Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Narrowed parameter tables


All other characters are used without interpreting them in any way. For examples, see default values.



called-format (format-string)

Format for the value of the Called-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default:II-II-II-II-II-II:S

calling-format (format-string)Format for the value of the Calling-Station-Id RADIUS attribute, in AP's messages to RADIUS servers. Default: AA-AA-AA-AA-AA-AA
interim-update (time interval)Interval at which to send interim updates about traffic accounting to the RADIUS server. Default: 5m
mac-caching (time interval | 'disabled')

Length of time to cache RADIUS server replies, when MAC address authentication is enabled.
This resolves issues with client device authentication timing out due to (comparatively high latency of RADIUS server replies.

Default value: disabled.

name (string)A unique name for the AAA profile. No default value.
nas-identifier (string) Value of the NAS-Identifier attribute, in AP's messages to RADIUS servers. Defaults to the host name of the device (/system/identity).
password-format (format-string)

Format for value to use in calculating the value of the User-Password attribute in AP's messages to RADIUS servers when performing MAC address authentication.

Default value: "" (an empty string).

username-format (format-string)

Format for the value of the User-Name attribute in APs messages to RADIUS servers when performing MAC address authentication.

Default value : AA:AA:AA:AA:AA:AA

Channel properties

Properties in this category specify the desired radio channel.



Take care when writing access list rules which reject clients. After being repeatedly rejected by an AP, a client device may start avoiding it.

Filtering parameters
allow-signal-out-of-range (time period)

Modifies the signal-range parameter to still match established connections for a given length of time, even if their signal is outside the specified range.

Default: 0s.

interface (interface|interface-list|'any')Match if connection takes place on the specified interface or interface belonging to specified list. Default: any.
mac-address (MAC address)Match if the client device has the specified MAC address. No default value.
mac-address-mask (MAC address)

Modifies the mac-address parameter to match if it is equal to the result of performing bit-wise AND operation on the client MAC address and the given address mask.

Default: FF:FF:FF:FF:FF:FF (i.e. client's MAC address must match value of mac-address exactly)

signal-range (min..max)Match if the strength of received signal from the client device is within the given range. Default: '-120..120'
ssid-regexp (regex)Match if the given regular expression matches the SSID.
time (start-end,days)Match during the specified time of day and (optionally) days of week. Default: 0s-1d

Action parameters
action (accept|reject|query-radius)

Whether to authorize a connection

  • accept - new connections are accepted, established connections are maintained
  • reject - new connections are rejected, established connections are interrupted
  • query-radius - new connections are accepted if MAC address authentication of the client's MAC address succeeds
passphrase (string)Override the default passphrase with given value. No default value.
radius-accounting (no|yes)Override the default RADIUS accounting policy with given value. No default value.

MAC address authentication