensible Authentication Protocol (EAP) statistics, use the clear stats local-auth command.

clear stats local-auth

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the local EAP statistics:

(Cisco Controller) >clear stats local-auth
Local EAP Authentication Stats Cleared.

clear stats radius

To clear the statistics for one or more RADIUS servers, use the clear stats radius command.

clear stats radius { auth | acct} { index | all}

Syntax Description

auth

Clears statistics regarding authentication.

acct

Clears statistics regarding accounting.

index

Specifies the index number of the RADIUS server to be cleared.

all

Clears statistics for all RADIUS servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the statistics for all RADIUS authentication servers:

(Cisco Controller) >clear stats radius auth all

clear stats tacacs

To clear the TACACS+ server statistics on the controller, use the clear stats tacacs command.

clear stats tacacs [ auth | athr | acct] [ index | all]

Syntax Description

auth

(Optional) Clears the TACACS+ authentication server statistics.

athr

(Optional) Clears the TACACS+ authorization server statistics.

acct

(Optional) Clears the TACACS+ accounting server statistics.

index

(Optional) Specifies the index of the TACACS+ server.

all

(Optional) Specifies all TACACS+ servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to clear the TACACS+ accounting server statistics for index 1:

(Cisco Controller) >clear stats tacacs acct 1

config 802.11b preamble

To change the 802.11b preamble as defined in subclause 18.2.2.2 to long (slower, but more reliable) or short (faster, but less reliable), use the config 802.11b preamble command.

config 802.11b preamble { long | short}

Syntax Description

long

Specifies the long 802.11b preamble.

short

Specifies the short 802.11b preamble.

Command Default

The default 802.11b preamble value is short.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Note

You must reboot the Cisco Wireless LAN Controller (reset system) with save to implement this command.

This parameter must be set to long to optimize this Cisco wireless LAN controller for some clients, including SpectraLink NetLink telephones.

This command can be used any time that the CLI interface is active.

Examples

The following example shows how to change the 802.11b preamble to short:

  (Cisco Controller) >config 802.11b preamble short
  (Cisco Controller) >(reset system with save)

config aaa auth

To configure the AAA authentication search order for management users, use the config aaa auth command.

config aaa auth mgmt [ aaa_server_type1 | aaa_server_type2]

Syntax Description

mgmt

Configures the AAA authentication search order for controller management users by specifying up to three AAA authentication server types. The order that the server types are entered specifies the AAA authentication search order.

aaa_server_type

(Optional) AAA authentication server type (local, radius, or tacacs). The local setting specifies the local database, the radius setting specifies the RADIUS server, and the tacacs setting specifies the TACACS+ server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can enter two AAA server types as long as one of the server types is local. You cannot enter radius and tacacs together.

Examples

The following example shows how to configure the AAA authentication search order for controller management users so that the RADIUS server is tried first and the local database second:

(Cisco Controller) > config aaa auth radius local

config aaa auth mgmt

To configure the order of authentication when multiple databases are configured, use the config aaa auth mgmt command.

config aaa auth mgmt [ radius | tacacs]

Syntax Description

radius

(Optional) Configures the order of authentication for RADIUS servers.

tacacs

(Optional) Configures the order of authentication for TACACS servers.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the order of authentication for the RADIUS server:

(Cisco Controller) > config aaa auth mgmt radius

The following example shows how to configure the order of authentication for the TACACS server:

(Cisco Controller) > config aaa auth mgmt tacacs

config acl apply

To apply an access control list (ACL) to the data path, use the config acl apply command.

config acl apply rule_name

Syntax Description

rule_name

ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to apply an ACL to the data path:

(Cisco Controller) > config acl apply acl01

config acl counter

To see if packets are hitting any of the access control lists (ACLs) configured on your controller, use the config acl counter command.

config acl counter { start | stop}

Syntax Description

start

Enables ACL counters on your controller.

stop

Disables ACL counters on your controller.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

ACL counters are available only on the following controllers: 4400 series, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch.

Examples

The following example shows how to enable ACL counters on your controller:

(Cisco Controller) > config acl counter start

config acl create

To create a new access control list (ACL), use the config acl create command.

config acl create rule_name

Syntax Description

rule_name

ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to create a new ACL:

(Cisco Controller) > config acl create acl01

config acl cpu

To create a new access control list (ACL) rule that restricts the traffic reaching the CPU, use the config acl cpu command.

config acl cpu rule_name { wired | wireless | both}

Syntax Description

rule_name

Specifies the ACL name.

wired

Specifies an ACL on wired traffic.

wireless

Specifies an ACL on wireless traffic.

both

Specifies an ACL on both wired and wireless traffic.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command allows you to control the type of packets reaching the CPU.

Examples

The following example shows how to create a CPU ACL named acl01 and apply it to wired traffic:

(Cisco Controller) > config acl cpu acl01 wired

config acl delete

To delete an access control list (ACL), use the config acl delete command.

config acl delete rule_name

Syntax Description

rule_name

ACL name that contains up to 32 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to delete an ACL named acl01:

(Cisco Controller) > config acl delete acl01

config acl layer2

To configure a Layer 2 access control list (ACL), use the config acl layer2 command.

config acl layer2 { apply acl_name |
 create acl_name |
 delete acl_name |
 rule { action acl_name index { permit | deny} |
  add acl_name index |
  change index acl_name old_index new_index |
  delete acl_name index |
  etherType acl_name index etherType etherTypeMask |
  swap index acl_name index1 index2}}

Syntax Description

apply

Applies a Layer 2 ACL to the data path.

acl_name

Layer 2 ACL name. The name can be up to 32 alphanumeric characters.

create

Creates a Layer 2 ACL.

delete

Deletes a Layer 2 ACL.

rule

Configures a Layer 2 ACL rule.

action

Configures the action for the Layer 2 ACL rule.

index

Index of the Layer 2 ACL rule.

permit

Permits rule action.

deny

Denies rule action.

add

Creates a Layer 2 ACL rule.

change index

Changes the index of the Layer 2 ACL rule.

old_index

Old index of the Layer 2 ACL rule.

new_index

New index of the Layer 2 ACL rule.

delete

Deletes a Layer 2 ACL rule.

etherType

Configures the EtherType of a Layer 2 ACL rule.

etherType

EtherType of a Layer 2 ACL rule. EtherType is used to indicate the protocol that is encapsulated in the payload of an Ethernet frame. The range is a hexadecimal value from 0x0 to 0xffff.

etherTypeMask

Netmask of the EtherType. The range is a hexadecimal value from 0x0 to 0xffff.

swap index

Swaps the index values of two rules.

index1 index2

Index values of two Layer 2 ACL rules.

Command Default

The Cisco WLC does not have any Layer 2 ACLs by default.

Command History

Release Modification
7.5 This command was introduced.
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You can create a maximum of 16 rules for a Layer 2 ACL.

You can create a maximum of 64 Layer 2 ACLs on a Cisco WLC.

A maximum of 16 Layer 2 ACLs are supported per access point because an access point supports a maximum of 16 WLANs.

Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an access point does not support the same Layer 2 and Layer 3 ACL names.

Examples

The following example shows how to apply a Layer 2 ACL:

 (Cisco Controller) >config acl layer2 apply acl_l2_1

config acl rule

To configure ACL rules, use the config acl rule command.

config acl rule { action rule_name rule_index { permit | deny} |
 add rule_name rule_index |
 change index rule_name old_index new_index |
 delete rule_name rule_index |
 destination address rule_name rule_index ip_address netmask |
 destination port range rule_name rule_index start_port end_port |
 direction rule_name rule_index { in | out | any} |
 dscp rule_name rule_index dscp |
 protocol rule_name rule_index protocol |
 source address rule_name rule_index ip_address netmask |
 source port range rule_name rule_index start_port end_port |
 swap index rule_name index_1 index_2}

Syntax Description

action

Configures whether to permit or deny access.

rule_name

ACL name that contains up to 32 alphanumeric characters.

rule_index

Rule index between 1 and 32.

permit

Permits the rule action.

deny

Denies the rule action.

add

Adds a new rule.

change

Changes a rule’s index.

index

Specifies a rule index.

delete

Deletes a rule.

destination address

Configures a rule’s destination IP address and netmask.

destination port range

Configures a rule’s destination port range.

ip_address

IP address of the rule.

netmask

Netmask of the rule.

start_port

Start port number (between 0 and 65535).

end_port

End port number (between 0 and 65535).

direction

Configures a rule’s direction to in, out, or any.

in

Configures a rule’s direction to in.

out

Configures a rule’s direction to out.

any

Configures a rule’s direction to any.

dscp

Configures a rule’s DSCP.

dscp

Number between 0 and 63, or any.

protocol

Configures a rule’s IP protocol.

protocol

Number between 0 and 255, or any.

source address

Configures a rule’s source IP address and netmask.

source port range

Configures a rule’s source port range.

swap

Swaps two rules’ indices.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an ACL to permit access:

(Cisco Controller) > config acl rule action lab1 4 permit
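As an added example (not part of the Cisco command reference), the script below builds a complete config acl create / config acl rule / config acl apply sequence from a rule specification and checks every value against the limits given in the Syntax Description above (32-character alphanumeric names, rule index 1 to 32, ports 0 to 65535, DSCP 0 to 63 or any, protocol 0 to 255 or any, direction in, out or any). The AclRule class, the ACL name preauth01 and the web server address 203.0.113.10 are constructed for this example.

```python
from dataclasses import dataclass
import ipaddress
import re

# Limits from the command reference: ACL names are up to 32 alphanumeric
# characters, rule indices 1..32, ports 0..65535, DSCP 0..63, protocol 0..255.
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
MAX_RULES = 32


def _num_or_any(value, lo, hi, label):
    """Error string unless value is 'any' or an integer in [lo, hi]."""
    if value == "any":
        return None
    if not str(value).isdigit() or not lo <= int(value) <= hi:
        return f"{label}: {value!r} must be {lo}..{hi} or any"
    return None


@dataclass
class AclRule:
    index: int
    action: str                    # permit | deny
    protocol: str = "any"          # IP protocol number 0..255, or any
    direction: str = "any"         # in | out | any
    dscp: str = "any"              # 0..63, or any
    source: str = "0.0.0.0/0"      # CIDR; rendered as address plus netmask
    destination: str = "0.0.0.0/0"
    src_ports: tuple = (0, 65535)  # (start_port, end_port)
    dst_ports: tuple = (0, 65535)

    def validate(self):
        """Collect every constraint violation rather than stopping at the first."""
        errors = []
        if not 1 <= self.index <= MAX_RULES:
            errors.append(f"index {self.index} outside 1..{MAX_RULES}")
        if self.action not in ("permit", "deny"):
            errors.append(f"action {self.action!r} must be permit or deny")
        if self.direction not in ("in", "out", "any"):
            errors.append(f"direction {self.direction!r} must be in, out or any")
        for err in (_num_or_any(self.protocol, 0, 255, "protocol"),
                    _num_or_any(self.dscp, 0, 63, "dscp")):
            if err:
                errors.append(err)
        for label, net in (("source", self.source), ("destination", self.destination)):
            try:
                ipaddress.IPv4Network(net, strict=False)
            except ValueError:
                errors.append(f"{label} {net!r} is not an IPv4 network")
        for label, (lo, hi) in (("source port", self.src_ports),
                                ("destination port", self.dst_ports)):
            if not 0 <= lo <= hi <= 65535:
                errors.append(f"{label} range {lo}-{hi} must lie in 0..65535")
        return errors


def render_rule(acl, rule):
    """Emit the config acl rule lines for one already-validated rule."""
    i = rule.index
    src = ipaddress.IPv4Network(rule.source, strict=False)
    dst = ipaddress.IPv4Network(rule.destination, strict=False)
    return [
        f"config acl rule add {acl} {i}",
        f"config acl rule action {acl} {i} {rule.action}",
        f"config acl rule protocol {acl} {i} {rule.protocol}",
        f"config acl rule direction {acl} {i} {rule.direction}",
        f"config acl rule dscp {acl} {i} {rule.dscp}",
        f"config acl rule source address {acl} {i} {src.network_address} {src.netmask}",
        f"config acl rule source port range {acl} {i} {rule.src_ports[0]} {rule.src_ports[1]}",
        f"config acl rule destination address {acl} {i} {dst.network_address} {dst.netmask}",
        f"config acl rule destination port range {acl} {i} {rule.dst_ports[0]} {rule.dst_ports[1]}",
    ]


def build_acl(name, rules):
    """Validate the whole ACL and return the create / rule / apply command sequence."""
    errors = []
    if not NAME_RE.match(name):
        errors.append(f"ACL name {name!r} must be 1..32 alphanumeric characters")
    seen = set()
    for r in rules:
        if r.index in seen:
            errors.append(f"duplicate rule index {r.index}")
        seen.add(r.index)
        errors.extend(f"rule {r.index}: {e}" for e in r.validate())
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"config acl create {name}"]
    for r in sorted(rules, key=lambda r: r.index):
        lines.extend(render_rule(name, r))
    lines.append(f"config acl apply {name}")
    return lines


# Constructed sample: a preauthentication ACL that lets unauthenticated clients
# reach only an external web server (203.0.113.10, TCP 443) and drops the rest.
SAMPLE_RULES = [
    AclRule(1, "permit", protocol="6", direction="in",
            destination="203.0.113.10/32", dst_ports=(443, 443)),
    AclRule(2, "permit", protocol="6", direction="out",
            source="203.0.113.10/32", src_ports=(443, 443)),
    AclRule(3, "deny"),
]
```

The emitted lines are pasted at the (Cisco Controller) > prompt in index order; a ValueError listing every violation is raised before any line is generated, so a malformed rule never reaches the controller.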

config auth-list add

To create an authorized access point entry, use the config auth-list add command.

config auth-list add { mic | ssc} AP_MAC [ AP_key]

Syntax Description

mic

Specifies that the access point has a manufacturer-installed certificate.

ssc

Specifies that the access point has a self-signed certificate.

AP_MAC

MAC address of a Cisco lightweight access point.

AP_key

(Optional) Key hash value, 20 bytes long (40 hexadecimal digits).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create an authorized access point entry with a manufacturer-installed certificate for MAC address 00:0b:85:02:0d:20:

(Cisco Controller) > config auth-list add mic 00:0b:85:02:0d:20

config auth-list ap-policy

To configure an access point authorization policy, use the config auth-list ap-policy command.

config auth-list ap-policy { authorize-ap { enable | disable} | ssc { enable | disable}}

Syntax Description

authorize-ap enable

Enables the authorization policy.

authorize-ap disable

Disables the AP authorization policy.

ssc enable

Allows the APs with self-signed certificates to connect.

ssc disable

Disallows the APs with self-signed certificates to connect.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable an access point authorization policy:

(Cisco Controller) > config auth-list ap-policy authorize-ap enable

The following example shows how to allow access points with self-signed certificates to connect:

(Cisco Controller) > config auth-list ap-policy ssc enable

config auth-list delete

To delete an access point entry, use the config auth-list delete command.

config auth-list delete AP_MAC

Syntax Description

AP_MAC

MAC address of a Cisco lightweight access point.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to delete an access point entry for MAC address 00:1f:ca:cf:b6:60:

(Cisco Controller) > config auth-list delete 00:1f:ca:cf:b6:60

config advanced eap

To configure advanced Extensible Authentication Protocol (EAP) settings, use the config advanced eap command.

config advanced eap { bcast-key-interval seconds |
 eapol-key-timeout timeout |
 eapol-key-retries retries |
 identity-request-timeout timeout |
 identity-request-retries retries |
 key-index index |
 max-login-ignore-identity-response { enable | disable} |
 request-timeout timeout |
 request-retries retries}

Syntax Description

bcast-key-interval seconds

Specifies the EAP-broadcast key renew interval time in seconds.

The range is from 120 to 86400 seconds.

eapol-key-timeout timeout

Specifies the amount of time (200 to 5000 milliseconds) that the controller waits before retransmitting an EAPOL (WPA) key message to a wireless client using EAP or WPA/WPA-2 PSK.

The default value is 1000 milliseconds.

eapol-key-retries retries

Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAPOL (WPA) key message to a wireless client.

The default value is 2.

identity-request-timeout timeout

Specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting an EAP Identity Request message to a wireless client.

The default value is 30 seconds.

identity-request-retries retries

Specifies the maximum number of times (0 to 4 retries) that the controller retransmits an EAP Identity Request message to a wireless client.

The default value is 2.

key-index index

Specifies the key index (0 or 3) used for dynamic wired equivalent privacy (WEP).

max-login-ignore-identity-response

When enabled, this option ignores the limit set for the number of devices that can be connected to the controller with the same username using 802.1X authentication. When disabled, the limit on the number of devices that can be connected to the controller with the same username is enforced. This option does not apply to web authentication users.

Use the config netuser maxUserLogin command to set the maximum number of devices allowed for the same username.

enable

Ignores the same username reaching the maximum EAP identity response.

disable

Checks the same username reaching the maximum EAP identity response.

request-timeout

For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the amount of time (1 to 120 seconds) that the controller waits before retransmitting the message to a wireless client.

The default value is 30 seconds.

request-retries

(Optional) For EAP messages other than Identity Requests or EAPOL (WPA) key messages, specifies the maximum number of times (0 to 20 retries) that the controller retransmits the message to a wireless client.

The default value is 2.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the key index used for dynamic wired equivalent privacy (WEP):

(Cisco Controller) > config advanced eap key-index 0

config advanced timers auth-timeout

To configure the authentication timeout, use the config advanced timers auth-timeout command.

config advanced timers auth-timeout seconds

Syntax Description

seconds

Authentication response timeout value in seconds between 10 and 600.

Command Default

The default authentication timeout value is 10 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the authentication timeout to 20 seconds:

(Cisco Controller) >config advanced timers auth-timeout 20

config advanced timers eap-timeout

To configure the Extensible Authentication Protocol (EAP) expiration timeout, use the config advanced timers eap-timeout command.

config advanced timers eap-timeout seconds

Syntax Description

seconds

EAP timeout value in seconds between 8 and 120.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the EAP expiration timeout to 10 seconds:

(Cisco Controller) >config advanced timers eap-timeout 10

config advanced timers eap-identity-request-delay

To configure the advanced Extensible Authentication Protocol (EAP) identity request delay in seconds, use the config advanced timers eap-identity-request-delay command.

config advanced timers eap-identity-request-delay seconds

Syntax Description

seconds

Advanced EAP identity request delay in number of seconds between 0 and 10.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the advanced EAP identity request delay to 8 seconds:

(Cisco Controller) >config advanced timers eap-identity-request-delay 8

config cts sxp

To configure Cisco TrustSec SXP (CTS) connections on the controller, use the config cts sxp command.

config cts sxp { enable | disable | connection { delete | peer} ip-address | default password password | retry period time-in-seconds}

Syntax Description

enable

Enables CTS connections on the controller.

disable

Disables CTS connections on the controller.

connection

Configures CTS connection on the controller.

delete

Deletes the CTS connection on the controller.

peer

Configures the next hop switch with which the controller is connected.

ip-address

IPv4 address of the peer (only IPv4 is supported).

default password

Configures the default password for MD5 authentication of SXP messages.

password

Default password for MD5 Authentication of SXP messages. The password should contain a minimum of six characters.

retry period

Configures the SXP retry period.

time-in-seconds

Time in seconds after which the controller retries a CTS connection following a connection failure.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

For release 8.0, only IPv4 is supported for TrustSec SXP configuration.

Examples

The following example shows how to enable CTS on the controller:

(Cisco Controller) > config cts sxp enable

The following example shows how to configure a peer for a CTS connection:

(Cisco Controller) > config cts sxp connection peer 209.165.200.224

config database size

To configure the size of the local user database, use the config database size command.

config database size count

Syntax Description

count

Database size value between 512 and 2040.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Use the show database command to display local database configuration.

Examples

The following example shows how to configure the size of the local database:

(Cisco Controller) > config database size 1024

config dhcp opt-82 format

To configure the DHCP option 82 format, use the config dhcp opt-82 format command.

config dhcp opt-82 format { binary | ascii}

Syntax Description

binary

Specifies the DHCP option 82 format as binary.

ascii

Specifies the DHCP option 82 format as ASCII.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the format of the DHCP option 82 payload as binary:

(Cisco Controller) > config dhcp opt-82 format binary

config dhcp opt-82 remote-id

To configure the format of the DHCP option 82 payload, use the config dhcp opt-82 remote-id command.

config dhcp opt-82 remote-id { ap_mac | ap_mac:ssid | ap-ethmac | apname:ssid | ap-group-name | flex-group-name | ap-location | apmac-vlan-id | apname-vlan-id | ap-ethmac-ssid}

Syntax Description

ap_mac

Specifies the radio MAC address of the access point to the DHCP option 82 payload.

ap_mac:ssid

Specifies the radio MAC address and SSID of the access point to the DHCP option 82 payload.

ap-ethmac

Specifies the Ethernet MAC address of the access point to the DHCP option 82 payload.

apname:ssid

Specifies the AP name and SSID of the access point to the DHCP option 82 payload.

ap-group-name

Specifies the AP group name to the DHCP option 82 payload.

flex-group-name

Specifies the FlexConnect group name to the DHCP option 82 payload.

ap-location

Specifies the AP location to the DHCP option 82 payload.

apmac-vlan-id

Specifies the radio MAC address of the access point and the VLAN ID to the DHCP option 82 payload.

apname-vlan-id

Specifies the AP name and its VLAN ID to the DHCP option 82 payload.

ap-ethmac-ssid

Specifies the Ethernet MAC address of the access point and the SSID to the DHCP option 82 payload.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the remote ID of the DHCP option 82 payload to carry the AP group name:

(Cisco Controller) > config dhcp opt-82 remote-id ap-group-name

config exclusionlist

To create or delete an exclusion list entry, use the config exclusionlist command.

config exclusionlist { add MAC [ description] | delete MAC | description MAC [ description]}

Syntax Description

config exclusionlist

Configures the exclusion list.

add

Creates a local exclusion-list entry.

delete

Deletes a local exclusion-list entry.

description

Specifies the description for an exclusion-list entry.

MAC

MAC address of the locally excluded entry.

description

(Optional) Description, up to 32 characters, for an excluded entry.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist add xx:xx:xx:xx:xx:xx lab

The following example shows how to delete a local exclusion list entry for the MAC address xx:xx:xx:xx:xx:xx:

(Cisco Controller) > config exclusionlist delete xx:xx:xx:xx:xx:xx

config ldap

To configure the Lightweight Directory Access Protocol (LDAP) server settings, use the config ldap command.

config ldap { add | delete | enable | disable | retransmit-timeout | retry | user | simple-bind} index

config ldap add index server_ip_address port user_base user_attr user_type

config ldap retransmit-timeout index retransmit-timeout

config ldap retry attempts

config ldap user { attr index user-attr | base index user-base | type index user-type}

config ldap simple-bind { anonymous index | authenticated index username password}

Syntax Description

add

Specifies that an LDAP server is being added.

delete

Specifies that an LDAP server is being deleted.

enable

Specifies that an LDAP server is enabled.

disable

Specifies that an LDAP server is disabled.

retransmit-timeout

Changes the default retransmit timeout for an LDAP server.

retry

Configures the retry attempts for an LDAP server.

user

Configures the user search parameters.

simple-bind

Configures the local authentication bind method.

anonymous

Allows anonymous access to the LDAP server.

authenticated

Specifies that a username and password be entered to secure access to the LDAP server.

index

LDAP server index. The range is from 1 to 17.

server_ip_address

IP address of the LDAP server.

port

Port number.

user_base

Distinguished name for the subtree that contains all of the users.

user_attr

Attribute that contains the username.

user_type

ObjectType that identifies the user.

retransmit-timeout

Retransmit timeout for an LDAP server. The range is from 2 to 30.

attempts

Number of attempts that each LDAP server is retried.

attr

Configures the attribute that contains the username.

base

Configures the distinguished name of the subtree that contains all the users.

type

Configures the user type.

username

Username for the authenticated bind method.

password

Password for the authenticated bind method.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable LDAP server index 10:

(Cisco Controller) > config ldap enable 10

config local-auth active-timeout

To specify the amount of time in which the controller attempts to authenticate wireless clients using local Extensible Authentication Protocol (EAP) after any pair of configured RADIUS servers fails, use the config local-auth active-timeout command.

config local-auth active-timeout timeout

Syntax Description

timeout

Timeout measured in seconds. The range is from 1 to 3600.

Command Default

The default timeout value is 100 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the active timeout for authenticating wireless clients using local EAP to 500 seconds:

(Cisco Controller) > config local-auth active-timeout 500

config local-auth eap-profile

To configure local Extensible Authentication Protocol (EAP) authentication profiles, use the config local-auth eap-profile command.

config local-auth eap-profile {[ add | delete] profile_name |
 cert-issuer { cisco | vendor} |
 method method local-cert { enable | disable} profile_name |
 method method client-cert { enable | disable} profile_name |
 method method peer-verify ca-issuer { enable | disable} |
 method method peer-verify cn-verify { enable | disable} |
 method method peer-verify date-valid { enable | disable}}

Syntax Description

add

(Optional) Specifies that an EAP profile or method is being added.

delete

(Optional) Specifies that an EAP profile or method is being deleted.

profile_name

EAP profile name (up to 63 alphanumeric characters). Do not include spaces within a profile name.

cert-issuer

(For use with EAP-TLS, PEAP, or EAP-FAST with certificates) Specifies the issuer of the certificates that will be sent to the client. The supported certificate issuers are Cisco or a third-party vendor.

cisco

Specifies the Cisco certificate issuer.

vendor

Specifies the third-party vendor.

method

Configures an EAP profile method.

method

EAP profile method name. The supported methods are leap, fast, tls, and peap.

local-cert

(For use with EAP-FAST) Specifies whether the device certificate on the controller is required for authentication.

enable

Specifies that the parameter is enabled.

disable

Specifies that the parameter is disabled.

client-cert

(For use with EAP-FAST) Specifies whether wireless clients are required to send their device certificates to the controller in order to authenticate.

peer-verify

Configures the peer certificate verification options.

ca-issuer

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the incoming certificate from the client is to be validated against the Certificate Authority (CA) certificates on the controller.

cn-verify

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the common name (CN) in the incoming certificate is to be validated against the CA certificates’ CN on the controller.

date-valid

(For use with EAP-TLS or EAP-FAST with certificates) Specifies whether the controller is to verify that the incoming device certificate is still valid and has not expired.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to create a local EAP profile named FAST01:


(Cisco Controller) > config local-auth eap-profile add FAST01

The following example shows how to add the EAP-FAST method to a local EAP profile:

(Cisco Controller) > config local-auth eap-profile method add fast FAST01

The following example shows how to specify Cisco as the issuer of the certificates that will be sent to the client for an EAP-FAST profile:

(Cisco Controller) > config local-auth eap-profile method fast cert-issuer cisco

The following example shows how to specify that the incoming certificate from the client be validated against the CA certificates on the controller:

(Cisco Controller) > config local-auth eap-profile method fast peer-verify ca-issuer enable

config local-auth method fast

To configure an EAP-FAST profile, use the config local-auth method fast command.

config local-auth method fast { anon-prov [ enable | disable] | authority-id auth_id pac-ttl days | server-key key_value}

Syntax Description

anon-prov

Configures the controller to allow anonymous provisioning, which allows PACs to be sent automatically to clients that do not have one during Protected Access Credentials (PAC) provisioning.

enable

(Optional) Specifies that the parameter is enabled.

disable

(Optional) Specifies that the parameter is disabled.

authority-id

Configures the authority identifier of the local EAP-FAST server.

auth_id

Authority identifier of the local EAP-FAST server (2 to 32 hexadecimal digits).

pac-ttl

Configures the number of days for the Protected Access Credentials (PAC) to remain viable (also known as the time-to-live [TTL] value).

days

Time-to-live (TTL) value (1 to 1000 days).

server-key

Configures the server key to encrypt or decrypt PACs.

key_value

Encryption key value (2 to 32 hexadecimal digits).

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable anonymous provisioning on the controller:

(Cisco Controller) > config local-auth method fast anon-prov disable

The following example shows how to configure the authority identifier 0125631177 of the local EAP-FAST server:

(Cisco Controller) > config local-auth method fast authority-id 0125631177

The following example shows how to configure the number of days to 10 for the PAC to remain viable:

(Cisco Controller) > config local-auth method fast pac-ttl 10

config local-auth user-credentials

To configure the local Extensible Authentication Protocol (EAP) authentication database search order for user credentials, use the config local-auth user-credentials command.

config local-auth user-credentials { local [ ldap] | ldap [ local] }

Syntax Description

local

Specifies that the local database is searched for the user credentials.

ldap

(Optional) Specifies that the Lightweight Directory Access Protocol (LDAP) database is searched for the user credentials.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

The order in which the database keywords are specified is the database search order.

Examples

The following example shows how to specify the order in which the local EAP authentication database is searched:

(Cisco Controller) > config local-auth user-credentials local ldap

In the above example, the local database is searched first and then the LDAP database.

config ipv6 acl

To create or delete an IPv6 ACL on the Cisco wireless LAN controller, apply the ACL to the data path, and configure rules in the IPv6 ACL, use the config ipv6 acl command.

config ipv6 acl [ apply | cpu | create | delete | rule]

config ipv6 acl apply name

config ipv6 acl cpu { name | none}

config ipv6 acl create name

config ipv6 acl delete name

config ipv6 acl rule [ action | add | change | delete | destination | direction | dscp | protocol | source | swap ]

config ipv6 acl rule action name index { permit | deny}

config ipv6 acl rule add name index

config ipv6 acl rule change index name old_index new_index

config ipv6 acl rule delete name index

config ipv6 acl rule destination { address name index ip_address prefix-len | port range name index }

config ipv6 acl rule direction name index { in | out | any}

config ipv6 acl rule dscp name dscp

config ipv6 acl rule protocol name index protocol

config ipv6 acl rule source { address name index ip_address prefix-len | port range name index start_port end_port}

config ipv6 acl rule swap index name index_1 index_2

Syntax Description

apply name

Applies an IPv6 ACL. An IPv6 ACL can contain up to 32 alphanumeric characters.

cpu name

Applies the IPv6 ACL to the CPU.

cpu none

Specify none if you do not want an IPv6 ACL applied to the CPU.

create

Creates an IPv6 ACL.

delete

Deletes an IPv6 ACL.

rule ( action) ( name) ( index)

Configures rules in the IPv6 ACL to either permit or deny access. An IPv6 ACL name can contain up to 32 alphanumeric characters, and an IPv6 ACL rule index can be between 1 and 32.

{ permit| deny}

Permit or deny the IPv6 rule action.

add name index

Adds a new rule and rule index.

change name old_index new_index

Changes a rule’s index.

delete name index

Deletes a rule and rule index.

destination address name index ip_addr prefix-len

Configures a rule’s destination IP address and prefix length (between 0 and 128).

destination port name index

Configures a rule's destination port range. Enter the IPv6 ACL name and the rule index.

direction name index { in| out| any}

Configures a rule’s direction to in, out, or any.

dscp name index dscp

Configures a rule’s DSCP value: a number between 0 and 63, or any.

protocol name index protocol

Configures a rule’s protocol. Enter the ACL name and rule index, and a protocol number between 0 and 255, or any.

source address name index ip_address prefix-len

Configures a rule’s source IP address and netmask.

source port range name index start_port end_port

Configures a rule’s source port range.

swap index name index_1 index_2

Swaps two rules’ indices.

Command Default

After adding an ACL, the config ipv6 acl cpu is by default configured as enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
8.0 This command was updated by adding cpu and none keywords and the ipv6_acl_name variable.

Usage Guidelines

For a Cisco 2100 Series Wireless LAN Controller, you must configure a preauthentication ACL on the wireless LAN for the external web server. This ACL should then be set as a wireless LAN preauthentication ACL under Web Policy. However, you do not need to configure any preauthentication ACL for Cisco 4400 Series Wireless LAN Controllers.

Examples

The following example shows how to configure an IPv6 ACL to permit access:

(Cisco Controller) >config ipv6 acl rule action lab1 4 permit

The following example shows how to configure an interface ACL:

(Cisco Controller) > config ipv6 interface acl management IPv6-Acl
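The rule commands above build an ordered table that is evaluated in ascending index order, first match wins. The following Python model is added here as an illustration; it is not Cisco's code and not the controller's implementation. It shows rules keyed by index 1 to 32, the add, delete, change and swap operations on that table, and first-match evaluation of a packet. The packet representation, the sample ACL named lab1 with its two rules, and the fall-through to deny when no rule matches are assumptions of the model, not statements taken from this page.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional, Tuple

ANY = "any"  # wildcard keyword for direction; None plays the same role for the other fields


@dataclass
class Rule:
    """One IPv6 ACL rule. None on a field means 'any', as the CLI's any keyword does."""
    action: str = "deny"                          # permit | deny
    direction: str = ANY                          # in | out | any
    source: Optional[IPv6Network] = None          # source address / prefix-len
    destination: Optional[IPv6Network] = None     # destination address / prefix-len
    src_ports: Optional[Tuple[int, int]] = None   # inclusive port range
    dst_ports: Optional[Tuple[int, int]] = None
    protocol: Optional[int] = None                # IP protocol number 0..255
    dscp: Optional[int] = None                    # 0..63

    def matches(self, pkt: dict) -> bool:
        return all((
            self.direction == ANY or self.direction == pkt["direction"],
            self.source is None or pkt["src"] in self.source,
            self.destination is None or pkt["dst"] in self.destination,
            self.src_ports is None or self.src_ports[0] <= pkt["sport"] <= self.src_ports[1],
            self.dst_ports is None or self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1],
            self.protocol is None or self.protocol == pkt["proto"],
            self.dscp is None or self.dscp == pkt["dscp"],
        ))


class IPv6Acl:
    """Ordered rule table keyed by index (1..32), evaluated first-match-wins."""
    MAX_RULES = 32

    def __init__(self, name: str):
        if not 1 <= len(name) <= 32:
            raise ValueError("ACL name must be 1..32 characters")
        self.name = name
        self.rules: Dict[int, Rule] = {}

    def _check_index(self, index: int) -> None:
        if not 1 <= index <= self.MAX_RULES:
            raise ValueError("rule index must be 1..32")

    def add(self, index: int, **fields) -> Rule:
        """'rule add NAME INDEX' followed by the per-field rule commands."""
        self._check_index(index)
        if index in self.rules:
            raise ValueError(f"rule {index} already exists")
        self.rules[index] = Rule(**fields)
        return self.rules[index]

    def delete(self, index: int) -> None:
        """'rule delete NAME INDEX'."""
        del self.rules[index]

    def change(self, old_index: int, new_index: int) -> None:
        """'rule change index NAME OLD NEW': move a rule to a free slot."""
        self._check_index(new_index)
        if new_index in self.rules:
            raise ValueError(f"rule {new_index} already exists")
        self.rules[new_index] = self.rules.pop(old_index)

    def swap(self, index_1: int, index_2: int) -> None:
        """'rule swap index NAME I1 I2': exchange the positions of two rules."""
        self.rules[index_1], self.rules[index_2] = self.rules[index_2], self.rules[index_1]

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, matching index). No match falls through to deny (assumed implicit deny)."""
        for index in sorted(self.rules):
            if self.rules[index].matches(pkt):
                return self.rules[index].action, index
        return "deny", None


def build_lab1() -> IPv6Acl:
    """Constructed sample ACL: permit inbound HTTPS from one /64, deny everything else."""
    acl = IPv6Acl("lab1")
    acl.add(4, action="permit", direction="in", source=IPv6Network("2001:db8:1::/64"),
            protocol=6, dst_ports=(443, 443))
    acl.add(5, action="deny")  # explicit catch-all: every field is 'any'
    return acl


def packet(src: str, dst: str, proto: int = 6, sport: int = 50000, dport: int = 443,
           dscp: int = 0, direction: str = "in") -> dict:
    """Constructed packet header fields in the shape Rule.matches() expects."""
    return {"src": IPv6Address(src), "dst": IPv6Address(dst), "proto": proto,
            "sport": sport, "dport": dport, "dscp": dscp, "direction": direction}


if __name__ == "__main__":
    acl = build_lab1()
    print(acl.evaluate(packet("2001:db8:1::10", "2001:db8:ffff::1")))  # ('permit', 4)
    print(acl.evaluate(packet("2001:db8:2::10", "2001:db8:ffff::1")))  # ('deny', 5)
```

Because the table is evaluated by index, a swap or change that moves the catch-all deny ahead of a permit silently changes the outcome for every packet; the model's tests below exercise exactly that reordering.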

config netuser add

To add a guest user on a WLAN or wired guest LAN to the local user database on the controller, use the config netuser add command.

config netuser add username password { wlan wlan_id | guestlan guestlan_id} userType guest lifetime lifetime description description

Syntax Description

username

Guest username. The username can be up to 50 alphanumeric characters.

password

User password. The password can be up to 24 alphanumeric characters.

wlan

Specifies the wireless LAN identifier to associate with or zero for any wireless LAN.

wlan_id

Wireless LAN identifier assigned to the user. A zero value associates the user with any wireless LAN.

guestlan

Specifies the guest LAN identifier to associate with or zero for any wireless LAN.

guestlan_id

Guest LAN ID.

userType

Specifies the user type.

guest

Specifies the guest user type.

lifetime

Specifies the lifetime.

lifetime

Lifetime value (60 to 259200 or 0) in seconds for the guest user.

Note 

A value of 0 indicates an unlimited lifetime.

description

Short description of user. The description can be up to 32 characters enclosed in double-quotes.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.

Examples

The following example shows how to add a permanent username Jane to the wireless network for 1 hour:


(Cisco Controller) > config netuser add jane able2 1 wlan_id 1 userType permanent

The following example shows how to add a guest username George to the wireless network for 1 hour:


(Cisco Controller) > config netuser add george able1 guestlan 1 3600

config netuser delete

To delete an existing user from the local network, use the config netuser delete command.

config netuser delete username

Syntax Description

username

Network username. The username can be up to 24 alphanumeric characters.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

Local network usernames must be unique because they are stored in the same database.

Examples

The following example shows how to delete an existing username named able1 from the network:


(Cisco Controller) > config netuser delete able1
Deleted user able1

config netuser description

To add a description to an existing net user, use the config netuser description command.

config netuser description username description

Syntax Description

username

Network username. The username can contain up to 24 alphanumeric characters.

description

(Optional) User description. The description can be up to 32 alphanumeric characters enclosed in double quotes.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add the user description “HQ1 Contact” to an existing network user named able1:


(Cisco Controller) > config netuser description able1 “HQ1 Contact”

config network bridging-shared-secret

To configure the bridging shared secret, use the config network bridging-shared-secret command.

config network bridging-shared-secret shared_secret

Syntax Description

shared_secret

Bridging shared secret string. The string can contain up to 10 bytes.

Command Default

The bridging shared secret is enabled by default.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

This command creates a secret that encrypts backhaul user data for the mesh access points that connect to the switch.

The zero-touch configuration must be enabled for this command to work.

Examples

The following example shows how to configure the bridging shared secret string “shhh1”:


(Cisco Controller) > config network bridging-shared-secret shhh1

config network web-auth captive-bypass

To configure the controller to support bypass of captive portals at the network level, use the config network web-auth captive-bypass command.

config network web-auth captive-bypass { enable | disable}

Syntax Description

enable

Allows the controller to support bypass of captive portals.

disable

Disallows the controller to support bypass of captive portals.

Command Default

None

Examples

The following example shows how to configure the controller to support bypass of captive portals:


(Cisco Controller) > config network web-auth captive-bypass enable

config network web-auth port

To configure an additional port to be redirected for web authentication at the network level, use the config network web-auth port command.

config network web-auth port port

Syntax Description

port

Port number. The valid range is from 0 to 65535.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an additional port number 1200 to be redirected for web authentication:


(Cisco Controller) > config network web-auth port 1200

config network web-auth proxy-redirect

To configure proxy redirect support for web authentication clients, use the config network web-auth proxy-redirect command.

config network web-auth proxy-redirect { enable | disable}

Syntax Description

enable

Allows proxy redirect support for web authentication clients.

disable

Disallows proxy redirect support for web authentication clients.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:


(Cisco Controller) > config network web-auth proxy-redirect enable

config network web-auth secureweb

To configure the secure web (https) authentication for clients, use the config network web-auth secureweb command.

config network web-auth secureweb { enable | disable}

Syntax Description

enable

Allows secure web (https) authentication for clients.

disable

Disallows secure web (https) authentication for clients. Enables http web authentication for clients.

Command Default

The default secure web (https) authentication for clients is enabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

If you configure the secure web (https) authentication for clients using the config network web-auth secureweb disable command, then you must reboot the Cisco WLC to implement the change.

Examples

The following example shows how to enable the secure web (https) authentication for clients:


(Cisco Controller) > config network web-auth secureweb enable

config network webmode

To enable or disable the web mode, use the config network webmode command.

config network webmode { enable | disable}

Syntax Description

enable

Enables the web interface.

disable

Disables the web interface.

Command Default

The default value for the web mode is enable.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the web interface mode:


(Cisco Controller) > config network webmode disable

config network web-auth

To configure the network-level web authentication options, use the config network web-auth command.

config network web-auth { port port-number | proxy-redirect { enable | disable}}

Syntax Description

port

Configures additional ports for web authentication redirection.

port-number

Port number (between 0 and 65535).

proxy-redirect

Configures proxy redirect support for web authentication clients.

enable

Enables proxy redirect support for web authentication clients.

Note 

Web-auth proxy redirection will be enabled for ports 80, 8080, and 3128, along with user defined port 345.

disable

Disables proxy redirect support for web authentication clients.

Command Default

The default network-level web authentication value is disabled.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Usage Guidelines

You must reset the system for the configuration to take effect.

Examples

The following example shows how to enable proxy redirect support for web authentication clients:


(Cisco Controller) > config network web-auth proxy-redirect enable

config policy

To configure a native profiling policy on the Cisco Wireless LAN Controller (WLC), use the config policy command.

config policy policy_name { action { acl { enable | disable} acl_name | { average-data-rate | average-realtime-rate | burst-data-rate | burst-realtime-rate | qos | session-timeout | sleeping-client-timeout | vlan} { enable | disable}} | active { add hours start_time end_time days day | delete days day} | create | delete | match { device-type { add | delete} device-type | eap-type { add | delete} { eap-fast | eap-tls | leap | peap} | role { role_name | none}}}

Syntax Description

policy_name

Name of a profiling policy.

action

Configures an action for the policy.

acl

Configures an ACL for the policy

enable

Enables an action for the policy.

disable

Disables an action for the policy.

acl_name

Name of an ACL.

average-data-rate

Configures the QoS average data rate.

average-realtime-rate

Configures the QoS average real-time rate.

burst-data-rate

Configures the QoS burst data rate.

burst-realtime-rate

Configures the QoS burst real-time rate.

qos

Configures a QoS action for the policy.

session-timeout

Configures a session timeout action for the policy.

sleeping-client-timeout

Configures a sleeping client timeout for the policy.

vlan

Configures a VLAN action for the policy.

active

Configures the active hours and days for the policy.

add

Adds active hours and days.

hours

Configures active hours for the policy.

start_time

Start time for the policy.

end_time

End time for the policy.

days

Configures the days on which the policy is active.

day

Day of the week, such as mon, tue, wed, thu, fri, sat, sun. You can also specify daily or weekdays for the policy to occur daily or on all weekdays.

delete

Deletes active hours and days.

create

Creates a policy.

match

Configures a match criteria for the policy.

device-type

Configures a device type match.

device-type

Device type on which the policy must be applied. You can configure up to 16 device types for a policy.

eap-type

Configures the Extensible Authentication Protocol (EAP) type as a match criteria.

eap-fast

Configures the EAP type as EAP Flexible Authentication via Secure Tunneling (FAST).

eap-tls

Configures the EAP type as EAP Transport Layer Security (TLS).

leap

Configures the EAP type as Lightweight EAP (LEAP).

peap

Configures the EAP type as Protected EAP (PEAP).

role

Configures the user type or user group for the user.

role_name

User type or user group of the user, for example, student, employee.

You can configure only one role per policy.

none

Configures no user type or user group for the user.

Command Default

There is no native profiling policy on the Cisco WLC.

Command History

Release Modification
7.5 This command was introduced.

Usage Guidelines

The maximum number of policies that you can configure is 64.

Examples

The following example shows how to configure a role for a policy:

(Cisco Controller) > config policy student_policy role student
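The match and active keywords above define when a profiling policy applies to a client. The following Python model is added here to show how those criteria combine; it is not Cisco's code and does not reproduce the controller's internal logic. It treats the configured criteria as ANDed with the values inside one criterion ORed, treats a policy with no active window as always active, assumes an active window lies within a single day, and checks the limits the page states (16 device types per policy, 64 policies, one role per policy). The sample student_policy, its device types and its action are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set

DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order
EAP_TYPES = {"eap-fast", "eap-tls", "leap", "peap"}              # keywords accepted by match eap-type
MAX_DEVICE_TYPES = 16                                            # per-policy limit stated on the page
MAX_POLICIES = 64                                                # controller-wide limit stated on the page


def expand_days(day: str) -> Set[str]:
    """Translate the CLI day keyword (mon..sun, daily, weekdays) into weekday names."""
    if day == "daily":
        return set(DAY_NAMES)
    if day == "weekdays":
        return set(DAY_NAMES[:5])
    if day in DAY_NAMES:
        return {day}
    raise ValueError(f"unknown day keyword: {day}")


@dataclass
class ActiveWindow:
    """One 'active add hours START END days DAY' entry."""
    start: time
    end: time
    days: Set[str]

    def contains(self, when: datetime) -> bool:
        # Assumption of this model: a window does not cross midnight (start <= end).
        return DAY_NAMES[when.weekday()] in self.days and self.start <= when.time() <= self.end


@dataclass
class Policy:
    name: str
    device_types: Set[str] = field(default_factory=set)
    eap_types: Set[str] = field(default_factory=set)
    role: Optional[str] = None                                  # only one role per policy
    windows: List[ActiveWindow] = field(default_factory=list)
    actions: Dict[str, object] = field(default_factory=dict)   # e.g. {"vlan": 20, "acl": "student_acl"}

    def match_device_type(self, device_type: str) -> None:
        if len(self.device_types) >= MAX_DEVICE_TYPES:
            raise ValueError("at most 16 device types per policy")
        self.device_types.add(device_type)

    def match_eap_type(self, eap_type: str) -> None:
        if eap_type not in EAP_TYPES:
            raise ValueError(f"unsupported EAP type: {eap_type}")
        self.eap_types.add(eap_type)

    def active_add(self, start: time, end: time, day: str) -> None:
        self.windows.append(ActiveWindow(start, end, expand_days(day)))

    def applies_to(self, client: Dict[str, str], when: datetime) -> bool:
        """Every configured criterion must hold; an unconfigured criterion matches anything."""
        if self.device_types and client.get("device_type") not in self.device_types:
            return False
        if self.eap_types and client.get("eap_type") not in self.eap_types:
            return False
        if self.role is not None and client.get("role") != self.role:
            return False
        if self.windows and not any(w.contains(when) for w in self.windows):
            return False
        return True


def select_policy(policies: List[Policy], client: Dict[str, str], when: datetime) -> Optional[Policy]:
    """Return the first policy, in configured order, that applies to the client."""
    if len(policies) > MAX_POLICIES:
        raise ValueError("at most 64 policies")
    for policy in policies:
        if policy.applies_to(client, when):
            return policy
    return None


def decide(policies: List[Policy], client: Dict[str, str], when_iso: str) -> Optional[str]:
    """Convenience wrapper: policy name (or None) for a client at an ISO-8601 timestamp."""
    chosen = select_policy(policies, client, datetime.fromisoformat(when_iso))
    return chosen.name if chosen else None


def build_student_policy() -> Policy:
    """Constructed sample: 'config policy student_policy role student' plus a few more criteria."""
    p = Policy("student_policy", role="student", actions={"vlan": 20})
    p.match_eap_type("peap")
    p.match_device_type("Android")
    p.match_device_type("Apple-iPhone")
    p.active_add(time(8, 0), time(18, 0), "weekdays")
    return p


if __name__ == "__main__":
    policies = [build_student_policy()]
    client = {"role": "student", "eap_type": "peap", "device_type": "Android"}
    print(decide(policies, client, "2024-01-08T10:00"))  # Monday morning: student_policy
    print(decide(policies, client, "2024-01-13T10:00"))  # Saturday: None
```

The model makes one failure mode visible: a client that satisfies the role and EAP criteria but connects outside the active window gets no policy at all, so the actions (VLAN, ACL, QoS) that the policy would have applied are simply absent rather than replaced by something stricter.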

config radius acct

To configure settings for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct command.

config radius acct { { add index IP addr port { ascii | hex} secret} | delete index | disable index | enable index | ipsec { authentication { hmac-md5 index | hmac-sha1 index } | disable index | enable index | encryption { 256-aes | 3des | aes | des} index | ike { auth-mode { pre-shared-key index type shared_secret_key | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 { aggressive | main} index } } | { mac-delimiter { colon | hyphen | none | single-hyphen} } | { network index { disable | enable} } | { region { group | none | provincial} } | retransmit-timeout index seconds | realm { add | delete} index realm-string}

Syntax Description

add

Adds a RADIUS accounting server (IPv4 or IPv6).

index

RADIUS server index (1 to 17).

IP addr

RADIUS server IP address (IPv4 or IPv6).

port

RADIUS server’s UDP port number for the interface protocols.

ascii

Specifies the RADIUS server’s secret type: ascii.

hex

Specifies the RADIUS server’s secret type: hex.

secret

RADIUS server’s secret.

enable

Enables a RADIUS accounting server.

disable

Disables a RADIUS accounting server.

delete

Deletes a RADIUS accounting server.

ipsec

Enables or disables IPSec support for an accounting server.

Note 
IPSec is not supported for IPv6.

authentication

Configures IPSec Authentication.

hmac-md5

Enables IPSec HMAC-MD5 authentication.

hmac-sha1

Enables IPSec HMAC-SHA1 authentication.

disable

Disables IPSec support for an accounting server.

enable

Enables IPSec support for an accounting server.

encryption

Configures IPSec encryption.

256-aes

Enables IPSec AES-256 encryption.

3des

Enables IPSec 3DES encryption.

aes

Enables IPSec AES-128 encryption.

des

Enables IPSec DES encryption.

ike

Configures Internet Key Exchange (IKE).

auth-mode

Configures IKE authentication method.

pre-shared-key

Pre-shared key for authentication.

certificate

Certificate used for authentication.

dh-group

Configures IKE Diffie-Hellman group.

2048bit-group-14

Configures DH group 14 (2048 bits).

group-1

Configures DH group 1 (768 bits).

group-2

Configures DH group 2 (1024 bits).

group-5

Configures DH group 5 (1536 bits).

lifetime seconds

Configures IKE lifetime in seconds. The range is from 1800 to 57600 seconds and the default is 28800.

phase1

Configures IKE phase1 mode.

aggressive

Enables IKE aggressive mode.

main

Enables IKE main mode.

mac-delimiter

Configures MAC delimiter for caller station ID and calling station ID.

colon

Sets the delimiter to colon (For example: xx:xx:xx:xx:xx:xx).

hyphen

Sets the delimiter to hyphen (For example: xx-xx-xx-xx-xx-xx).

none

Disables delimiters (For example: xxxxxxxxxx).

single-hyphen

Sets the delimiters to single hyphen (For example: xxxxxx-xxxxxx).

network

Configures a default RADIUS server for network users.

group

Specifies RADIUS server type group.

none

Specifies RADIUS server type none.

provincial

Specifies RADIUS server type provincial.

retransmit-timeout

Changes the default retransmit timeout for the server.

seconds

The number of seconds between retransmissions.

realm

Specifies radius acct realm.

add

Adds radius acct realm.

delete

Deletes radius acct realm.

Command Default

When adding a RADIUS server, the port number defaults to 1813 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a priority 1 RADIUS accounting server at 10.10.10.10 using port 1813 with a login password of admin:


(Cisco Controller) > config radius acct add 1 10.10.10.10 1813 ascii admin

The following example shows how to configure a priority 1 RADIUS accounting server at 2001:9:6:40::623 using port 1813 with a login password of admin:


(Cisco Controller) > config radius acct add 1 2001:9:6:40::623 1813 ascii admin

config radius acct ipsec authentication

To configure IPsec authentication for the Cisco wireless LAN controller, use the config radius acct ipsec authentication command.

config radius acct ipsec authentication { hmac-md5 | hmac-sha1} index

Syntax Description

hmac-md5

Enables IPsec HMAC-MD5 authentication.

hmac-sha1

Enables IPsec HMAC-SHA1 authentication.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec hmac-md5 authentication service on the RADIUS accounting server index 1:


(Cisco Controller) > config radius acct ipsec authentication hmac-md5 1

config radius acct ipsec disable

To disable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec disable command.

config radius acct ipsec disable index

Syntax Description

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to disable the IPsec support for RADIUS accounting server index 1:


(Cisco Controller) > config radius acct ipsec disable 1

config radius acct ipsec enable

To enable IPsec support for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec enable command.

config radius acct ipsec enable index

Syntax Description

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable the IPsec support for RADIUS accounting server index 1:


(Cisco Controller) > config radius acct ipsec enable 1

config radius acct ipsec encryption

To configure IPsec encryption for an accounting server for the Cisco wireless LAN controller, use the config radius acct ipsec encryption command.

config radius acct ipsec encryption { 256-aes | 3des | aes | des} index

Syntax Description

256-aes

Enables IPSec AES-256 encryption.

3des

Enables IPsec 3DES encryption.

aes

Enables IPsec AES encryption.

des

Enables IPsec DES encryption.

index

RADIUS server index value of between 1 and 17.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec 3DES encryption for RADIUS server index value 3:


(Cisco Controller) > config radius acct ipsec encryption 3des 3

config radius acct ipsec ike

To configure Internet Key Exchange (IKE) for the Cisco WLC, use the config radius acct ipsec ike command.

config radius acct ipsec ike { dh-group { group-1 | group-2 | group-5 | group-14} | lifetime seconds | phase1 { aggressive | main}} index

Syntax Description

dh-group

Specifies the Diffie-Hellman (DH) group.

group-1

Configures the DH Group 1 (768 bits).

group-2

Configures the DH Group 2 (1024 bits).

group-5

Configures the DH Group 5 (1536 bits).

group-14

Configures the DH Group 14 (2048 bits).

lifetime

Configures the IKE lifetime.

seconds

IKE lifetime in seconds.

phase1

Configures the IKE phase1 mode.

aggressive

Enables the aggressive mode.

main

Enables the main mode.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IKE lifetime of 23 seconds for RADIUS server index 1:


(Cisco Controller) > config radius acct ipsec ike lifetime 23 1

config radius acct mac-delimiter

To specify the delimiter to be used in the MAC addresses that are sent to the RADIUS accounting server, use the config radius acct mac-delimiter command.

config radius acct mac-delimiter { colon | hyphen | single-hyphen | none}

Syntax Description

colon

Sets the delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).

hyphen

Sets the delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).

single-hyphen

Sets the delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

none

Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to set the delimiter hyphen to be used in the MAC addresses that are sent to the RADIUS accounting server for the network users:


(Cisco Controller) > config radius acct mac-delimiter hyphen
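The delimiter keyword chosen here (and in the mac-delimiter option of config radius acct above) changes the text form of the MAC address in the Calling-Station-Id attribute, so an accounting server set to hyphen and an authentication server set to colon will log the same station two different ways. The following Python helpers are an added example, not Cisco's code: they render a MAC in each of the four styles the command offers, reduce any style back to one canonical form, and group RADIUS records by station regardless of which delimiter produced them. The sample records, their attribute names and the acceptance of Cisco-style dotted input are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Delimiter styles selectable with "config radius acct mac-delimiter":
# keyword -> (separator, hex digits per group).
STYLES = {
    "colon": (":", 2),          # xx:xx:xx:xx:xx:xx
    "hyphen": ("-", 2),         # xx-xx-xx-xx-xx-xx
    "single-hyphen": ("-", 6),  # xxxxxx-xxxxxx
    "none": ("", 12),           # xxxxxxxxxxxx
}


def canonical_mac(text: str) -> str:
    """Strip colon, hyphen or dot delimiters and return 12 lowercase hex digits.

    Anything that is not exactly 48 bits of hex raises ValueError, so a truncated
    or malformed Calling-Station-Id is rejected instead of silently matching a
    real station."""
    digits = re.sub(r"[:\-.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def is_mac(text: str) -> bool:
    """Boolean form of canonical_mac() for filtering untrusted input."""
    try:
        canonical_mac(text)
        return True
    except ValueError:
        return False


def format_mac(text: str, style: str) -> str:
    """Render a MAC the way the controller would send it under the given delimiter keyword."""
    sep, group = STYLES[style]
    digits = canonical_mac(text)
    return sep.join(digits[i:i + group] for i in range(0, 12, group))


def group_by_station(records: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Bucket RADIUS records by canonical MAC so that records from servers configured
    with different delimiter styles land in the same bucket."""
    buckets: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for rec in records:
        buckets[canonical_mac(rec["Calling-Station-Id"])].append(rec)
    return dict(buckets)


# Constructed sample: an accounting server receiving hyphen-delimited IDs and an
# authentication server receiving colon-delimited ones, covering two clients.
SAMPLE_RECORDS = [
    {"source": "acct", "Calling-Station-Id": "00-11-22-aa-bb-cc", "Acct-Status-Type": "Start"},
    {"source": "auth", "Calling-Station-Id": "00:11:22:AA:BB:CC", "User-Name": "jane"},
    {"source": "acct", "Calling-Station-Id": "001122-ddeeff", "Acct-Status-Type": "Start"},
]


if __name__ == "__main__":
    for mac, recs in group_by_station(SAMPLE_RECORDS).items():
        print(format_mac(mac, "colon"), [r["source"] for r in recs])
```

Normalising before comparison, rather than configuring every server to the same keyword, also survives a later change of the delimiter setting on one server without breaking historical correlation.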

config radius acct network

To configure a default RADIUS server for network users, use the config radius acct network command.

config radius acct network index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a network user’s default RADIUS server.

disable

Disables the server as a network user’s default RADIUS server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the server with RADIUS server index 1 as the default RADIUS accounting server for network users:


(Cisco Controller) > config radius acct network 1 enable

config radius acct retransmit-timeout

To change the default transmission timeout for a RADIUS accounting server for the Cisco wireless LAN controller, use the config radius acct retransmit-timeout command.

config radius acct retransmit-timeout index timeout

Syntax Description

index

RADIUS server index.

timeout

Number of seconds (from 2 to 30) between retransmissions.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure retransmission timeout value 5 seconds between the retransmission:


(Cisco Controller) > config radius acct retransmit-timeout 5

config radius auth

To configure settings for a RADIUS authentication server for the Cisco wireless LAN controller, use the config radius auth command.

config radius auth { add index IP addr port ascii/hex secret | delete index | disable index | enable index | framed-mtu mtu | ipsec { authentication { hmac-md5 index | hmac-sha1 index} | disable index | enable index | encryption { 256-aes | 3des | aes | des} index | ike { auth-mode { pre-shared-key index ascii/hex shared_secret | certificate index} | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5} index | lifetime seconds index | phase1 { aggressive | main} index} } | keywrap { add ascii/hex kek mack index | delete index | disable | enable} | mac-delimiter { colon | hyphen | none | single-hyphen} | management index { enable | disable} | mgmt-retransmit-timeout index Retransmit Timeout | network index { enable | disable} | realm { add | delete} radius-index realm-string | region { group | none | provincial} | retransmit-timeout index Retransmit Timeout | rfc3576 { enable | disable} index}

Syntax Description

enable

Enables a RADIUS authentication server.

disable

Disables a RADIUS authentication server.

delete

Deletes a RADIUS authentication server.

index

RADIUS server index. The controller begins the search with 1. The server index range is from 1 to 17.

add

Adds a RADIUS authentication server. See the “Command Default” section.

IP addr

IP address (IPv4 or IPv6) of the RADIUS server.

port

RADIUS server’s UDP port number for the interface protocols.

ascii/hex

Specifies RADIUS server’s secret type: ascii or hex .

secret

RADIUS server’s secret.

callStationIdType

Configures Called Station Id information sent in RADIUS authentication messages.

framed-mtu

Configures the Framed-MTU for all the RADIUS servers. The framed-mtu range is from 64 to 1300 bytes.

ipsec

Enables or disables IPSec support for an authentication server.

Note 
IPSec is not supported for IPv6.

keywrap

Configures RADIUS keywrap.

ascii/hex

Specifies the input format of the keywrap keys.

kek

Enters the 16-byte key-encryption-key.

mack

Enters the 20-byte message-authenticator-code-key.

mac-delimiter

Configures the MAC address delimiter used in the Called-Station-Id and Calling-Station-Id attributes.

management

Configures a RADIUS Server for management users.

mgmt-retransmit-timeout

Changes the default management login retransmission timeout for the server.

network

Configures a default RADIUS server for network users.

realm

Configures a RADIUS authentication realm.

region

Configures RADIUS region property.

retransmit-timeout

Changes the default network login retransmission timeout for the server.

rfc3576

Enables or disables RFC-3576 support for an authentication server.

Command Default

When adding a RADIUS server, the port number defaults to 1812 and the state is enabled.

Usage Guidelines

IPSec is not supported for IPv6.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to add a RADIUS authentication server at index 3 (the third server tried) with IPv4 address 10.10.10.10, port 1812, and the shared secret admin:


(Cisco Controller) > config radius auth add 3 10.10.10.10 1812 ascii admin

The following example shows how to add a RADIUS authentication server at index 3 with IPv6 address 2001:9:6:40::623, port 1812, and the shared secret admin:


(Cisco Controller) > config radius auth add 3 2001:9:6:40::623 1812 ascii admin

config radius auth callStationIdType

To configure the type of Called-Station-Id that the controller sends to the RADIUS authentication server, use the config radius auth callStationIdType command.

config radius auth callStationIdType { ap-group-name | ap-label-address | ap-label-address-ssid | ap-location | ap-macaddr-only | ap-macaddr-ssid | ap-name | ap-name-ssid | flex-group-name | ipaddr | macaddr | vlan-id }

Syntax Description

ipaddr

Configures the Call Station ID type to use the IP address (only Layer 3).

macaddr

Configures the Call Station ID type to use the system’s MAC address (Layers 2 and 3).

ap-macaddr-only

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3).

ap-macaddr-ssid

Configures the Call Station ID type to use the access point’s MAC address (Layers 2 and 3) in the format AP MAC address:SSID.

ap-group-name

Configures the Call Station ID type to use the AP group name. If the AP is not part of any AP group, default-group is taken as the AP group name.

flex-group-name

Configures the Call Station ID type to use the FlexConnect group name. If the FlexConnect AP is not part of any FlexConnect group, the system MAC address is taken as the Call Station ID.

ap-name

Configures the Call Station ID type to use the access point’s name.

ap-name-ssid

Configures the Call Station ID type to use the access point’s name in the format AP name:SSID

ap-location

Configures the Call Station ID type to use the access point’s location.

vlan-id

Configures the Call Station ID type to use the system’s VLAN-ID.

Command Default

The MAC address of the system.

Usage Guidelines

The controller sends the Called Station ID attribute to the RADIUS server in all authentication and accounting packets. The Called Station ID attribute can be used to classify users to different groups based on the attribute value. The command is applicable only for the Called Station and not for the Calling Station.

You cannot send only the SSID as the Called-Station-ID, you can only combine the SSID with either the access point MAC address or the access point name.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.
7.6 The ap-ethmac-only and ap-ethmac-ssid keywords were added to support the access point’s Ethernet MAC address. The ap-label-address and ap-label-address-ssid keywords were added.
8.0 This command supports both IPv4 and IPv6 address formats.

Examples

The following example shows how to configure the call station ID type to use the IP address:


(Cisco Controller) > config radius auth callStationIdType ipaddr

The following example shows how to configure the call station ID type to use the system’s MAC address:


(Cisco Controller) > config radius auth callStationIdType macaddr

The following example shows how to configure the call station ID type to use the access point’s MAC address:


(Cisco Controller) > config radius auth callStationIdType ap-macaddr-only

config radius auth ipsec authentication

To configure the IPsec integrity (authentication) algorithm used for the tunnel to a RADIUS authentication server on the Cisco wireless LAN controller, use the config radius auth ipsec authentication command.

config radius auth ipsec authentication { hmac-md5 | hmac-sha1 } index

Syntax Description

hmac-md5

Enables IPsec HMAC-MD5 authentication. HMAC-MD5 is deprecated for IPsec; prefer hmac-sha1 where the RADIUS server supports it.

hmac-sha1

Enables IPsec HMAC-SHA1 authentication.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure the IPsec hmac-md5 support for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth ipsec authentication hmac-md5 1

config radius auth ipsec disable

To enable or disable IPsec support for an authentication server on the Cisco wireless LAN controller, use the config radius auth ipsec enable or config radius auth ipsec disable command.

config radius auth ipsec { enable | disable} index

Syntax Description

enable

Enables the IPsec support for an authentication server.

disable

Disables the IPsec support for an authentication server.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

This example shows how to enable the IPsec support for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth ipsec enable 1

This example shows how to disable the IPsec support for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth ipsec disable 1

config radius auth ipsec encryption

To configure IPsec encryption support for an authentication server for the Cisco wireless LAN controller, use the config radius auth ipsec encryption command.

config radius auth ipsec encryption { 3des | aes | des } index

Syntax Description

3des

Enables the IPsec 3DES encryption.

aes

Enables the IPsec AES encryption.

des

Enables the IPsec DES encryption. DES uses a 56-bit key and is no longer considered secure; prefer aes.

index

RADIUS server index.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure IPsec 3DES encryption for RADIUS authentication server index 3:


(Cisco Controller) > config radius auth ipsec encryption 3des 3

config radius auth ipsec ike

To configure Internet Key Exchange (IKE) for the IPsec tunnel to a RADIUS authentication server on the Cisco wireless LAN controller, use the config radius auth ipsec ike command.

config radius auth ipsec ike { auth-mode { pre-shared-key index { ascii | hex } shared-secret | certificate index } | dh-group { 2048bit-group-14 | group-1 | group-2 | group-5 } index |
 lifetime seconds index | phase1 { aggressive | main } index }

Syntax Description

auth-mode

Configures the IKE authentication method.

pre-shared-key

Configures the preshared key for IKE authentication method.

index

RADIUS server index between 1 and 17.

ascii

Configures RADIUS IPsec IKE secret in an ASCII format.

hex

Configures RADIUS IPsec IKE secret in a hexadecimal format.

shared-secret

Configures the shared RADIUS IPsec secret.

certificate

Configures the certificate for IKE authentication.

dh-group

Configures the IKE Diffie-Hellman group.

2048bit-group-14

Configures the DH Group14 (2048 bits).

group-1

Configures the DH Group 1 (768 bits). Groups 1 and 2 are below current minimum key-size recommendations; prefer 2048bit-group-14 where the RADIUS server supports it.

group-2

Configures the DH Group 2 (1024 bits).

group-5

Configures the DH Group 5 (1536 bits).

lifetime

Configures the IKE lifetime.

seconds

IKE lifetime in seconds. The range is from 1800 to 57600 seconds.

phase1

Configures the IKE phase1 mode.

aggressive

Enables the aggressive mode.

main

Enables the main mode.

index

RADIUS server index.

Command Default

By default, a preshared key is used for IKE authentication and the IKE lifetime is 28800 seconds.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure an IKE lifetime of 3600 seconds (the allowed range is 1800 to 57600 seconds) for RADIUS authentication server index 1:


(Cisco Controller) > config radius auth ipsec ike lifetime 3600 1

config radius auth keywrap

To enable and configure Advanced Encryption Standard (AES) key wrap, which protects the keying material exchanged between the controller and the RADIUS server with AES instead of the MD5-based attribute hiding that depends only on the shared secret, use the config radius auth keywrap command. The same KEK and MACK must be configured on the RADIUS server.

config radius auth keywrap { enable | disable | add { ascii | hex } kek mack index | delete index }

Syntax Description

enable

Enables AES key wrap.

disable

Disables AES key wrap.

add

Configures AES key wrap attributes.

ascii

Configures key wrap in an ASCII format.

hex

Configures key wrap in a hexadecimal format.

kek

16-byte Key Encryption Key (KEK). The identical KEK must be configured on the RADIUS server.

mack

20-byte Message Authentication Code Key (MACK).

delete

Deletes AES key wrap attributes.

index

Index of the RADIUS authentication server whose AES key wrap keys are added or deleted. The enable and disable keywords take no index and apply to the controller as a whole.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to enable AES key wrap on the controller (the KEK and MACK for each server are added separately with the add keyword):


(Cisco Controller) > config radius auth keywrap enable
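
The KEK and MACK entered with config radius auth keywrap add are symmetric keys, so the values typed on the controller must be byte-identical to the values on the RADIUS server. The program below is an added example and is not part of this command reference or of Cisco’s code: it implements AES key wrap and unwrap as specified in RFC 3394 with a 16-byte KEK, which is the algorithm this page’s key wrap feature is assumed (not stated by the page) to apply to the keying material the RADIUS server returns. The RFC’s own section 4.1 test vector is used as constructed input; the 20-byte MACK, sized for an HMAC-SHA1 key, is not exercised here. The integrity check at the end of the unwrap is what turns a mismatched KEK into a clean failure rather than a garbage session key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 default initial value; unwrap recovers it only with the right KEK.
var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// AESKeyWrap wraps keyData (at least 16 bytes, a multiple of 8) under kek
// following RFC 3394 section 2.2.1; a 16-byte KEK selects AES-128.
func AESKeyWrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be at least 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	a := append([]byte(nil), defaultIV...)
	r := append([]byte(nil), keyData...) // R[1..n] kept contiguous
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Encrypt(buf, buf) // B = AES(K, A | R[i])
			t := uint64(n*j + i + 1)
			for k := 0; k < 8; k++ { // A = MSB(64, B) XOR t, t big-endian
				a[k] = buf[k] ^ byte(t>>(8*uint(7-k)))
			}
			copy(r[i*8:(i+1)*8], buf[8:]) // R[i] = LSB(64, B)
		}
	}
	return append(a, r...), nil
}

// AESKeyUnwrap inverts AESKeyWrap (RFC 3394 section 2.2.2) and rejects the
// result when the recovered IV is wrong, which is how a mismatched KEK shows up.
func AESKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be at least 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			for k := 0; k < 8; k++ { // B = AES-1(K, (A XOR t) | R[i])
				buf[k] = a[k] ^ byte(t>>(8*uint(7-k)))
			}
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[i*8:(i+1)*8], buf[8:])
		}
	}
	if !bytes.Equal(a, defaultIV) {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted data")
	}
	return r, nil
}

func main() {
	// Constructed inputs: the RFC 3394 section 4.1 vector stands in for a real
	// KEK ("config radius auth keywrap add hex ...") and a 128-bit session key.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := AESKeyWrap(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped: %X\n", wrapped) // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
	if _, err := AESKeyUnwrap(bytes.Repeat([]byte{0xFF}, 16), wrapped); err != nil {
		fmt.Println("mismatched KEK:", err)
	}
}
```

Run it with go run; the wrapped value printed is the RFC 3394 section 4.1 ciphertext, and the unwrap under a different KEK reports the integrity failure. When the controller and server disagree on the KEK this is the class of failure to expect: authentication completes but the client never derives a usable key.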

config radius auth mac-delimiter

To specify a delimiter to be used in the MAC addresses that are sent to the RADIUS authentication server, use the config radius auth mac-delimiter command.

config radius auth mac-delimiter { colon | hyphen | single-hyphen | none}

Syntax Description

colon

Sets a delimiter to a colon (for example, xx:xx:xx:xx:xx:xx).

hyphen

Sets a delimiter to a hyphen (for example, xx-xx-xx-xx-xx-xx).

single-hyphen

Sets a delimiter to a single hyphen (for example, xxxxxx-xxxxxx).

none

Disables the delimiter (for example, xxxxxxxxxxxx).

Command Default

The default delimiter is a hyphen.

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to specify a hyphen delimiter for the MAC addresses sent to the RADIUS authentication server:


(Cisco Controller) > config radius auth mac-delimiter hyphen
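
The mac-delimiter and callStationIdType settings only change the string the controller places in the Called-Station-Id attribute; the shared secret given to config radius auth add is what binds each request and reply to the server. The Go program below is an added example covering those three commands and is not code from this command reference or from Cisco: it formats an AP MAC address under each of the four delimiter keywords, builds the ap-macaddr-ssid form of Called-Station-Id (AP MAC address:SSID), assembles an Access-Request whose Message-Authenticator is HMAC-MD5 keyed with the shared secret (RFC 3579 section 3.2), and checks an Access-Accept’s Response Authenticator (RFC 2865 section 3) the way a RADIUS client must before trusting it. The request authenticator, user name, SSID, MAC and secret are constructed values, and lowercase hex in the MAC string is an assumption.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// RFC 2865 / RFC 3579 code and attribute-type values used below.
const codeAccessRequest, codeAccessAccept, attrUserName, attrCalledStation, attrMessageAuth = 1, 2, 1, 30, 80

// FormatMAC renders a 6-byte MAC the way the mac-delimiter keywords describe
// it (colon, hyphen, single-hyphen, none); lowercase hex digits are assumed.
func FormatMAC(mac []byte, delimiter string) (string, error) {
	if len(mac) != 6 {
		return "", fmt.Errorf("MAC must be 6 bytes, got %d", len(mac))
	}
	h := hex.EncodeToString(mac)
	switch delimiter {
	case "none":
		return h, nil
	case "single-hyphen":
		return h[:6] + "-" + h[6:], nil
	case "colon", "hyphen":
		sep := map[string]string{"colon": ":", "hyphen": "-"}[delimiter]
		return strings.Join([]string{h[0:2], h[2:4], h[4:6], h[6:8], h[8:10], h[10:12]}, sep), nil
	}
	return "", fmt.Errorf("unknown mac-delimiter %q", delimiter)
}

// attr encodes one attribute as Type, Length (which covers these two bytes), Value.
func attr(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }

// packet lays out Code, Identifier, Length, Authenticator and the attributes.
func packet(code, id byte, auth [16]byte, attrs [][]byte) []byte {
	body := bytes.Join(attrs, nil)
	pkt := make([]byte, 20, 20+len(body))
	pkt[0], pkt[1] = code, id
	binary.BigEndian.PutUint16(pkt[2:], uint16(20+len(body)))
	copy(pkt[4:], auth[:])
	return append(pkt, body...)
}

// HMACMD5 is the keyed hash RADIUS uses for the Message-Authenticator attribute.
func HMACMD5(key, data []byte) []byte {
	m := hmac.New(md5.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// BuildAccessRequest appends a Message-Authenticator as the last attribute and
// fills it with HMAC-MD5(secret, packet with that field zeroed), RFC 3579 3.2.
func BuildAccessRequest(id byte, reqAuth [16]byte, secret []byte, attrs ...[]byte) []byte {
	pkt := packet(codeAccessRequest, id, reqAuth, append(attrs, attr(attrMessageAuth, make([]byte, 16))))
	copy(pkt[len(pkt)-16:], HMACMD5(secret, pkt))
	return pkt
}

// VerifyMessageAuthenticator is the server-side check for a request built as
// above; a request signed with a different shared secret fails and is dropped.
func VerifyMessageAuthenticator(secret, pkt []byte) bool {
	n := len(pkt)
	if n < 38 || pkt[n-18] != attrMessageAuth || pkt[n-17] != 18 {
		return false
	}
	zeroed := append(append([]byte(nil), pkt[:n-16]...), make([]byte, 16)...)
	return hmac.Equal(HMACMD5(secret, zeroed), pkt[n-16:])
}

// BuildResponse sets the Response Authenticator to
// MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3.
func BuildResponse(code, id byte, reqAuth [16]byte, secret []byte, attrs ...[]byte) []byte {
	pkt := packet(code, id, reqAuth, attrs)
	sum := md5.Sum(append(append([]byte(nil), pkt...), secret...))
	copy(pkt[4:], sum[:])
	return pkt
}

// VerifyResponse is the client-side check the controller performs before
// trusting a reply; a spoofed Access-Accept built without the secret fails it.
func VerifyResponse(secret []byte, reqAuth [16]byte, resp []byte) bool {
	if len(resp) < 20 {
		return false
	}
	sum := md5.Sum(bytes.Join([][]byte{resp[:4], reqAuth[:], resp[20:], secret}, nil))
	return hmac.Equal(sum[:], resp[4:20])
}

func main() {
	// Constructed inputs: a fixed request authenticator (real clients draw 16
	// random bytes per request) and the secret from the "add" example above.
	secret := []byte("admin")
	var reqAuth [16]byte
	copy(reqAuth[:], "0123456789abcdef")
	apMAC, _ := FormatMAC([]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, "hyphen")
	called := apMAC + ":corp-wifi" // ap-macaddr-ssid form: AP MAC address:SSID
	req := BuildAccessRequest(7, reqAuth, secret, attr(attrUserName, []byte("alice")), attr(attrCalledStation, []byte(called)))
	resp := BuildResponse(codeAccessAccept, 7, reqAuth, secret)
	fmt.Printf("Called-Station-Id=%s\nAccess-Request=%X\n", called, req)
	fmt.Println("server verifies request:", VerifyMessageAuthenticator(secret, req))
	fmt.Println("client verifies reply:", VerifyResponse(secret, reqAuth, resp))
	fmt.Println("reply verified with wrong secret:", VerifyResponse([]byte("wrong"), reqAuth, resp))
}
```

The last two printed lines are the point: the same reply verifies under the configured secret and fails under any other, which is why a secret mismatch between the controller and the server shows up as silently dropped packets rather than an explicit error. The Called-Station-Id string is only a label for the server’s policy; when the server’s rules match on it, the delimiter chosen here must agree with what the server expects.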

config radius auth management

To configure a default RADIUS server for management users, use the config radius auth management command.

config radius auth management index { enable | disable}

Syntax Description

index

RADIUS server index.

enable

Enables the server as a management user’s default RADIUS server.

disable

Disables the server as a management user’s default RADIUS server.

Command Default

None

Command History

Release Modification
7.6 This command was introduced in a release earlier than Release 7.6.

Examples

The following example shows how to configure a RADIUS server for management users:


(Cisco Controller) > config radius auth management 1 enable

config radius auth mgmt-retransmit-timeout