Create a new auth server profile by unique name

post

https://de1.api.central.arubanetworks.com/network-config/v1alpha1/auth-servers/{name}

Auth Server profile.

Recent Requests

Time	Status	User Agent
Retrieving recent requests…

Loading…

Path Params

name

string

required

length ≤ 9999

The name of the Auth Server.

Query Params

object-type

string

LOCAL - To create local objects. SHARED - To create shared objects. Default - Defaults to SHARED if not provided

scope-id

string

Scope at which local object needs to be created. Mandatory if object-type = LOCAL. Should not be provided for object-type = SHARED.

device-function

string

Device function for which the local object needs to be created. Mandatory if object_type = LOCAL. Should not be provided for object_type = SHARED.

Body Params

auth-serverbody object

called-station-id

object

Configure this parameter to be sent with the RADIUS attribute Called Station ID for authentication and accounting requests. For AP, this API is applicable for
WLAN profile and AP port profile. For GW, this API is applicable for the authentication server profile. This feature is applicable for AP and GW.

acct-modifier

string

length between 1 and 80

Attributes modifier for accounting-request.
this field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA

acct-port

int32

0 to 65535

Defaults to 1813

Port number for accounting requests.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

admin-dn

string

length between 1 and 256

DN for the admin user who has read or search privileges across all of the entries in the LDAP database (the user does not need
write privileges but should be able to search the database and read attributes of other users in the database).
This field can be configured only when type is LDAP.

admin-password

string

length ≤ 9999

Password for the admin user.
this field can be configured only when type is LDAP.

allow-cleartext

boolean

Defaults to false

Allow unencrypted communication with LDAP server.
this field can be configured only when type is LDAP.

auth-modifier

string

length between 1 and 80

Attributes modifier for authentication-request.
this field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

auth-port

int32

0 to 65535

Port number for authentication requests.For CX, default auth-port for RADIUS Servers is 1812 and TACACS Servers is 49.
For CX and PVOS, this parameter cannot be modified.

auth-server-address

length ≤ 9999

IP address or FQDN of the Auth server. For CX and PVOS, auth-server-address is a mandatory parameter and can not be modified.

auth-throttle

boolean

Defaults to true

AP measures request-response times for each packet exchange. As the time taken approaches the timeout, AP throttles new transactions.

authentication-type

string

enum

Specifies authentication protocol which is used for communication with Auth servers.
If not specified, the global timeout value will be picked. This field can be configured only when type is TACACS OR RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

Show Details

CHAP	Use CHAP (non-standard) to authenticate user.
MSCHAPv2	Use MSCHAPv2 to authenticate user.
PAP	Use PAP to authenticate user.

Allowed:

base-dn

string

length between 1 and 256

DN name of the node which contains the entire user database to use.
this field can be configured only when type is LDAP.

chase-referrals

boolean

Defaults to false

LDAP Chase Referrals.
this field can be configured only when type is LDAP.

clearpass

boolean

Defaults to false

Host RADIUS server on ClearPass.

cppm-password-config

object

Group for CPPM password of the user

cppm-user-name

string

length between 1 and 64

User name of the ClearPass server to authenticate.
For CX, supported length is 2-64.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

deadtime

int32

1 to 1440

Defaults to 5

Configures a dead time interval for the authentication server. When two or more authentication servers are configured on the Instant AP and
a server is unavailable, the dead time configuratidetermines the duration for which the authentication server would be available if the server
is marked as unavailable. the default value is 5min. time range is 1-1440.

default-authenticated-role

string

length between 1 and 63

Assign default role for users after XML server
authorization.

description

string

length between 1 and 256

User description for Auth Server.

domain

string

length between 1 and 256

Windows domain name.
this field can be configured only when type is WINDOWS.

drp

object

Configure dynamic RADIUS proxy.

dynamic-authorization-enable

boolean

Defaults to false

Enable Dynamic Authorization.

dynamic-authorization-port

int32

0 to 65535

Configures the port number for sending AirGroup CoA, instead of the standard CoA port. The default value is 5999.

enable

boolean

Defaults to false

Enable Auth Server.

enable-ipv6

boolean

Defaults to false

Enable ipv6.

enable-radsec

boolean

Defaults to false

Enables RadSec for RADIUS data transport over TCP and TLS
This field can be configured only when type is RADIUS.
For CX and PVOS, this parameter cannot be modified.

event-timestamp-required

boolean

Defaults to false

Discard DAC request, if Event-Timestamp is not present
in DAC(Dynamic Authorization Client) request. This field can be configured only when type is RADIUS with radius-server-mode configured as COA_ONLY or AUTH_AND_COA.

filter

string

length between 1 and 256

Filter that should be applied to search of the user in the LDAP database.
this field can be configured only when type is LDAP

ipsec-ah

object

RADIUS server IPsec authentication parameters

ipsec-esp

object

RADIUS server IPsec authentication parameters

key-attribute

string

length between 1 and 256

The attribute that should be used as a key in search
for the LDAP server. This field can be configured only when type is LDAP

lower-case-mac-address

boolean

Defaults to false

Lower case MAC address.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

mac-address-delimiter

string

enum

MAC address delimiter.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

Show Details

COLON	XX:XX:XX:XX:XX:XX
COMMA	XX,XX,XX,XX,XX,XX
DASH	XX-XX-XX-XX-XX-XX
NONE	XXXXXXXXXXXX
OUI_NIC	XXXXXX-XXXXXX
PERCENT	XX%XX%XX%XX%XX%XX
SLASH	XX/XX/XX/XX/XX/XX

Allowed:

management-interface

boolean

Defaults to false

Out of Band management interface for the Auth server.

max-connection

int32

1 to 16

Defaults to 4

Maximum number of simultaneous non-admin connections to a LDAP server.
this field can be configured only when type is LDAP

max-retransmit-attempts

int32

0 to 255

Maximum number of retries sent to the server by the manager device(AP, GW and SW_CX) before the server is marked as down.
For AP, the default value is 3.
For CX, range is 0-5. If not specified, the global retry value will be picked.

msg-auth-required

boolean

Defaults to false

Enforcement of RADIUS message authenticator. if AP receives Access-Request/Access-Reject/Access-Challenge/CoA-Request/Disconnect-Request without message-authenticator present, the packet will be discarded.
For AP, this configuration is supported from 10.7.1.0.
this field can be configured only when type is RADIUS

name

string

length between 1 and 63

The name of the Auth Server.

nas-identifier

string

length between 1 and 253

NAS identifier to use in RADIUS packets.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

nas-ip-address

length ≤ 9999

The NAS IP address to be sent in RADIUS packets from that server.

port-access-keepalive

string

enum

Method to keep RadSec port-access tunnel active. Default value is status-server.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA and enable-radsec is set to true.

Show Details

STATUS_SERVER	Status-server messages are used for keeping RadSec port-access tunnel active
TCP_KEEPALIVE	TCP keep alive messages are used for keeping RadSec port-access tunnel active

Allowed:

preferred-conn-type

string

enum

Preferred Connection Type.
this field can be configured only when type is LDAP.

Show Details

CLEAR_TEXT	set preferred connection type as Clear-Text
LDAP_S	set preferred connection type as LDAP-S
START_TLS	set preferred connection type as START-TLS

Allowed:

radius-server-mode

string

enum

Defaults to AUTH_ONLY

Specifies the mode in which the RADIUS server is used.

AUTH_ONLY: Server is used only for authentication.
COA_ONLY: Server is used only for Change of Authorization (CoA).
AUTH_AND_COA: Server is used for both authentication and CoA.

Show Details

AUTH_AND_COA	RADIUS server is used for both authentication and CoA.
AUTH_ONLY	RADIUS server is used only for authentication.
COA_ONLY	RADIUS server is used only for Change of Authorization (CoA).

Allowed:

radsec-client-cert

string

length ≤ 9999

RADIUS Security Client Certificate Name.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA

radsec-est-cert-profile

string

length between 1 and 63

RADIUS Security Server Certificate Name.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

radsec-keepalive

string

enum

Defaults to TCP_KEEPALIVE

If there is no radius activity for more than 15 minutes, with status-server keepalive, CPPM doesn't terminate connection every 15 minutes, with tcp-keepalive , CPPM terminates the RADSEC connection after 15 minutes

Show Details

STATUS_SERVER	Status-server messages are used for keeping RadSec port-access tunnel active
TCP_KEEPALIVE	TCP keep alive messages are used for keeping RadSec port-access tunnel active

Allowed:

radsec-port

int32

0 to 65535

Defaults to 2083

Designates a RadSec port for RADIUS data transport
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA and enable-radsec is set to true.
For CX and PVOS, this parameter cannot be modified.

radsec-trusted-cacert-name

string

length ≤ 9999

RADIUS Security Trusted CA Cert Name.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA

radsec-trusted-servercert-name

string

length ≤ 9999

RADIUS Security Server Certificate Name.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

replay-protection

boolean

Defaults to false

Replay protection for DAC(Dynamic Authorization Client) requests
this field can be configured only when type is RADIUS and radius-server-mode is equal to COA_ONLY or AUTH_AND_COA.

rfc5176-enforcement-mode

string

enum

Defaults to STRICT

Enforcement mode of RFC5176.

Show Details

LOOSE	RFC enforcement is loose
STRICT	RFC enforcement is strict

Allowed:

rfc5997

string

enum

Defaults to NONE

When enabled, this parameter allows the Instant AP to send a status-server request to determine the actual status of the authentication or accounting server. This proves useful when there is a authentication or request time
rfc5997—RFC5997 support enabled for both authentication and accounting on the authentication server.
auth-only—RFC5997 support enabled for authentication only.
acct-only—RFC5997 support enabled for accounting only
no rfc5997—Disables RFC5997 support for the authentication server.

Show Details

ACCT_ONLY	Query Status of Acct RADIUS Servers.
AUTH_ONLY	Query Status of Auth RADIUS Servers.
NONE	Query Status of auth and accounting RADIUS Servers.

Allowed:

service-type

string

enum

Defaults to STANDARD

Change Service Type default value to framed.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA

Show Details

FRAMED	Change Service-Type default value to framed for 802.1x, CP and MAC auth.
STANDARD	Follow RFC, the default Service-Type for 802.1x is framed, for CP is Login, for mac is Call-Back.

Allowed:

session-authorization

boolean

Defaults to false

Enable TACACS+ authorization.
this field can be configured only when type is TACACS.

shared-secret-config

object

Group for auth-server shared key.

source-address

length ≤ 9999

Source IP address to use in messages to the Auth server

source-interface

int32

1 to 4094

Source VLAN Interface to use in messages to the Auth server
This field can be configured only when type is TACACS or RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

tcp-port

int32

0 to 65535

Defaults to 49

Port number used by the server.
This field can be configured only when type is TACACS

timeout

int32

1 to 255

Maximum time, in seconds, that the manager device(AP, GW and SW_CX) waits before timing out the request and resending it.
For CX, range is 1-60. If not specified, the global timeout value will be picked.
For AP, the default value of RADIUS and LDAP is 5, TACACS is 20.
This field can be configured only when type is TACACS, LDAP, or RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA

tls-initial-connection-timeout

int32

5 to 300

TLS Initial connection timeout (timeout for TLS handshake).
For CX, if not specified, the global TLS Initial connection timeout value will be picked.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA and enable-radsec is set to true.

tracking-enable

boolean

Defaults to false

Enable server tracking.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA or TACACS

tracking-method

string

enum

Tracking method of the server. Default value for tracking method is access-request.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA and enable-radsec is set to true.

Show Details

ACCESS_REQUEST	Track the server using access-request messages
STATUS_SERVER	Track the server using status-server messages
TCP_KEEPALIVE	Track the server using TCP keep-alive messages

Allowed:

tracking-mode

string

enum

Tracking mode of the server. Default value of tracking-mode is any.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA

Show Details

ANY	Track the server irrespective of its availability.
DEAD_ONLY	Track the server only if it is not reachable.

Allowed:

type

string

enum

Auth Server Type. AP support server types are RADIUS, LDAP, TACACS and XMLAPI.
CX supports server types RADIUS and TACACS. PVOS supports RADIUS and TACACS.
Type is a mandatory parameter for CX and PVOS and can not be modified.
GW supports RADIUS, TACACS, WINDOWS and LDAP

Show Details

LDAP	LDAP Server.
LOCAL	Local Internal Server for GW.
RADIUS	RADIUS Server.
RADSEC	RadSec Server.
RFC3576	Dynamic authorization Server.
TACACS	TACACS Server.
WINDOWS	Windows Server.
XMLAPI	XML API Server.

use-ip-for-calling-station-id

boolean

Defaults to false

Use IP for Calling Station Id.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

use-md5

boolean

Defaults to false

Use MD5 hash for cleartext password.
This field can be configured only when type is RADIUS with radius-server-mode configured as AUTH_ONLY or AUTH_AND_COA.

vrf

string

length ≤ 9999

VRF for the Auth server.
For CX, this parameter cannot be modified.

window-duration

int64

0 to 65535

Defaults to 300

Time window size in seconds.

window-type

string

enum

Defaults to POSITIVE

Acceptable time window type.

Show Details

PLUS_OR_MINUS	Sets the acceptable time-window value as PLUS OR MINUS
POSITIVE	Sets the acceptable time-window value as default PLUS

Allowed:

xmlapi-server-address

length ≤ 9999

XML SERVER Address.

xmlapi-server-key

string

length ≤ 9999

XML server key.

Responses

Language

Credentials

OAuth2

URL

Loading…

Response

Click Try It! to start a request and see the response here! Or choose an example:

application/json

200Successful Operation

400Bad Request

401Unauthorized Access

403Forbidden

404Not Found

406Not Acceptable

408Request Timeout

412Precondition Failed

429Rate limit exceeded

500Internal Server Error