VSA Definitions for Web-Based, MAC-Based, and 802.1X Network Login contains the Vendor Specific Attribute (VSA) definitions that a RADIUS (Remote Authentication Dial In User Service) server can send to an Extreme switch after successful authentication.
These attributes must be configured on the RADIUS server along with the Extreme Networks Vendor ID, which is 1916.
VSA | Attribute Type | Format | Sent-in | Description |
---|---|---|---|---|
Extreme-CLI-Authorization | 201 | Integer | Access-Accept | Specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch. |
Extreme-Netlogin-VLAN-Name | 203 | String | Access-Accept | Name of destination VLAN after successful authentication (must already exist on switch). |
Extreme-Netlogin-URL | 204 | String | Access-Accept | Destination web page after successful authentication. |
Extreme-Netlogin-URL-Desc | 205 | String | Access-Accept | Text description of network login URL attribute. |
Extreme-Netlogin-Only | 206 | Integer | Access-Accept | Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of “0” (disabled) indicates that the user can also authenticate via other methods. |
Extreme-User-Location | 208 | String | ||
Extreme-Netlogin-VLAN-ID | 209 | Integer | Access-Accept | ID of destination VLAN after successful authentication (must already exist on switch). |
Extreme-Netlogin-Extended-VLAN | 211 | String | Access-Accept | Name or ID of the destination
VLAN after successful authentication (must already exist on
switch). Note: When using this attribute,
specify whether the port should be moved tagged or untagged to
the VLAN. See the guidelines listed in the section VSA 211: Extreme-Netlogin-Extended-Vlan for more
information.
|
Extreme-Security-Profile | 212 | String | Access-Accept | Specifies a universal port profile to execute on the switch. For more information, see Universal Port. |
EXTREME_VM_NAME | 213 | String | Access-Accept | Specifies the name of the VM that is being authenticated . Example: MyVM1 |
EXTREME_VM_VPP_NAME | 214 | String | Access-Accept | Specifies the VPP to which the VM is to be mapped. Example: nvpp1 |
EXTREME_VM_IP_ADDR | 215 | String | Access-Accept | Specifies the IP address of the VM . Example: 11.1.1.254 |
EXTREME_VM_CTag | 216 | Integer | Access-Accept | Specifies the ID or tag of the destination VLAN for the VM . Example: 101 |
EXTREME_VM_VR_Name | 217 | String | Access-Accept | Specifies the VR in which the destination VLAN is to be placed. Example : UserVR1 |
The examples in the following sections are formatted for use in the FreeRADIUS users file. If you use another RADIUS server, the format might be different.
Note
For information on how to use and configure your RADIUS server, refer to the documentation that came with your RADIUS server.
For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.
This attribute specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch.
If command authorization is disabled, the user has full access to all CLI commands. If command authorization is enabled, each command the user enters is accepted or rejected based on the contents of the profiles file on the RADIUS server.
When added to the RADIUS users file, the following example enables command authorization for the associated user:
When added to the RADIUS users file, the following example disables command authorization for the associated user:
Extreme: Extreme-CLI-Authorization = disabled
This attribute specifies a destination VLAN name that the RADIUS server sends to the switch after successful authentication.
The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.
If none of the previously described attributes are present ISP mode is assumed, and the client remains in the configured VLAN.
When added to the RADIUS users file, the following example specifies the destination VLAN name, purple, for the associated user:
Extreme: Extreme-Netlogin-VLAN-Name = purple
The Extreme-NetLogin-Url attribute specifies a web page URL that the RADIUS server sends to the switch after successful authentication. When the switch receives the attribute in response to a web-based network login, the switch redirects the web client to display the specified web page. If a login method other than web-based is used, the switch ignores this attribute.
The following example specifies the redirection URL to use after successful authentication.
To configure the redirect URL as http://www.myhomepage.com, add the following line:
Extreme: Netlogin-URL = http://www.myhomepage.com
The Extreme-NetLogin-Url-Desc attribute provides a redirection description that the RADIUS server sends to the switch after successful authentication. When the switch receives this attribute in response to a web-based network login, the switch temporarily displays the redirect message while the web client is redirected to the web page specified by attribute 204. If a login method other than web-based is used, the switch ignores this attribute.
The following example specifies a redirect description to send to the switch after successful authentication:
Extreme: Netlogin-URL-Desc = "Authentication successful. Stand by for the home page."
The Extreme-Netlogin-Only attribute can be used to allow normal authentication or restrict authentication to only the network login method.
When this attribute is assigned to a user and authentication is successful, the RADIUS server sends the configured value back to the switch. The configured value is either disabled or enabled.
The Extreme switch uses the value received from the RADIUS server to determine if the authentication is valid. If the configured value is disabled, all normal authentication processes are supported (Telnet and SSH, for example), so the switch accepts the authentication. If the configured value is enabled, the switch verifies whether network login was used for authentication. If network login was used for authentication, the switch accepts the authentication. If an authentication method other than network login was used, the switch rejects the authentication.
Add the following line to the RADIUS server users file for users who are not restricted to network login authentication:
Extreme:Extreme-Netlogin-Only = Disabled
Add the following line to the RADIUS server users file for users who are restricted to network login authentication:
Extreme:Extreme-Netlogin-Only = Enabled
To reduce the quantity of information sent to the switch, the RADIUS server sends either a 1 for the enabled configuration or a 0 for the disabled configuration.
These values must be configured in the RADIUS dictionary file as shown in Configuring the Dictionary File.
This attribute specifies a destination VLAN ID (or VLAN tag) that the RADIUS server sends to the switch after successful authentication.
The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.
If none of the previously described attributes are present ISP mode is assumed, and the client remains in the configured VLAN.
When added to the RADIUS users file, the following example specifies the destination VLAN ID, 234, for the associated user:
Extreme:Extreme-Netlogin-VLAN-ID = 234
This attribute specifies one or more destination VLANs that the RADIUS server sends to the switch after successful authentication.
You can specify VLANS by VLAN name or ID (tag). The VLANs may either already exist on the switch or, if you have enabled dynamic VLANs and a non-existent VLAN tag is given, the VLAN is created.
In cases where the client is already authenticated, if a single VLAN move fails from a list of VLANs in the VSA and the move-fail-action is authenticate, then it is left as-is. If the client is not already authenticated (first time authentication), then it is authenticated on learnedOnVlan if possible. If move-fail-action is deny then the client is unauthenticated from all the VLANs where it is currently authenticated. There is no partial success.
Note
If there is one or more invalid VLAN in the VSA, the supplicant is not authenticated on any one of them.For example, if the VSA is Uvoice;Tdata and the VLAN data does not have a tag or the VLAN does not exist, then the port movement fails. Even if a single VLAN in the list is invalid the entire list is discarded and the action taken is based on move-fail-action configuration.
When added to the RADIUS users file, the following examples specify VLANs for the switch to assign after authentication:
Extreme-Netlogin-Extended-VLAN = Tvoice (Tagged VLAN named voice) Extreme-Netlogin-Extended-VLAN = Udata (Untagged VLAN named data) Extreme-Netlogin-Extended-VLAN = *orange (VLAN named orange, tagging dependent on incoming traffic) Extreme-Netlogin-Extended-VLAN = T229 (Tagged VLAN with ID 229) Extreme-Netlogin-Extended-VLAN = U4091 (Untagged VLAN with ID 4091) Extreme-Netlogin-Extended-VLAN = *145 (VLAN with ID 145, tagging dependent on incoming traffic) in FreeRADIUS, a tagged VLAN voice and a tagged VLAN mktg would be configured as the following: Extreme-Netlogin-Extended-VLAN = "Tvoice;Tmktg;"
An untagged VLAN data and a tagged VLAN mktg is configured as the following:
Extreme-Netlogin-Extended-VLAN = "Udata;Tmktg;"
A tagged VLAN with VLAN ID 229 and a tagged VLAN with VLAN ID 227 is configured in FreeRADIUS as the following:
Extreme-Netlogin-Extended-VLAN = "T229;T227;"
An untagged VLAN with VLAN ID 4091 and a tagged VLAN with VLAN ID 2001 is configured as the following:
Extreme-Netlogin-Extended-VLAN = "U4091;T2001;"
This attribute specifies a profile name that the RADIUS server sends to the switch after successful authentication. The switch uses this profile name to run a special type of script called a profile. The profile is stored on the switch and can be used to modify the switch configuration in response to authentication. Profiles are created using the Universal Port feature, which is described in Universal Port.
When added to the RADIUS users file, the following example provides to the switch the profile name p1, variable QOS=QP8, and variable LOGOFF-PROFILE=P2:
EXTREME-SECURITY-PROFILE= "p1 QOS=\"QP8\";LOGOFF-PROFILE=P2;"
This VSA is used in context with the Extreme Network Virtualization (XNV) feature, especially with the NMS authentication of VMs. Use this VSA to specify the name of the VM that is being authenticated. An example would be: MyVM1
This VSA is used in context with the XNV feature, especially with the NMS authentication of VMs. Use this VSA to specify the VPP to which the VM is to be mapped. An example would be: nvpp1
This VSA is used in context with the XNV feature, especially with the NMS authentication of VMs. Use this VSA to specify the IP address of the VM. An example would be: 11.1.1.254
This VSA corresponds to XNV with Dynamic VLANs. Use this VSA to specify the ID or tag of the destination VLAN for the VM. An example would be: 101
This VSA corresponds to XNV with Dynamic VLANs. Use this VSA to specify the VR in which the destination VLAN is to be placed. An example would be: UserVR1