RADIUS port and VLAN based attributes automate switch configuration by applying settings received from the RADIUS server.
The Extreme-Dynamic-Config Vendor Specific Attribute (VSA) dynamically configures the following features:
VLAN Based Features
- IGMP Snooping
- DHCP Snooping
- Dynamic ARP Inspection (DAI)
Port Based Features
- IP Source Guard (IPSG)
- Simple Loop Prevention Protocol (SLPP) Guard
- Bridge Protocol Data Unit (BPDU) Guard
- Traffic Control (Wake on LAN - WoL)
- Custom Auto-Negotiation Advertisements
In an SPB environment, settings for VLAN based features are enabled on the platform VLANs associated with the I-SID received from the RADIUS server. If the I-SID received from the RADIUS server does not have a platform VLAN associated with it, settings are not applied. When a platform VLAN is then associated with the I-SID, EAP reauthentication is generated to apply the settings by bouncing a port, bouncing EAP on a port, or by using CoA Reauthenticate.
When a platform VLAN is removed from the I-SID, all applied dynamic settings for the VLAN are also removed.
When a port is configured in Multiple Host Single Authentication (MHSA) mode and VLAN based attributes are received from the RADIUS server, features enable on all VLANs containing the authentication port. If Flex-UNI is enabled on a port, features enable on all platform VLANs containing the authentication port.
When a port is configured in Multiple Host Multiple VLAN (MHMV) mode and VLAN based attributes are received from the RADIUS server, features enable on the default VLAN and on all VLANs containing the authentication port. If Flex-UNI is enabled on a port, features enable on any untagged I-SIDs and on all platform VLANs associated with the I-SID received from the RADIUS server.
Consider the following when you use port and VLAN based attributes:
- Configuring Custom Auto-Negotiation Advertisements on a port triggers a port bounce, which generates new client authentication.
- DHCP Snooping Option 82 is not supported.
- IGMP is not supported on DVR Leaf.
- Change-of-Authorization (CoA) functionality is not supported; Disconnect and Reauthenticate options are supported.
- Only settings that can be configured manually can be configured dynamically using EAP.
- IP Source Guard restrictions apply even if the feature is configured on the RADIUS server.
  - Maximum 10 entries per port
  - Maximum 1000 entries per server
- DHCP Snooping and DAI must be enabled on all VLAN members of the RADIUS configured port.
If multiple client authentication is permitted in MHMV mode, RADIUS settings can be applied incrementally as subsequent clients authenticate.
If a client authenticates with DHCP Snooping, DAI, and IP Source Guard attributes on the VLAN and a second client attempts to authenticate with the same attributes, consider the following:
- If the second client uses the same VLAN as the first client, only IP Source Guard applies on the RADIUS configuration port.
- If the second client uses a different VLAN, DHCP Snooping and DAI apply on the VLAN and the IP Source Guard applies on the RADIUS configuration port.
If you configure a Guest VLAN on a port and the RADIUS server returns IP Source Guard as a result of EAP or NEAP authentication, then you should manually remove static VLANs from that port. Alternatively, you can enable DHCP Snooping and DAI on static VLANs.
If you configure a port with multiple platform VLANs and the RADIUS server returns IP Source Guard as a result of EAP/NEAP authentication, then you must manually configure DHCP Snooping and DAI on static platform VLANs.
Dynamic cleanup is supported. When the last client to authenticate using a dynamic setting is removed, the following dynamic settings are also removed:
- Dynamic ARP Inspection (DAI)
- DHCP Snooping
- IGMP Snooping
- IP Source Guard
However, the following settings can only be removed by disabling EAP:
- SLPP Guard
- BPDU Guard
- Traffic Control (Wake on LAN)
- Custom Auto-Negotiation Advertisements
For more information, see Extreme-Dynamic-Config.
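
The following added example (not vendor code) models the dynamic cleanup rules and the IP Source Guard prerequisite described above, so that a planned RADIUS profile can be checked for static VLANs left without DHCP Snooping and DAI. The feature labels and the Port class are hypothetical names, not Extreme-Dynamic-Config VSA syntax, and the model assumes, as the Guest VLAN and multiple platform VLAN notes imply, that dynamically returned DHCP Snooping and DAI do not cover the port's static VLANs.

```python
# Added illustration, not vendor code. Feature labels are hypothetical names,
# not Extreme-Dynamic-Config VSA syntax.
VLAN_BASED = {"igmp-snooping", "dhcp-snooping", "dai"}
STICKY = {"slpp-guard", "bpdu-guard", "wol", "custom-autoneg"}  # cleared only by disabling EAP


class Port:
    def __init__(self, static_vlans=(), static_protected=()):
        self.static_vlans = set(static_vlans)          # manually configured VLANs (e.g. Guest VLAN)
        self.static_protected = set(static_protected)  # static VLANs with DHCP Snooping + DAI set by hand
        self.clients = {}                              # client -> (assigned VLAN, returned features)
        self.sticky = set()                            # port features that outlive their clients

    def authenticate(self, client, vlan, features):
        features = set(features)
        self.clients[client] = (vlan, features)
        self.sticky |= features & STICKY

    def remove(self, client):
        # Dynamic cleanup: VLAN based features and IPSG go away with their last client.
        self.clients.pop(client, None)

    def disable_eap(self):
        # Only disabling EAP clears SLPP Guard, BPDU Guard, WoL and custom auto-negotiation.
        self.clients.clear()
        self.sticky.clear()

    def vlan_features(self):
        applied = {}
        for vlan, features in self.clients.values():
            applied.setdefault(vlan, set()).update(features & VLAN_BASED)
        return applied

    def port_features(self):
        ipsg = {"ipsg"} if any("ipsg" in f for _, f in self.clients.values()) else set()
        return ipsg | self.sticky

    def ipsg_gaps(self):
        """Member VLANs missing DHCP Snooping or DAI while IPSG is active on the port."""
        if "ipsg" not in self.port_features():
            return []
        dyn = self.vlan_features()
        members = self.static_vlans | set(dyn)
        ok = self.static_protected | {v for v, f in dyn.items() if {"dhcp-snooping", "dai"} <= f}
        return sorted(members - ok)
```

A non-empty result from ipsg_gaps() lists the VLANs that need DHCP Snooping and DAI enabled manually, or that should be removed from the port, before the profile is used.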