Microsoft IAS

To use Extreme Networks VSAs with the Internet Authentication Service (IAS) in Microsoft® Windows Server™ 2003, you must first create a Remote Access Policy and apply it so that user authentication occurs using a specific authentication type such as EAP-TLS, PEAP, or PAP. The following procedure assumes that the Remote Access Policy has already been created and configured and describes how to define Extreme Networks VSAs in Microsoft IAS:

  1. Open the IAS administration GUI application.
  2. In the left window pane, select the Remote Access Policies section of the tree.
  3. In the right window pane, double-click the desired Remote-Access policy name so you can edit it.
  4. Click the Edit-Profile button in the lower-left corner, and then select the Advanced tab.
  5. If any attributes already appear in the Parameters window, remove them by selecting the attribute and clicking the Remove button.
  6. When the Parameters window is empty, proceed to the next step.
  7. Click the Add button, which brings up the Add Attributes dialog window.
  8. Scroll down the displayed list of RADIUS (Remote Authentication Dial In User Service) attributes and select the attribute named Vendor-Specific.
  9. Double-click the Vendor-Specific attribute or click the Add button.

    The Multivalued Attribute Information dialog box should appear.

  10. Click the Add button, which brings up the Vendor-Specific Attribute Information dialog window.
    1. Select the first radio button for Enter Vendor Code and enter the Extreme Networks vendor code value of 1916 in the text-box.
    2. Select the second radio button for Yes, It conforms.
    3. Verify both settings, and click the Configure Attribute button to proceed.

      The Configure VSA (RFC compliant) dialog window should now appear.

      The settings for this dialog window varies, depending on which product and attribute you wish to use in your network.

    4. In the first text-box enter the Extreme Networks VSA number for the attribute you want to configure (see Extreme Networks VSAs).
    5. Use the pull-down menu to select the Attribute format, which is the same as the attribute Type listed in Extreme Networks VSAs.
      Note

      Note

      For values of format integer you will have to select the type Decimal from the pull-down menu.
    6. Configure the desired value for the attribute.
    7. Once the desired values have been entered, click OK.
  11. Click OK two more times to return to the Add Attributes dialog window.
  12. Select Close, and then click OK twice to complete the editing of the Remote Access Policy profile.
  13. To apply the configuration changes, stop and restart the Microsoft IAS service.

    After restarting the IAS service, new authentications should correctly return the Extreme Networks VSA after successful authentication. Users who were previously authenticated have to re-authenticate to before the new VSAs apply to them.

  14. If you experience problems with the newly configured VSAs, use the following troubleshooting guidelines:
    1. If you have multiple IAS Remote Access Policies, verify that the user is being authenticated with the correct policy.
    2. Check the IAS System Log events within Microsoft Event Viewer to verify the user is authenticated through the policy where VSA settings are configured.
    3. Check whether the VSA configuration performed above is correct.

      A mismatch in any of the VSA settings could cause authentication or VSA failure.

    4. Verify that attributes such as "VLAN (Virtual LAN) tag" or "VLAN name" correctly match the configuration of your ExtremeXOS switch and overall network topology.

      Invalid, or incorrect values returned in the VSA could prevent authenticated users from accessing network resources.