The Extreme-Dynamic-Client-Assignments Vendor Specific Attribute (VSA) is a RADIUS VSA for dynamic VLAN and Private VLAN (PVLAN) creation. You can also configure VLAN parameters, such as VLAN name, I-SID to VLAN association, and I-SID name.
You configure these features through the Extreme-Dynamic-Config RADIUS VSA before you use the VSA Extreme-Dynamic-Client-Assignments.
RADIUS Change of Authorization (CoA) is supported also. With CoA, a RADIUS server can remove a client device from a network and force it to re-authenticate.
create
. Only the options used to define the existing functionality
of mapping clients to VLAN on regular ports or vlan:isid on flex-uni ports are
used—Primary VLAN (PV), Virtual Network Identifier (VNI), and Egress VLAN (EV).
The Secondary VLAN (SV), VLAN Name (VN), and VNIN attributes for dynamic VLAN
are ignored.create=vlan
. The
Multiple Spanning Tree Protocol (MSTP) instance is 0. When platform VLAN is
dynamically created, all VLAN parameters are also dynamically applied; a static
VLAN setting is not allowed. Dynamic platform VLANs and dynamic I-SIDs names
will exist as long as EAP clients reference them. If clients do not use them,
then they are deleted and are not saved in the configuration file. create=pvlan
option. The EAP and Private VLANs on regular ports are not supported. But they
are supported on flex-uni ports. The MSTP instance is 0. When you dynamically
create a private VLAN, all VLAN parameters are also dynamically created; this is
no static setting allowed. Dynamic PVLANs and dynamic I-SIDs names will exist as
long as EAP clients reference them. If clients do not use them, then they are
deleted and are not saved in the configuration file. create=vlan|pvlan,pv=Primary VLANID, sv=secondary VLANID, vni=ISID,
ev=EGRESS-VLAN-tag, vn=vlan-name, vnin=isid-name
.Note
If ev is missing, it will default to0
. You can also
use U
or T
(case-sensitive). When
ev
is set to
U
, it is
untagged or 0
. When
ev
is set to
T
, it takes the
value of pv
or
tagged. If pv
is not
specified, then an error occurs and the VSA is ignored.Option | Note |
---|---|
create=vlan |
pvlan
|
If create is missing, the assumption is that a manually
created VLAN exists.Note the following two examples:
This option is ignored on DVR Leafs. |
pv=Primary VLANID
|
The platform VLAN that the client is assigned. This option is valid
for any combination of the |
sv=Secondary
VLANID |
This option is only valid for a private VLAN and if the create
option is also used. |
vni=ISID
|
If you did not use create then
you can use vni on flex-uni ports with ev to assign
a client to a Switched UNI (S-UNI).The |
ev=EGRESS-VLAN-tag
|
Use this option on regular ports to tag or untag the egress for the
PV. Use this option on flex-uni ports as |
vn=Vlan name
|
Valid only if you use create . |
vnin=ISID name
|
Valid only if you use create . |
Port Type | RADIUS Attribute | Extreme-Dynamic-Client-Assignments Radius VSA | Comment |
---|---|---|---|
Regular port. |
Tunnel Private GroupID. |
Without
|
This adds the port to the primary VLAN; tag is the port tag. |
|
Without
|
Untagged: Tagged: This adds the port to the primary VLAN; The VLAN egress tag is
dictated by the |
|
|
Not Supported. |
- | |
Flex-Uni ports. |
|
Without create .
|
Untagged: Tagged: A S-UNI is created, either MAC-based or regular, depending on
MHMV/MHSA setting; uses |
|
Supported by the same combination for FA VLAN:ISID. |
- |
|
|
Without create .
|
Untagged: Tagged: A S-UNI is created, either MAC-based or regular, depending on
MHMV/MHSA setting; uses auto configured |
|
|
Not supported. |
- | |
|
Not supported. |
- |
The dynamic VLAN is deleted after you disconnect all of the clients across the Extensible Authentication Protocol (EAP) ports. The port is removed when the last client is disconnected and the saved I-SID name is restored.
You cannot delete a static VLAN if EAP ports are assigned to it. But the VLAN can be deleted if you have added EAP FlexUNI ports to it. When you do this action, all MAC addresses are flushed, and any Non-EAP (NEAP) sessions are deleted. The MAC address is re-learned in I-SID and a new RADIUS authentication can now create a dynamic VLAN. For EAP sessions, the session goes to the re-authentication state, and the new RADIUS authentication can create a dynamic VLAN.
In Multiple Host Multiple VLAN (MHMV), all VSAs received from RADIUS are deleted and not processed, except for the last one.