Network Access Server Identifier

Information About Network Access Server Identifier

The network access server identifier (NAS-ID) identifies the source of a RADIUS access request to the RADIUS server, which enables the server to choose a policy for that request. You can configure one on each WLAN profile, VLAN interface, or access point group. The controller sends the NAS-ID to the RADIUS server in an authentication request so that the server can classify users into different groups and send a customized authentication response.


Note


The acct-session-id is sent with the RADIUS access request only when accounting is enabled on the policy profile.


If you configure a NAS-ID for an AP group, it overrides the NAS-ID that is configured for a WLAN profile or the VLAN interface. Similarly, if you configure a NAS-ID for a WLAN profile, it overrides the NAS-ID that is configured for the VLAN interface.

Starting with Cisco IOS XE Cupertino 17.7.1, a new NAS ID option named custom-string (custom string) is available.

The following options can be configured for a NAS ID:

  • sys-name (System Name)

  • sys-ip (System IP Address)

  • sys-mac (System MAC Address)

  • ap-ip (AP's IP address)

  • ap-name (AP's Name)

  • ap-mac (AP's MAC Address)

  • ap-eth-mac (AP's Ethernet MAC Address)

  • ap-policy-tag (AP's policy tag name)

  • ap-site-tag (AP's site tag name)

  • ssid (SSID Name)

  • ap-location (AP's Location)

  • custom-string (custom string)

Creating a NAS ID Policy (GUI)

Procedure


Step 1

Choose Configuration > Security > Wireless AAA Policy.

Step 2

On the Wireless AAA Policy page, click the name of the Policy or click Add to create a new one.

Step 3

In the Add/Edit Wireless AAA Policy window that is displayed, enter the name of the policy in the Policy Name field.

Step 4

Choose one of the NAS ID options from the Option 1 drop-down list.

Step 5

Choose one of the NAS ID options from the Option 2 drop-down list.

Step 6

Choose one of the NAS ID options from the Option 3 drop-down list.

Step 7

Save the configuration.


Creating a NAS ID Policy

Follow the procedure given below to create a NAS ID policy:

Before you begin

  • A NAS ID can be a combination of multiple NAS ID options; the maximum number of options is 3.

  • The maximum length of the NAS ID attribute is 253. Before adding a new attribute, the attribute buffer is checked, and if there is not sufficient space, the new attribute is ignored.

  • By default, a wireless aaa policy (default-aaa-policy) is created with the default configuration (sys-name). You can update this policy with various NAS ID options. However, the default-aaa-policy cannot be deleted.

  • If a NAS ID is not configured, the default sys-name is considered as the NAS ID for all wireless-specific RADIUS packets (authentication and accounting) from the controller.

  • Starting with Cisco IOS XE Cupertino 17.7.1, you can configure a custom string with various combinations of option1, option2 and option3 (nas-id option3 custom-string custom-string) as NAS ID in RADIUS packets.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless aaa policy policy-name

Example:

Device(config)# wireless aaa policy test

Configures a new AAA policy.

Step 3

nas-id option1 sys-name

Example:

Device(config-aaa-policy)# nas-id option1 sys-name 

Configures NAS ID for option1.

Step 4

nas-id option2 sys-ip

Example:

Device(config-aaa-policy)# nas-id option2 sys-ip 

Configures NAS ID for option2.

Step 5

nas-id option3 sys-mac

Example:

Device(config-aaa-policy)# nas-id option3 sys-mac 

Configures NAS ID for option3.

Attaching a Policy to a Tag (GUI)

Procedure


Step 1

On the Configuration > Tags & Profiles > Tags page, click the Policy tab.

Step 2

Click Add to view the Add Policy Tag window.

Step 3

Enter a name and description for the policy tag.

Step 4

Click Add to map WLAN profile and Policy profile.

Step 5

Choose the WLAN Profile to map with the appropriate Policy Profile, and click the tick icon.

Step 6

Click Save & Apply to Device.


Attaching a Policy to a Tag (CLI)

Follow the procedure given below to attach a NAS ID policy to a tag:

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile policy policy-name

Example:

Device(config)# wireless profile policy test1

Configures a WLAN policy profile.

Step 3

aaa-policy aaa-policy-name

Example:

Device(config-wireless-policy)# aaa-policy policy-aaa

Configures a AAA policy profile.

Step 4

exit

Example:

Device(config-wireless-policy)# exit

Returns to global configuration mode.

Step 5

wireless tag policy policy-tag

Example:

Device(config)# wireless tag policy policy-tag1

Configures a wireless policy tag.

Step 6

wlan wlan1 policy policy-name

Example:

Device(config-policy-tag)# wlan wlan1 policy test1

Maps a WLAN profile to a policy profile.

Note

 

You can also use the ap-tag option to configure a NAS ID for an AP group, which will override the NAS ID that is configured for a WLAN profile or the VLAN interface.
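An added example, not Cisco's code: a pre-deployment check in Python for a config snippet built from the commands in the two CLI procedures above. It flags NAS ID options outside the list on this page, option slots beyond option3, custom strings that are empty or cannot fit the 253-character attribute, and policy profiles whose aaa-policy names no defined policy. The sample config and the indentation-based block parsing are assumptions.

```python
import re
# NAS ID option keywords and limits as listed on this page.
NAS_ID_OPTIONS = set("sys-name sys-ip sys-mac ap-ip ap-name ap-mac ap-eth-mac "
                     "ap-policy-tag ap-site-tag ssid ap-location custom-string".split())
MAX_OPTIONS, MAX_NAS_ID_LEN = 3, 253
BUILTIN_POLICY = "default-aaa-policy"  # created by default per this page

def parse_blocks(config, header):
    """Map block name -> indented sub-commands for each `header <name>` block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        elif raw.startswith(header + " "):
            current = blocks.setdefault(raw[len(header):].strip(), [])
        else:
            current = None  # any other top-level line ends the block
    return blocks

def lint(config):
    """Return sorted findings for the NAS ID policies in a config snippet."""
    findings, policies = [], parse_blocks(config, "wireless aaa policy")
    for name, cmds in policies.items():
        for cmd in cmds:
            if not (m := re.fullmatch(r"nas-id option(\d+) (\S+)(?: (.*))?", cmd)):
                continue
            slot, opt, value = int(m.group(1)), m.group(2), m.group(3) or ""
            if not 1 <= slot <= MAX_OPTIONS:
                findings.append(f"{name}: option{slot} exceeds the {MAX_OPTIONS}-option limit")
            if opt not in NAS_ID_OPTIONS:
                findings.append(f"{name}: unknown NAS ID option '{opt}'")
            elif opt == "custom-string" and not 0 < len(value) <= MAX_NAS_ID_LEN:
                findings.append(f"{name}: custom-string must be 1..{MAX_NAS_ID_LEN} characters")
    for profile, cmds in parse_blocks(config, "wireless profile policy").items():
        for ref in (c.split(None, 1)[1] for c in cmds if c.startswith("aaa-policy ")):
            if ref not in policies and ref != BUILTIN_POLICY:
                findings.append(f"{profile}: AAA policy '{ref}' is not defined")
    return sorted(findings)

# Constructed sample config (not captured from a device).
SAMPLE = """wireless aaa policy test
 nas-id option1 sys-name
 nas-id option3 custom-string site-A
wireless aaa policy guest
 nas-id option1 ap-hostname
 nas-id option4 ssid
wireless profile policy test1
 aaa-policy policy-aaa
"""
```

Calling `lint(SAMPLE)` returns three findings: two for the `guest` policy and one for the `test1` profile, whose `aaa-policy` reference does not resolve.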

Verifying the NAS ID Configuration

Use the following show command to verify the NAS ID configuration:

Device# show wireless profile policy detailed test1 

Policy Profile Name           : test1
Description                   :
Status                        : ENABLED
VLAN                          : 1
Client count                  : 0

:
:
AAA Policy Params
  AAA Override                : DISABLED
  NAC                         : DISABLED
  AAA Policy name             : test