Assigning Authorization Attributes 493
To change the value of an authorization attribute, reenter the command
with the new value.
To assign an authorization attribute to a user’s configuration on a
RADIUS server, see the documentation for your RADIUS server.
Default Attributes to a Service Profile
You can configure a service profile with a set of default AAA
authorization attributes that are used when the normal AAA process or a
location policy does not provide them. These authorization attributes are
applied by default to users accessing the SSID managed by the service
Use the following command to assign an authorization attribute to a
service profile and specify its value:
set service-profile name attr attribute-name value
By default, a service profile contains no SSID default authorization
attributes. When specified, attributes in a service profile are applied in
addition to any attributes supplied for the user by the RADIUS server or
the local database. When the same attribute is specified both as an SSID
default attribute and through AAA, then the attribute supplied by the
RADIUS server or the local database takes precedence over the SSID
default attribute. If a location policy is configured, the location policy
takes precedence over both AAA and SSID default attributes. The SSID
default attributes serve as a fallback when neither the AAA process nor a
location policy provides them.
For example, a service profile might be configured with the service-type
attribute set to 2. If a user accessing the SSID is authenticated by a
RADIUS server, and the RADIUS server returns the vlan-name attribute
set to orange, then that user will have a total of two attributes set:
service-type and vlan-name.
If the service profile is configured with the vlan-name attribute set to
blue, and the RADIUS server returns the vlan-name attribute set to
orange, then the attribute from the RADIUS server takes precedence; the
user is placed in the orange VLAN.
You can display the attributes for each connected user and whether they
are set through AAA or through SSID defaults by entering the display
sessions network verbose command. You can display the configured
SSID defaults by entering the display service-profile command.
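
The precedence rules above, modeled as an added Python example (not code from this manual or from the product). The function names, the source labels, and the location-policy value red are assumptions made for illustration; the other sample values are the ones used in the text.

```python
# Added illustration of the attribute precedence described above.
# All names here are hypothetical; they are not CLI keywords or product APIs.

# Sources ordered from lowest to highest precedence, as the text states:
# SSID default < AAA (RADIUS server or local database) < location policy.
PRECEDENCE = ("ssid-default", "aaa", "location-policy")


def resolve_attributes(ssid_defaults, aaa, location_policy=None):
    """Return {attribute: (value, source)} for one user session."""
    effective = {}
    layers = zip(PRECEDENCE, (ssid_defaults, aaa, location_policy or {}))
    for source, attrs in layers:
        for name, value in attrs.items():
            # A higher-precedence layer overwrites the same attribute;
            # attributes set by only one layer are simply added.
            effective[name] = (value, source)
    return effective


def fallback_attributes(effective, watched=("vlan-name",)):
    """Watched attributes that were supplied only by the SSID default.

    Useful when reviewing sessions: a user whose VLAN came from the
    fallback was not given one by AAA or by a location policy.
    """
    return sorted(
        name for name in watched
        if effective.get(name, (None, None))[1] == "ssid-default"
    )


if __name__ == "__main__":
    # Constructed sessions mirroring the two examples in the text,
    # plus a location-policy override and a pure-fallback case.
    cases = [
        ({"service-type": "2"}, {"vlan-name": "orange"}, None),
        ({"vlan-name": "blue"}, {"vlan-name": "orange"}, None),
        ({"vlan-name": "blue"}, {"vlan-name": "orange"}, {"vlan-name": "red"}),
        ({"vlan-name": "blue"}, {}, None),
    ]
    for defaults, aaa, policy in cases:
        eff = resolve_attributes(defaults, aaa, policy)
        print(eff, "fallback:", fallback_attributes(eff))
```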