11.25. WiFi Command Reference

This command enters the radius-server configuration context under router or VPRN service.

This command either specifies an external RADIUS server in the corresponding routing instance or enters configuration context of an existing server. The configured server could be referenced in the radius-server-policy.

The no form of the command removes the parameters from the server configuration.

This command configures this server for Change of Authorization messages. The system will process the CoA request from the external server if configured with this command; otherwise the CoA request is dropped.

The no form of the command disables the command.

This command specifies the UDP listening port for RADIUS accounting requests.

The no form of the commands resets the UDP port to its default value (1813)

This command specifies the UDP listening port for RADIUS authentication requests.

The no form of the commands resets the UDP port to its default value (1812)

This command specifies radius-script-policy for CoA-Request sent from this RADIUS server.

The no form of the command removes the policy name from the configuration.

This command specifies the per-server maximum number of outstanding requests sent to the RADIUS server. If the maximum number is exceeded, the next RADIUS server in the pool is selected.

The no form of the command removes the limit value from the configuration.

This command context to configure RADIUS proxy parameters.

This command creates a RADIUS-proxy server in the corresponding routing instance. The proxy server can be configured for the purpose of proxying authentication or accounting or both.

If a WLAN-GW ISA group is specified, then the RADIUS proxy server is instantiated on the set of ISAs in the specified wlan-gw group. The RADIUS messages from the AP are load-balanced to these ISAs. The ISA that processes the RADIUS message then hashes this message to the ISA that anchors the UE. The hash is based on UE MAC address (required to be present in the calling-station-id attribute) in the RADIUS message.

If the create parameter is not specified, then this command enters configuration context of the specified RADIUS-proxy server.

The no form of the command removes the server-name and parameters from the radius-proxy configuration.

This command enables the context for selecting the RADIUS policy for authentication and accounting based on the RADIUS attribute. This feature is supported for both the ESM RADIUS proxy and the ISA RADIUS proxy.

This command matches the specified prefix or suffix string with the selected accounting server policy or authentication server policy.

This command specifies the RADIUS VSA type for the entries to be matched with.

This command enters the cache configuration context under radius-proxy server. The cache contains per-subscriber authentication information learned from RADIUS authentication messages, and is used to authorize subsequent DHCP requests.

This command specifies the default radius-server-policy for RADIUS accounting. This policy is used when there is no specific match based on username.

The no form of the command removes the policy name from the configuration.

This command specifies the default radius-server-policy for RADIUS authentication. This policy is used when there is no specific match based on username.

The no form of the command removes the policy name from the configuration.

This command configures the IP interface the RADIUS-proxy server will bind to. One RADIUS-proxy server could bind to multiple interfaces.

This command specifies the key used in calculating a hash to select an external RADIUS server from the pool of configured servers.

The key can be the source IP and source UDP port tuple, or the specified RADIUS attribute in RADIUS packets.

The no form of the command removes the parameters from the configuration.

This command specifies the Python policy used to change the RADIUS attributes of the different RADIUS messages.

The no form of the command removes the name from the configuration.

This command configures the shared secret key. The RADIUS client must have the same key to communicate with the RADIUS-proxy server.

The no form of the command removes the parameters from the configuration.

This command results in the system to always generate RADIUS accounting-response to acknowledge RADIUS accounting-request received from the RADIUS client.

The no form of the command disables the command.

This command specifies the RADIUS cache key that is used to match the information in subsequent DHCP requests for authorization.

This command configures the time for which the cache entry is kept if there is no corresponding DHCP DISCOVER. At the expiry of this time, the cache entry is deleted.

The no form of the command reverts to the default value.

This command specifies the type of RADIUS accounting packets from RADIUS client (a WIFI AP) that the router should track.

The no form of the command removes the parameters from the configuration.

This command specifies if RADIUS authentication (from the AP) should be tracked in order to update the ESM host with the RADIUS client (for example, WIFI AP) on UE mobility. It also specifies the authentication packet from RADIUS client (for example, a WIFI AP) that the router should track for mobility.

The no form of this command stops tracking authentication for UE mobility.

This command specifies the delete hold-time in case the DHCP host gets a trigger to delete from the matched RADIUS Proxy server.

The no form of the command reverts to the default.

This command enables the context to configure a local user database.

The no form of the command removes the local user database name from the configuration.

This command configures DHCP host parameters.

This command enables the context to configure DHCP host parameters.

This command enables the context to configure match-radius-proxy-cache parameters.

This command specifies the router’s action when failed to find matched radius-proxy-server cache entry.

The no form of the command reverts to the default.

This command specifies the format of MAC address used for matching incoming DHCP DISCOVER against the RADIUS proxy cache.

The no form of the command reverts to the default.

This command specifies the field/option of DHCP packet that is used to match against the radius-proxy-server cache.

The no form of the command reverts to the default.

This command specifies the name of radius-proxy-server and optionally id of the service that the radius-proxy-server resides in.

The no form of the command removes the parameters from the configuration.

This command creates a WLAN GW group that contains a set of ISAs to be used in WLAN-GW functionality. A WLAN-GW group can also be used where a NAT group is expected. The WLAN-GW group ID shares the same number space with the NAT group.

At most, one WLAN-GW group may be configured.

The optional redundancy parameter determines the provisioning and redundancy mode.

The no form of this command removes the group.

This command specifies the number of WLAN-GW IOMs used as active IOMs from the total number of configured WLAN-GW IOMs. If there are more configured IOM than active-iom-limit, then the remaining number of IOMs is designated as backup(s).

The no form of the command removes the number from the configuration.

This command specifies how many ISAs may be in active use by the WLAN-GW group at the same time. If the maximum number of active ISAs is reached and more ISAs are added to the group, the new ISAs are considered to be in standby mode.

The no form of this command removes the limit on the maximum number of active ISAs.

This command configures the WLAN gateway distributed subscriber management.

This command configures an ISA application assurance group for WLAN gateway DSM subscribers.

This command designates the specified IOM as a WLAN-GW IOM. Each WLAN-GW IOM must be provisioned with two ISA-BB modules on a hardware chassis and with an ISA-BB module in the first MDA slot in the VSR.

The no form of the command removes the IOM from the configuration.

This command enables an ISA for WLAN-GW functionality.

The no form of this command removes the ISA from the WLAN-GW configuration.

This command enables the context to configure NAT parameters under wlan-gw-group.

This command configures the RADIUS accounting policy to use for each MDA in this ISA group.

The no form of the command removes the accounting policy from the configuration.

This command configures the ISA NAT group session limits.

This command configures the number of sessions per block that is reserved for prioritized sessions.

The no form of the command reverts to the default.

This command configures the ISA NAT group watermarks.

The no form of the command reverts to the default.

This command suppresses the generation of Large Scale NAT (LSN) events when RADIUS accounting is enabled.

By default, only one logging facility for tracking subscribers in LSN44, DS-lite, and NAT64 can be enabled at the time, either the SR OS event logging facility or the RADIUS logging facility. Note that SR OS event logs can be sent to multiple destinations, such as the console session, a telnet or SSH session, memory logs, file destinations, SNMP trap groups, and syslog destinations.

If RADIUS logging is enabled, the NAT logs are sent to the RADIUS destination and the NAT logs are suppressed in the SR OS event logging facility, for example, NAT logs are not sent to the syslog server.

If RADIUS logging is disabled, the NAT logs are sent to the SR OS event logging facility, for example, syslog, assuming that the events are enabled via the SR OS event-control (config> log>event-control nat event generate).

The no form of the command, the NAT logs can be sent to both logging facilities simultaneously, the SR OS event logging facility and RADIUS logging facility.

This command suppresses the tmnxNatLsnSubBlksFree summary notification and use the tmnxNatPlBlockAllocationLsn notifications. When the SR OS node is in a state of excessive logging, the queue associated with the transmission of logs on the MS-ISA can become congested. This event further delays the generation of logs, and with this, further allocations and deallocations of NAT resources (port-blocks) is stalled until the queue is relieved of congestion. For example, an excessive logging state in the system can be caused by issuing a command to clear a large number of NAT subscribers where a large number of resources (port-blocks) are released at once.

The suppress-lsn-sub-blks-free command enables the generation of individual logs carried in event-id 2012 for every released port block regardless of the state of the transmission queue (whether congested or not). If NAT subscribers have a large number of allocated port blocks (this could be hundreds of port blocks per subscriber), generating individual logs per port-block release contributes to the congestion.

To alleviate transmission queue congestion, this behavior can be changed by disabling this command (no suppress-lsn-sub-blks-free). This causes the suppression of logs related to the release of individual port blocks of a NAT subscriber when the transmission queue is congested. As a result, only a summarized release log via event-id 2021 for the subscriber is generated. The purpose of this new log is to inform the operator in a single message that all ports blocks for the subscriber are released. For example, the log message for LSN is “LSN subscriber all blocks freed”. The benefit of such summarization (or log aggregation) is to alleviate the congestion of the transmission queue and consequently accelerate resource releases. An effect is the decreased granularity of information.

If summarization is enabled (no suppress-lsn-sub-blks-free) while there is no logging congestion in the system, the port block releases continue to be logged individually via the event-id 2012 (assuming that this is enabled in the event control), except for the last port block of the subscriber. When the last port block is released, the log with event-id 2021 is generated indicating that all port blocks for the subscriber are now released without carrying the specific information about this last port block that is released.

This command enables the context to configure ISA watermark notifications.

This command enables a watermark notification. If the watermark is set, it generates a notification when the corresponding resource consumption goes above the high percentage. No additional notifications are sent until resource consumption goes under the low watermark, upon which, a notification is sent indicating the high watermark is no longer hit.

The no form of the command disables the watermark notification.

This command either creates a new port-policy with create parameter or enters the configuration context of an existing port-policy.

The no form of the command removes the port policy name from the configuration.

This command specifies the port-scheduler-policy to use in the egress direction for the internal port connecting the WLAN-GW IOM to the MS-ISA.

The no form of the command removes the policy from the configuration.

This command creates a group interface. This interface is designed for triple-play services where multiple SAPs are part of the same subnet. A group interface may contain one or more SAPs.

The no form of the command removes the group interface from the subscriber interface.

This command enables the context to configure wlan-gw parameters.

This command enables the context to configure vlan-to-retail-map parameters to map dot1Q tags to retail-service-id. The WIFI AP could insert a dot1Q tag in the Layer 2 frame within the GRE tunnel to indicate the retail service provider for the subscriber.

This command creates or enters the context of specified VLAN range for configuration applicable to that range of VLANs.

This command enables initial authentication (when there is no state for the UE on the ISA), to be triggered by DHCP DISCOVER or REQUEST. The default behavior s authentication based on first Layer 3 packet.

The no form of the command reverts to the default.

This command enables the context to create configuration for authenticating a user from the WLAN-GW ISA.

This command specifies authentication policy configured under aaa context for authenticating users on WLAN-GW ISA.

The no form of the command removes the policy-name from the configuration.

This command configures the minimum time that a user is held down after a failed authentication attempt.

The no form of the command reverts to the default.

This command configures the timeout value for the RADIUS proxy cache if a packet is received with a non-matching VLAN tag. The new timeout value is the lesser of the vlan-mismatch-timeout value and the currently remaining proxy cache timeout value.

The no form of the command disables the timeout behavior. The cache timeout value will remain unchanged.

This command enables the context to configure distributed-sub-mgmt configuration per vlan-range. This also includes vlan-range default, which makes this configuration applicable to the wlan-gw group-interface.

This command specifies the isa-radius-policy used for accounting messages originated from the ISAs in the wlan-gw group. The policy can specify up to five accounting servers and configuration-specific to these accounting servers. It also specifies configuration specific to RADIUS client on ISAs and RADIUS attributes to be included in accounting messages.

This command enables the interim accounting and specifies the interim accounting interval.

This command enables Application Assurance account statistics collection.

This command configures the default application profile.

This command configures an IP filter that is distributed on ISA cards.

This command specifies the IP filter applied to all UEs corresponding to default vlan-range (such as a group-interface) or the specified vlan-range. The IP filter can be created in the config>subscr-mgmt>isa-filter context, and can contain up to 1024 match entries. The IP filter can be overridden per UE from RADIUS via access-accept or COA.

The no form of the command reverts to the default.

This command specifies the egress policer applied to all UEs corresponding to default vlan-range (such as, group-interface) or the specified vlan-range. The policer can be created in the config>subscr-mgmt>isa-policer context. The egress policer can be overridden per UE from RADIUS via access-accept or COA.

The no form of the command reverts to the default.

.This command specifies the ingress policer applied to all UEs corresponding to default vlan-range (such as group-interface) or the specified vlan-range. The policer can be created in the config>subscr-mgmt>isa-policer context. The ingress policer can be overridden per UE from RADIUS via access-accept or COA.

The no form of the command reverts to the default.

This command enables one-time http-redirect to specified redirect URL for traffic matching the specified destination port.

The no form of the command reverts to the default.

This command specifies the id of default retail service if there is no match found in VLAN to retail map configuration (specified by the vlan command). For DSM and migrant, this command is only applicable for non-NAT stacks.

This command creates a mapping from a range of VLANs (appearing in the wlan-gw encapsulated Layer 2 frame) to a retail service ID.

The no form of the command removes the parameters from the configuration.

This command specifies the ID of the wlan-gw-group that the wlan-gw gateway binds to.

The no form of the command removes the value from the wlan-gw configuration.

This command specifies the maximum size of frames on this group-interface. Packets larger than this will get fragmented.

The no form of the command removes this functionality.

This command enables the context to configure parameters that can be applied to automatically-generated internal SAPs.

This command configures the anti-spoof type of the SAP.

The type of anti-spoof filtering defines what information in the incoming packet is used to generate the criteria to lookup an entry in the anti-spoof filter table. The type parameter (ip-mac or nh-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.

The no form of the command reverts to the default.

This command enables the context to configure subscriber management parameters.

The no form of the command removes the parameters from the configuration.

This command configures the default application profile.

The no form of the command removes the profile name from the configuration.

This command specifies a default SLA profile for this SAP. The SLA profile must be defined prior to associating the profile with a SAP in the config>subscr-mgmt>sla-profile context.

An SLA profile is a named group of QoS parameters used to define per service QoS for all subscriber hosts common to the same subscriber within a provider service offering. A single SLA profile may define the QoS parameters for multiple subscriber hosts. SLA profiles are maintained in two locations, the subscriber identification policy and the subscriber profile templates. After a subscriber host is associated with an SLA profile name, either the subscriber identification policy used to identify the subscriber or the subscriber profile associated with the subscriber host must contain an SLA profile with that name. If both the subscriber identification policy and the subscriber profile contain the SLA profile name, the SLA profile in the subscriber profile is used.

The no form of the command removes the default SLA profile from the SAP configuration.

This command configures the default subscriber ID. The default is used if no other source (like RADIUS) provides a subscriber identification string.

This command specifies a default subscriber profile. The subscriber profile must be defined prior to associating the profile with a SAP in the config>subscr-mgmt>sub-profile context.

A subscriber profile defines the aggregate QoS for all hosts within a subscriber context. This is done through the definition of the egress and ingress scheduler policies that govern the aggregate SLA for subscriber using the subscriber profile. Subscriber profiles also allow for specific SLA profile definitions when the default definitions from the subscriber identification policy must be overridden.

The no form of the command removes the default SLA profile from the configuration.

This command associates a subscriber identification policy. The subscriber identification policy must be defined in the config>subscr-mgmt>sub-ident-policy context.

Subscribers are managed by the system through the use of subscriber identification strings. A subscriber identification string uniquely identifies a subscriber. For static hosts, the subscriber identification string is explicitly defined with each static subscriber host.

For dynamic hosts, the subscriber identification string must be derived from the DHCP ACK message sent to the subscriber host. The default value for the string is the content of Option 82 CIRCUIT-ID and REMOTE-ID fields interpreted as an octet string. As an option, the DHCP ACK message may be processed by a subscriber identification policy which has the capability to parse the message into an alternative ASCII or octet string value.

When multiple hosts on the same port are associated with the same subscriber identification string they are considered to be host members of the same subscriber.

The no form of the command removes the default subscriber identification policy from the configuration.

This command enables the context to configure egress QoS parameters for wlan-gw tunnels.

This command defines the enforced aggregate rate for all queues associated with the agg-rate context. A rate must be specified for the agg-rate context to be considered to be active on the context’s object (SAP, subscriber, Vport, and so on).

The no form of the command reverts to the default.

This command controls an HQoS aggregate rate limit. It is used in conjunction with the following parameter commands: rate, limit-unused-bandwidth, and queue-frame-based-accounting.

The no form of the command removes the rate from the configuration.

This command configures the time for which egress shaping resources associated with a wlan-gw tunnel are held after the last subscriber on a tunnel is deleted.

This command configures the identifier of the egress QoS policy associated with each wlan-gw tunnel of this interface.

The no form of the command removes the policy ID from the configuration.

This command configures the identifier of the egress scheduler policy associated with each wlan-gw tunnel of this interface.

The no form of the command removes the scheduler policy name from the configuration.

This command enables the egress shaping is only enabled for a wlan-gw tunnel while there are multiple UE (User Equipment) using it.

The no form of the command disables the egress shaping.

This command configures the granularity of the egress shaping for wlan-gw on this group interface.

The no form of the command removes the parameter from the configuration.

This command specifies gateway endpoint address for the wlan-gw tunnel.

The no form of the command removes the value from the wlan-gw configuration.

This command specifies a gateway IPv6 endpoint address for the wlan-gw tunnel.

The no form of the command removes the IPv6 the gateway IPv6 endpoint address for the wlan-gw tunnel.

This command enables the sending of ARP or ND packets on the wlan-gw GRE tunnel upon certain events. The target IP address in the ARP/ND packet is the endpoint IP address of the AP. The ARP/ND response from the AP should contain the AP MAC, which subsequently can be reported in called-station-id. When enabled this is sent for following events:

This configuration is ignored for l2-ap and l2tpv3 access.

This command enables the context to configure Layer 2 Access Points in WLAN Gateway Group-Interfaces.

This command adds a specific SAP where Layer-2 WLAN-GW aggregation is performed. The following SAPs are supported.

This command can be repeated multiple times to create multiple Layer-2 access points.

The no form of the command removes the Layer-2 access point. This is only allowed if the l2-ap SAP is shutdown.

If different from default, this command overrides the value specified by l2-ap-encap-type on wlan-gw level. See the description of l2-ap-encap-type for more detail. This value can only be changed while the l2-ap is shutdown.

The no form of the command sets the default value.

This command specifies which SAP parameter template should be applied to the l2-ap SAP. This can only be changed when the l2-ap is shutdown.

The no form of the command removes the template, the SAP will use default parameters.

This command administratively enables this SAP to begin accepting Layer 2 packets for WIFI offloading.

The no form of the command disables this SAP.

This command configures the contents of the auto-generated subscriber ID when the ipoe-sub-id-key command is set to include sap-id and the def-sub-id command is configured with use-auto-id. The VLANs must be configured so that the subscriber ID length is not exceeded.

This command can include either the SAP or the SAP + AP delimiting tags.

The no form of the command reverts to the default configuration.

This parameter specifies the number of AP identifying VLAN tags for an AP. This is the default value that can be overridden per SAP. This value should at least be equal to the number of VLANs configured in the SAP or enabling a SAP will fail.

A SAP VLAN is explicitly configured, for example l2-ap 1/1/1:25. Other VLANs on the same port can still be used in other contexts.

The number of VLAN tags Epiped to WLAN-GW IOM equal the l2-ap-encap-type minus the encaps of the SAP. Upon receipt of a packet these VLANs is stored as a Layer 2 tunnel identifier, and are only used in context of WLAN-GW.

The no form of the command sets the default value.

This command enables the context to configure mobility parameters.

This command configures the minimum time that a User Equipment is held associated with its current Access Point (AP) before being associated with a new AP.

The hold time is used to prevent overwhelming the system with mobility triggers, by limiting the rate at which a UE can move from one AP to another while the system is very busy already.

This command enables mobility within different VLANs of the same range. When enabled, mobility between different VLANs in a single vlan-range is allowed for the configured mobility triggers.

The no form of this command disables mobility between VLANs.

This command specifies the type of packet used as a mobility trigger.

The no form of the command removes the parameters from the configuration and disables data-plane mobility.

This command enables terminating multiple types of tunnels.

The no form of the command disables terminating multiple types of tunnels.

no multi-tunnel-type

This command operationally brings down the WLAN-GW group if the total number of operational WLAN-GW IOMs in the WLAN-GW group fall below the configured number of active WLAN-GW IOMs. This triggers withdrawal of the route to tunnel endpoint and subscriber subnets in routing.

This command specifies the routing instance that wlan-gw gateway endpoint resides in.

The no form of the command removes the value from the wlan-gw configuration.

This command configures the TCP Maximum Segment Size (MSS) adjustment for the wlan-gw gateway.

The no form of the command disables adjusting tcp-mss values.

For DSM, this only applies to packets sent in the downstream direction (TCP SYN towards UE). For the upstream direction, it is also required to configure MSS adjust under the applicable NAT-policy.

This command enables the context to configure tunnel encapsulation parameters.

This command specifies when this system will learn the cookie from L2TP tunnels terminating on this interface. Learning the cookie means that the value of the octets 3-8 of the cookie is interpreted as an access point’s MAC address, and used as such, for example in the Called-Station-Id attribute of RADIUS Interim-Update messages.

This command configures the retailer service.

This command configures IPv6 router advertisements for this group-interface.