To add users to the WLC local user database, use the following steps:
1. From the Organizer pane, select a WLC.
2. Under AAA, select Local Users Database.
3. In the Configuration panel, you can view entries in the following categories:
   Users
   User Groups
   MAC Users
   MAC User Groups
4. For existing entries in RingMaster, you can highlight them in the list and click Properties.
5. To add a user to the Local User Database, click Create User.
6. Enter a unique name and password for the user. If you have users with common attributes, you can add them to a User Group.
7. Configure the Password Expiration Time (Hours). The range is from 0 to 3600 hours; the default value is 0.
8. Click Next.
9. From the VLAN Name list, select a VLAN for user access.
Optional Authorization Attributes
10. You can also configure optional Authorization Attributes. The attributes, with their descriptions and allowed values, are listed below.

end-date
  Description: Date and time after which the user is no longer allowed to be on the network.
  Value: Date and time, in the format YY/MM/DD-HH:MM. You can use end-date alone or with start-date. You can also use start-date, end-date, or both in conjunction with time-of-day.

ssid
  Description: SSID the user is allowed to access after authentication.
  Value: Name of the SSID for the user. The SSID must be configured in a service profile, and the service profile must be used by a radio profile assigned to Trapeze radios in the Mobility Domain.

termination-action
  Description: The type of action taken to terminate a client on the network.
  Value: One of the following:
    0 (Disconnect)
    1 (Re-authentication)

idle-timeout
  Description: The length of time that a client can be idle on the network before it is automatically disconnected from the network.
  Value: Number between 180 and 86400 seconds, with a default value of 3600.

filter-id
  Description: Security access control list (ACL) that permits or denies traffic received (input) or sent (output) by the WLC.
  Value: Name of an existing security ACL, up to 32 alphanumeric characters, with no tabs or spaces. Use acl-name.in to filter traffic that enters the WLC from users via an MP access port or wired authentication port, or from the network via a network port. Use acl-name.out to filter traffic sent from the WLC to users via an MP access port or wired authentication port, or from the network via a network port.
  Note: If the Filter-Id value returned through the authentication and authorization process does not match the name of a committed security ACL on the WLC, the user fails authorization and is unable to authenticate. Commit the ACL before assigning it: a mistyped name locks the user out rather than admitting the user unfiltered.

time-of-day
  Description: Day(s) and time(s) during which the user is permitted to log into the network. After authorization, the user's session can last until either the Time-Of-Day range or the Session-Timeout duration (if set) expires, whichever is shorter.
  Note: Time-Of-Day is a Trapeze vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 4.
  Value: One of the following:
    never: Access is always denied.
    any time: Access is always allowed.
    Enter Days: Access is allowed on specific days and hours. Specify one or more ranges, each consisting of a day designation (required) and a time range in hhmm-hhmm 4-digit 24-hour format (optional). The day designations are:
      mo: Monday
      tu: Tuesday
      we: Wednesday
      th: Thursday
      fr: Friday
      sa: Saturday
      su: Sunday
      wk: any day from Monday through Friday
    Separate values or a series of ranges (except time ranges) with commas (,) or a vertical bar (|). Do not use spaces. The maximum length is 253 characters.
    For example, to allow access only on Tuesdays and Thursdays between 10 a.m. and 4 p.m., specify:
      time-of-day tu1000-1600,th1000-1600
    To allow access only on weekdays between 9 a.m. and 5 p.m., and on Saturdays from 10 p.m. until 2 a.m., specify:
      time-of-day wk0900-1700,sa2200-0200
  Note: You can use time-of-day in conjunction with start-date, end-date, or both.

simultaneous-logins
  Description: The number of times that a user can log into the network from different locations.
  Value: Number from 1 to 1000, with a default value of 1.

start-date
  Description: Date and time at which the user becomes eligible to access the network. MSS does not authenticate the user unless the attempt to access the network occurs at or after the specified date and time, but before the end-date (if specified).
  Value: Date and time, in the format YY/MM/DD-HH:MM. You can use start-date alone or with end-date. You can also use start-date, end-date, or both in conjunction with time-of-day.

mobility-profile
  Description: Mobility Profile attribute for the user. (For more information, see Viewing Mobility Profiles.)
  Note: Mobility-Profile is a Trapeze vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 2.
  Value: Name of an existing Mobility Profile.
  Note: If the Mobility Profile feature is enabled and a user is assigned the name of a nonexistent Mobility Profile on the WLC, the user is denied access.

acct-interim-interval
  Description: Interval in seconds between accounting updates, if accounting is enabled and the Start-Stop record type is specified.
  Value: Select Enable Updates and then a number between 180 and 3,600 seconds, or 0 to disable periodic accounting updates. The WLC ignores the acct-interim-interval value and issues a log message if the value is below 60 seconds.
  Note: If both a RADIUS server and the WLC supply a value for the acct-interim-interval attribute, the value from the WLC takes precedence.

qos-profile
  Description: Assigns the user to a specific QoS profile.
  Value: Select the profile from the list of configured QoS Profiles.

url
  Description: URL to which the user is redirected after successful WebAAA.
  Value: Web URL, in standard format. For example: http://www.example.com
  Note: You must include the http:// portion.

service-type
  Description: Type of access the user is requesting.
  Value: Access type, which can be one of the following:
    2: Framed; for network user access.
    6: Administrative; for administrative access, with authorization to access the enabled (configuration) mode. The user must enter the enable command and the correct enable password to access the enabled mode.
    7: NAS-Prompt; for administrative access to the nonenabled mode only. In this mode, the user can still enter the enable command and the correct enable password to access the enabled mode.
  For administrative sessions, the WLC always sends 6. A RADIUS server can reply with one of the listed values. If the service-type is not set on the RADIUS server, administrative users receive NAS-Prompt access, and network users receive Framed access.
  Note: MSS quietly accepts Callback Framed, but you cannot select this access type in MSS.

user-name
  Description: User name to be displayed.
  Value: User name of up to 80 characters; it can contain numbers and special characters.
11. Click Finish to complete the configuration.
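The time-of-day, start-date and end-date values above form a small grammar, and the one thing the table leaves implicit is how a given login attempt is judged against them (day expansion for wk, a sa2200-0200 range that crosses midnight, end-exclusive ranges, and the "whichever is shorter" rule against Session-Timeout). The following is an added example written for this page, not RingMaster or MSS code: the string formats are taken from the table, while the evaluation rules (end-exclusive windows, no merging of adjacent windows) are this editor's assumptions about how the WLC decides, so treat its verdicts as a pre-flight check on attribute values rather than a statement of MSS behaviour.

```python
import re
from datetime import datetime

# Day designations from the time-of-day Value column; "wk" expands to mo..fr.
DAY_CODES = {"mo": 0, "tu": 1, "we": 2, "th": 3, "fr": 4, "sa": 5, "su": 6}
MINUTES_PER_DAY = 24 * 60
MAX_LEN = 253  # maximum attribute length stated on the page
_RANGE = re.compile(r"^(\d{2})(\d{2})-(\d{2})(\d{2})$")


def _minutes(hh, mm):
    hh, mm = int(hh), int(mm)
    if hh > 23 or mm > 59:
        raise ValueError("hour must be 00-23 and minute 00-59")
    return hh * 60 + mm


def parse_time_of_day(spec):
    """Parse a time-of-day value into (weekday, start_min, end_min) windows.

    Returns "never" or "any time" unchanged.  A window whose end is earlier
    than its start (sa2200-0200) runs past midnight into the next day.
    """
    if spec in ("never", "any time"):
        return spec
    if len(spec) > MAX_LEN:
        raise ValueError("time-of-day exceeds 253 characters")
    if " " in spec:
        raise ValueError("spaces are not allowed in time-of-day")
    windows = []
    for item in spec.replace("|", ",").split(","):
        day, rng = item[:2], item[2:]
        if day == "wk":
            days = range(0, 5)  # Monday through Friday
        elif day in DAY_CODES:
            days = [DAY_CODES[day]]
        else:
            raise ValueError(f"unknown day designation in {item!r}")
        if rng == "":
            start, end = 0, MINUTES_PER_DAY  # no time range: the whole day
        else:
            m = _RANGE.match(rng)
            if not m:
                raise ValueError(f"time range must be hhmm-hhmm: {item!r}")
            start = _minutes(m.group(1), m.group(2))
            end = _minutes(m.group(3), m.group(4))
            if start == end:
                raise ValueError(f"empty time range: {item!r}")
        windows.extend((d, start, end) for d in days)
    return windows


def validate(spec):
    """None if the value is well formed, otherwise the error text."""
    try:
        parse_time_of_day(spec)
    except ValueError as exc:
        return str(exc)
    return None


def minutes_remaining(spec, when):
    """Minutes until the window containing `when` closes.

    0 means access is denied right now; None means unrestricted ("any time").
    Overlapping windows take the longest remaining; adjacent windows are not
    merged (assumption: the page does not say how MSS treats them).
    """
    windows = parse_time_of_day(spec)
    if windows == "never":
        return 0
    if windows == "any time":
        return None
    wd, now = when.weekday(), when.hour * 60 + when.minute
    best = 0
    for day, start, end in windows:
        if start < end:  # same-day window, end is exclusive (assumption)
            if day == wd and start <= now < end:
                best = max(best, end - now)
        elif day == wd and now >= start:  # evening half of an overnight window
            best = max(best, MINUTES_PER_DAY - now + end)
        elif (day + 1) % 7 == wd and now < end:  # morning half, next day
            best = max(best, end - now)
    return best


def permitted(spec, when):
    return minutes_remaining(spec, when) != 0


def parse_date(value):
    """start-date and end-date use YY/MM/DD-HH:MM."""
    return datetime.strptime(value, "%y/%m/%d-%H:%M")


def access_allowed(when, time_of_day="any time", start_date=None, end_date=None):
    """At or after start-date, before end-date, and inside a time-of-day window."""
    if start_date is not None and when < parse_date(start_date):
        return False
    if end_date is not None and when >= parse_date(end_date):
        return False
    return permitted(time_of_day, when)


def session_limit_seconds(spec, when, session_timeout=None):
    """Shorter of the remaining time-of-day window and Session-Timeout."""
    left = minutes_remaining(spec, when)
    if left == 0:
        return 0
    if left is None:
        return session_timeout
    return left * 60 if session_timeout is None else min(left * 60, session_timeout)
```

Run validate() over every time-of-day value before committing a user: the WLC's own handling of a malformed string is not documented here, and a value that parses as "no window" is indistinguishable from "never" to the user who cannot log in.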
Deleting an Existing User, User Group, MAC User, or MAC User Group
To delete existing users or user groups from the current configuration, select the name from the list and click Delete. The information is removed from the configuration.
The following attribute is also available in the Optional Authorization Attributes list:

encryption-type
  Description: Type of encryption required for access by the client. Clients that attempt to use an unauthorized encryption method are rejected.
  Note: Encryption-Type is a Trapeze vendor-specific attribute (VSA). The vendor ID is 14525, and the vendor type is 3.
  Value: One of the following numbers, which identifies an encryption algorithm:
    1: AES_CCM (Advanced Encryption Standard using Counter with CBC-MAC)
    4: TKIP (Temporal Key Integrity Protocol)
    8: WEP_104 (the default) (Wired Equivalent Privacy using a 104-bit key)
    16: WEP_40 (Wired Equivalent Privacy using a 40-bit key)
    32: NONE (no encryption)
    64: Static WEP
  In addition to these values, you can specify a sum of them for a combination of allowed encryption types. For example, to specify WEP_104 and WEP_40, use 24. Note that the default (8, WEP_104) permits only a cipher that is cryptographically broken; where the client population supports it, set 1 (AES_CCM) so that the user cannot associate with WEP, TKIP, or no encryption at all.
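Because encryption-type is configured as a sum, a value is easy to get wrong in both directions: 3 looks plausible but contains an undefined bit, and 33 quietly allows unencrypted association next to AES_CCM. The following added example (this editor's code, not Juniper's; the bit values and names come from the table above, while the "deprecated cipher" policy is an assumption of mine) decomposes a value into the ciphers it permits, rebuilds a value from a cipher set, checks whether a client's negotiated cipher would be accepted, and lints the value the way a reviewer would.

```python
# Bit values from the encryption-type Value column on this page.
ENCRYPTION_BITS = {
    1: "AES_CCM",
    4: "TKIP",
    8: "WEP_104",
    16: "WEP_40",
    32: "NONE",
    64: "Static WEP",
}
# Editor's policy (assumption, not from the page): RC4-based ciphers are deprecated.
DEPRECATED = {"TKIP", "WEP_104", "WEP_40", "Static WEP"}


def decode_encryption_type(value):
    """Set of cipher names a value permits.

    Values may be sums of the table's numbers (24 = WEP_104 + WEP_40), so the
    value is decomposed greedily from the largest bit down; anything left over
    (0, the undefined bit 2, values above 125) is rejected.
    """
    if not isinstance(value, int) or value <= 0:
        raise ValueError("encryption-type must be a positive integer")
    remaining, allowed = value, set()
    for bit in sorted(ENCRYPTION_BITS, reverse=True):
        if remaining >= bit:
            remaining -= bit
            allowed.add(ENCRYPTION_BITS[bit])
    if remaining:
        raise ValueError(f"{value} is not a sum of defined encryption-type values")
    return allowed


def encode_encryption_type(names):
    """Inverse of decode: the number to configure for a set of cipher names."""
    by_name = {name: bit for bit, name in ENCRYPTION_BITS.items()}
    return sum(by_name[name] for name in names)


def invalid_reason(value):
    """None if the value is a legal encryption-type, otherwise the error text."""
    try:
        decode_encryption_type(value)
    except ValueError as exc:
        return str(exc)
    return None


def client_accepted(value, client_cipher):
    """True if a client that negotiated client_cipher is allowed to associate."""
    return client_cipher in decode_encryption_type(value)


def lint(value):
    """Warnings a reviewer would raise about a user's encryption-type value."""
    allowed = decode_encryption_type(value)
    warnings = []
    if "NONE" in allowed:
        warnings.append("permits unencrypted association (NONE)")
    weak = sorted(allowed & DEPRECATED)
    if weak:
        warnings.append("permits deprecated ciphers: " + ", ".join(weak))
    if "AES_CCM" not in allowed:
        warnings.append("does not permit AES_CCM, so WPA2-CCMP clients are rejected")
    return warnings
```

lint(8) is the interesting case: the page's default value produces two warnings, because it both permits WEP_104 and rejects every client that only offers AES_CCM.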
Copyright © 2011, Juniper Networks, Inc.