Network Access Server Identifier

This chapter explains how to configure and apply NAS-ID attributes for wireless RADIUS authentication using GUI and CLI, map AAA policies to tags or WLANs, and verify NAS-ID settings for accurate policy selection.

Network Access Server Identifier (NAS-ID)

A network access server identifier (NAS-ID) is a RADIUS attribute that

  • identifies the source device, WLAN profile, VLAN interface, or AP group initiating a RADIUS access request

  • enables the RADIUS server to apply appropriate authentication and policy selection, and

  • supports customized policy enforcement based on user groups or device types.

The NAS-ID is sent to the RADIUS server by the controller through an authentication request to classify users to different groups. This enables the RADIUS server to send a customized authentication response.

Starting with Cisco IOS XE Cupertino 17.7.1, a new string named custom-string (custom string) is available.


Note

The acct-session-id is sent with the RADIUS access request only if accounting is enabled on the policy profile.

If you configure a NAS-ID for an AP group, it overrides the NAS-ID that is configured for a WLAN profile or the VLAN interface. Similarly, if you configure a NAS-ID for a WLAN profile, it overrides the NAS-ID that is configured for the VLAN interface.

These options can be configured for a NAS ID:

  • sys-name (System Name)

  • sys-ip (System IP Address) and sys-mac (System MAC Address)

  • ap-ip (AP's IP address) and ap-name (AP's Name)

  • ap-mac (AP's MAC Address)

  • ap-eth-mac (AP's Ethernet MAC Address)

  • ap-policy-tag (AP's policy tag name)

  • ap-site-tag (AP's site tag name)

  • ssid (SSID Name) and ap-location (AP's Location)

  • custom-string (custom string)

Create a NAS ID policy (GUI)

Configure a NAS ID policy that defines how network access server identifiers are applied within your wireless AAA policy using the GUI.
Creating a NAS ID policy ensures correct identification and handling of wireless authentication requests. This is typically performed when setting up or modifying wireless AAA policies.

Procedure

Step 1

Choose Configuration > Security > Wireless AAA Policy.

Step 2

On the Wireless AAA Policy page, click the name of the Policy or click Add to create a new one.

Step 3

In the Add/Edit Wireless AAA Policy window that is displayed, enter the name of the policy in the Policy Name field.

Step 4

Select from one of the NAS ID options from the Option 1 drop-down list.

Step 5

Select from one of the NAS ID options from the Option 2 drop-down list.

Step 6

Select from one of the NAS ID options from the Option 3 drop-down list.

Step 7

Save the configuration.

Create a NAS ID policy (CLI)

Create and configure a NAS ID policy for wireless RADIUS authentication and accounting using commands.

Follow the procedure given below to create NAS ID policy:

Before you begin

  • A NAS ID can combine up to a maximum of three options.

  • The maximum length of the NAS ID attribute is 253. Before adding a new attribute, the system checks the attribute buffer. If there is not enough space, the system ignores the new attribute.

  • By default, a wireless aaa policy (default-aaa-policy) is created with the default configuration (sys-name). You can update this policy with various NAS ID options. However, the default-aaa-policy cannot be deleted.

  • If you do not configure a NAS ID, the system uses the default sys-name as the NAS ID for all wireless-specific RADIUS packets (authentication and accounting) from the controller .

  • Starting with Cisco IOS XE Cupertino 17.7.1, you can configure a custom NAS ID string using combinations of option1, option2, and option3 ( nas-id option3custom-stringcustom-string ) for RADIUS packets.

Procedure

Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a new AAA policy.

Example:

Device(config)# wireless aaa policy policy-name

Step 3

Configure NAS ID for option1.

Example:

Device(config-aaa-policy)# nas-id option1 sys-name

Step 4

Configure NAS ID for option2.

Example:

Device(config-aaa-policy)# nas-id option2 sys-ip

Step 5

Configure NAS ID for option3.

Example:

Device(config-aaa-policy)# nas-id option3 sys-mac

Attach a policy to a tag (GUI)

Map a policy to a tag for consistent network device configuration using the GUI.
Attach a predefined policy to a tag to apply specific settings or profiles across selected devices.

Before you begin

Procedure

Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

Click Add and enter a name for the new policy, for example, test1, in the General tab.

Step 3

Click the Advanced tab, and under AAA Policy, from the Policy Name drop-down list, select the policy name that you had created in the General tab.

Step 4

Click Apply to Device.

Step 5

Choose Configuration > Tags & Profiles > Tags > Policy.

Step 6

Click Add to view the Add Policy Tag window.

Step 7

Enter a name and description for the policy tag.

Step 8

Click Add to map WLAN profile and policy profile.

Step 9

Choose the WLAN Profile to map with the appropriate Policy Profile, and click the tick icon. Click Save & Apply to Device.

Attach a policy to a tag (CLI)

Configure and attach a NAS ID policy to a wireless policy tag using commands.

Follow the procedure given below to attach a NAS ID policy to a tag:

Procedure

Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a WLAN policy profile.

Example:

Device(config)# wireless profile policy policy-name

Step 3

Configure a AAA policy profile.

Example:

Device(config-wireless-policy)# aaa-policy aaa-policy-name

Step 4

Return to the global configuration mode.

Example:

Device(config-wireless-policy)# exit

Step 5

Configure a wireless policy tag.

Example:

Device(config)# wireless tag policy policy-tag

Step 6

Map a WLAN profile to a policy profile.

Example:

Device(config)# wlan wlan1 policy policy-name

Note

 

You can also use the ap-tag option to configure a NAS ID for an AP group. This NAS ID overrides the NAS ID configured for a WLAN profile or VLAN interface.

Verify the NAS ID configuration

Use this show command to verify the NAS ID configuration: 

Device# show wireless profile policy detailed test1 

Policy Profile Name           : test1
Description                   :
Status                        : ENABLED
VLAN                          : 1
Client count                  : 0

:
:
AAA Policy Params
  AAA Override                : DISABLED
  NAC                         : DISABLED
  AAA Policy name             : test