This attribute configures port and VLAN based attributes.
Name: Extreme-Dyn-Config
Value: 252
Type: String
Vendor: Extreme
Extreme Vendor ID is 1916
The following features can be configured using Extreme-Dynamic-Config RADIUS VSA.
VLAN Based Features:
DHCP Snooping
Dynamic ARP Inspection (DAI)
IGMP Snooping
Port Based Features:
Custom Auto-Negotiation Advertisements
Bridge Protocol Data Unit (BPDU) Guard
IP Source Guard (IPSG)
Reauthentication
Simple Loop Prevention Protocol (SLPP) Guard
Traffic Control (Wake on LAN - WoL)
AN-ADVERTISMENTS:100Half or AN-ADVERTISMENTS:100H settings configure Custom Auto-Negotiation Advertisements (CANA) speed and duplex to the following supported values:
10Half
100Full
100Half
100Full
1000Full
This setting enables Bridge Protocol Data Unit (BPDU) Guard on the port where the client resides.
This setting enables Dynamic ARP Inspection (DAI) on the VLAN received from the RADIUS server. For a Flex-UNI port, DAI enables on the platform VLAN associated with the I-SID received from the RADIUS server.
DAI also enables on the default VLAN of the port to prepare for IP Source Guard (IPSG), which requires DAI and DHCP Snooping enabled on all VLANs. If the RADIUS server does not return a VLAN of I-SID, DAI enables on the default VLAN. For Flex-UNI ports, DAI enables on the platform VLAN associated with the untagged I-SID.
This setting enables DHCP Snooping on the VLAN received from the RADIUS server. For a Flex-UNI port, DHCP Snooping enables on the platform VLAN associated with the I-SID received from the RADIUS server.
DHCP Snooping also enables on the default VLAN of that port to prepare for IP Source Guard (IPSG), which requires DAI and DHCP Snooping enabled on all VLANs. If the RADIUS server does not return a VLAN of I-SID, DHCP Snooping enables on the default VLAN. For Flex-UNI ports, DHCP Snooping enables for the platform VLAN associated with the untagged I-SID.
This setting enables IGMP Snooping on the VLAN received from the RADIUS server. For a Flex-UNI port, IGMP Snooping enables on the platform VLAN associated with the I-SID received from the RADIUS server.
This setting enables IP Source Guard (IPSG) on the port where the client resides.
In order to apply IPSG, DHCP Snooping and DAI must be configured on the RADIUS server. DHCP Snooping and DAI must be enabled on all VLANs.
The following is an example of a log message that displays if a setting is not configured correctly:
GlobalRouter EAP WARNING Cannot apply Radius IP Source Guard attribute on port 3/15 without DHCP Snooping and DAI attributes.This setting enables EAPOL reauthentication on a port either manually using CLI or dynamically through RADIUS. The origin identifies how reauthentication was configured either CONFIG or RADIUS.
This setting enables Simple Loop Prevention Protocol (SLPP) Guard on the port where the client resides.
This setting enables EAP traffic-control (Wake On LAN) on the port where the client resides.
Session | REAUTH status | Cause |
---|---|---|
EAP Session | Without REAUTH VSA | On MAC ageout. Note: Session timeouts
if the client is not connected.
|
With REAUTH VSA | On periodically timer and MAC ageout. | |
NEAP Session | Without REAUTH VSA | On MAC Ageout. |
With REAUTH VSA | Useful for silent devices, session stays active despite MAC
ageout. Session is removed only by manual intervention or RADIUS
reject/timeout. Note: The same command
activates both EAP and NEAP reauthentication. If
reauthentication is needed for EAP, NEAP reauthentication for
silent devices is automatically activated.
|
Command | Level | Processing | Configuration | Prerequisites |
---|---|---|---|---|
Session-timeout | per session basis. |
Changes the reauth interval for a particular session. |
none. |
Enable port level reauthentication. |
VSA (REAUTH:300 or REAUTH) | per port basis. |
Changes the port configuration. |
Enable reauthentication and configure interval. |
none. |