Creating and Managing Wireless Authorization Profiles
Authorization profiles specify the access permission for authenticated users or devices.
Use the Manage Authorization Profiles page to create new wireless Authorization profiles and manage existing wireless Authorization profiles.
Managing Authorization Profiles
From the Manage Authorization Profiles page, you can:
Create a new wireless Authorization profile by clicking Add. For directions, see Creating a Wireless Authorization Profile.
Modify an existing Authorization profile by selecting it and clicking Edit.
Associate an Authorization profile to specific devices or clusters by selecting it and clicking Assign. For directions, see Assigning Wireless Authorization Profiles to Controllers.
Change the current assignment of an Authorization profile by selecting it and clicking Edit Assignment. For directions, see Assigning Wireless Authorization Profiles to Controllers.
View information about an Authorization profile, including the interfaces it is associated with, by clicking the profile name or by selecting the profile and clicking Details.
Delete an Authorization profile by selecting a profile and clicking Delete.
You cannot delete profiles that are in use—that is, assigned to objects or used by other profiles. To see the current assignments for an Authorization profile, select the Authorization profile and click Details.
Clone a profile by selecting a profile and clicking Clone.
Table 1 describes the information provided about Authorization profiles on the Manage Authorization Profiles page. This page lists all Authorization profiles defined for your network, regardless of the scope you selected in the network view.
Name given to the profile when the profile was created.
The device family on which the profile was created.
The VLAN profile associated with the Authorization profile. You specify a VLAN profile while creating an Authorization profile.
The VLAN pool associated with the Authorization profile. You can specify a VLAN pool while creating an Authorization profile.
The optional CoS profile associated with the Authorization profile.
Description of the profile that was entered when the profile was created.
Tip: To display the entire description, you might need to resize the Description column by clicking the column border in the heading and dragging it.
Displays the assignment state of the profile. A profile can be:
Date and time when the profile was created.
Last Updated Time
Date and time when the profile was last modified.
The username of the person who created or modified the profile.
All columns might not be displayed—this is configurable. To show or hide fields listed in the Manage Authorization Profiles table, click the down arrow on the field header, select Columns, and select or clear the check box adjacent to the field that you want to show or hide.
Creating a Wireless Authorization Profile
In Network Director, you can create a wireless Authorization profile with access permissions for either wireless users or devices. You can also link a VLAN profile and a CoS profile to the Authorization profile to ensure that each user session is assigned to an appropriate VLAN and gets the required class of service (CoS).
For an Authorization profile, you must specify the following:
A profile name
An associated VLAN Profile or VLAN pool profile
To create an Authorization profile for wireless users or devices:
- Under Views, select one of these options: Logical View, Location View, Device View or Custom Group View.
Do not select Dashboard View, Datacenter View, or Topology View.
- Click in the Network Director banner.
- In the Tasks pane, expand Wireless, expand Profiles, and then click Authorization.
The Manage Authorization Profiles page appears, displaying the list of currently configured wireless Authorization profiles.
- Click Add.
The Create Authorization Profile for Wireless page appears.
- Specify the settings as described in both the online help and in Specifying Settings for a Wireless Authorization Profile.
- Click Done to save the Authorization profile.
The system saves the Authorization profile and displays the Manage Authorization Profiles page. Your new or modified Authorization profile is listed in the table of Authorization profiles.
You will need this authorization profile to create a WLAN Service profile—for directions, see Creating and Managing a WLAN Service Profile.
Specifying Settings for a Wireless Authorization Profile
While creating an Authorization profile, you will have to specify a VLAN profile. Make sure that you have created a wireless VLAN profile before you attempt to create an Authorization profile. For directions, see Creating and Managing VLAN Profiles.
- Enter the settings described in Table 2 to create an Authorization profile. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.
Type a unique name that identifies the profile.
You can use up to 32 characters for profiles created for wireless devices. Profile name must not contain special characters or spaces. Note that profiles that are automatically created by Network Director as part of device discovery or out-of-band changes might contain the underscore (_) character.
Type a short description for the profile.
You can assign a VLAN profile or a VLAN pool profile to the selected controller. Enable either VLAN Profile or VLAN Pool. For directions, see Creating and Managing VLAN Profiles or Creating and Managing VLAN Pools.
Click the corresponding Select button and then select a VLAN profile or VLAN pool to include in the Authorization profile. When a VLAN profile or pool is applied to a port or a wireless access point, it is initiated when clients are connected and are authorized on the VLAN.
Click Select and then select an optional CoS profile to include in the Authorization profile.
CoS profiles let you group class of service parameters and apply them to one or more network sessions. You can configure policers, classifiers, scheduler maps, rewrite rules and a traffic-control profile within a CoS Profile. For directions, see Creating and Managing Wired CoS Profiles.
Select an mDNS Profile from the list for Apple TV, Internet printer, or Digital Audio Access Protocol (iTunes). mDNS Profiles are created by following the directions in Creating and Managing mDNS Profiles. For more information, see Understanding Bonjour.
Filters are computer programs that process and sort a data stream. For more information, see Understanding Filter Profiles.
Click Select and then select a Filter profile to filter traffic that enters the controller from users through an access port, from a wired authentication port, or from the network through a network port. For directions, see Creating and Managing Wired Filter Profiles.
Click Select and then select a Filter profile to filter traffic sent from the controller to users through an access port, from a wired authentication port, or from the network through a network port. For directions, see Creating and Managing Wired Filter Profiles.
Restrict the number of concurrent sessions that a user can have on the network by selecting the number of concurrent sessions for users of this Authorization profile.
Select the type of access that you want the users of the Authorization profile to have:
2 (Framed)—Select to grant network user access.
6 (Administrative)—Select to grant administrative access to the controller with authorization to access enabled (configuration) mode. The user must enter the enable command and the correct enable password to access enabled mode.
7 (NAS-Prompt)—Select to grant administrative access to non-enabled mode only. In this mode, a user cannot enter the enable command or the enable password to access the enabled mode.
To configure advanced settings, click Advanced Settings. To skip changing the default advanced settings and save the profile, click Done.
- Enter the advanced settings described in Table 3 to modify the default advanced settings for the Authorization profile.
User Idle Timeout
(default is 3600 seconds)
Specify the length of time that a user or device can remain idle before the controller disconnects the user or device.
(default is 180 seconds)
Specify the length of time a user or device can remain connected to the network before re-authenticating the session.
Select the action to be taken when the session expires:
0 (Disconnect)—Select to indicate that the session is to be terminated.
1 (Re-authenticate)—Select to indicate that the user or device must reauthenticate when the session expires.
Uniform Resource Locator (URL)
Specify the URL to which the user is to be redirected after successful authentication.
Use the following format: http://www.example.com
Accounting Interim Interval
Select Enable Updates to enable accounting updates for the Authorization profile.
Tip: Accounting updates are applicable only if you have enabled accounting and selected START-STOP as the record type in the corresponding Authentication profile.
Update Interval: If updates are enabled, you can modify the time in seconds between accounting updates.
Specify a value from 180 (default) through 3600 seconds.
Note: If both a RADIUS server and a controller supply a value for the Accounting Interim Interval, then the value from the controller takes precedence.
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. For more information, see Understanding Wireless Encryption and Ciphers.
Select the type of encryption supported for clients that use this Authorization profile. You can select a combination of encryption types. Clients who attempt to use an unauthorized encryption method are rejected. Network Director supports the following encryption types:
AES-CCMP—AES-CCMP (Advanced Encryption Standard using Counter with CBC-MAC) is the standard encryption protocol for use with the WPA2 standard and is much more secure than the TKIP protocol.
TKIP—TKIP (Temporal Key Integrity Protocol) is a security protocol used in the IEEE 802.11 wireless networking standard. It uses the same underlying mechanism as the original WEP encryption, and is consequently vulnerable to the same attacks as WEP.
None—No encryption is used.
Start and End Dates for Authorization
Select the date and 24-hour time from which users of this authorization profile are authorized to access the network.
Select the last date and 24-hour time that users of this authorization profile are authorized to access the network.
Time of Day Settings
Time of Day
Indicate the time of day the user is permitted to log in to the network. The default is Any and the other options are Never and Day.
- Click OK to save the advanced settings and close the Advanced Settings window.
- Click Done to save the authorization profile and add it to the Manage Authorization Profiles list.
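The following added example (not part of Network Director or of the original page) checks a planned Authorization profile against the limits and option values described in the settings above, and flags the choices that widen access: service type 6, TKIP, and no encryption. The dictionary keys and the sample profiles are assumptions made for illustration; Network Director does not define this format.

```python
import re

# Assumption: "no special characters or spaces" is read as letters and digits;
# underscore is tolerated because auto-created profiles may contain it.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
SERVICE_TYPES = {2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}
TERMINATION_ACTIONS = {0: "Disconnect", 1: "Re-authenticate"}
ENCRYPTION_TYPES = {"AES-CCMP", "TKIP", "None"}


def audit_profile(p):
    """Return (severity, message) findings for one profile dict (hypothetical schema)."""
    out = []
    if not NAME_RE.fullmatch(p.get("name", "")):
        out.append(("error", "name: 1-32 characters, no spaces or special characters"))
    # The page requires a VLAN profile or a VLAN pool, with only one enabled.
    if bool(p.get("vlan_profile")) == bool(p.get("vlan_pool")):
        out.append(("error", "vlan: set exactly one of VLAN profile or VLAN pool"))
    st = p.get("service_type")
    if st not in SERVICE_TYPES:
        out.append(("error", f"service_type: {st!r} is not 2, 6 or 7"))
    elif st == 6:
        out.append(("warn", "service_type: 6 (Administrative) allows enabled mode"))
    ta = p.get("termination_action")
    if ta is not None and ta not in TERMINATION_ACTIONS:
        out.append(("error", f"termination_action: {ta!r} is not 0 or 1"))
    enc = set(p.get("encryption", []))
    for unknown in sorted(enc - ENCRYPTION_TYPES):
        out.append(("error", f"encryption: unknown type {unknown!r}"))
    if "None" in enc:
        out.append(("warn", "encryption: None admits unencrypted clients"))
    if "TKIP" in enc:
        out.append(("warn", "encryption: TKIP is weaker than AES-CCMP"))
    # The update interval only matters when accounting updates are enabled.
    if p.get("accounting_updates"):
        interval = p.get("update_interval", 180)
        if not 180 <= interval <= 3600:
            out.append(("error", f"update_interval: {interval} outside 180-3600 s"))
    return out


# Constructed sample profiles, not exported from a real system.
GOOD = {"name": "corp_users", "vlan_profile": "vlan-corp", "service_type": 2,
        "encryption": ["AES-CCMP"], "accounting_updates": True, "update_interval": 300}
BAD = {"name": "guest wifi", "vlan_profile": "v1", "vlan_pool": "pool1",
       "service_type": 6, "encryption": ["TKIP", "None"],
       "accounting_updates": True, "update_interval": 60}

if __name__ == "__main__":
    for prof in (GOOD, BAD):
        print(prof["name"], audit_profile(prof))
```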
What To Do Next
After you have created an Authorization profile, you can:
Associate it with a WLAN profile. For directions, see Creating and Managing a WLAN Service Profile.
Assign it to one or more controllers. For directions, see Assigning Wireless Authorization Profiles to Controllers.