The ExtremeXOS software uses standard RADIUS (Remote Authentication Dial In User Service) attributes to send information in an Access-Request message to a RADIUS server.
The software also accepts some standard RADIUS attributes in the Access-Accept message that the RADIUS server sends to the switch after successful authentication. The switch ignores attributes that it is not programmed to use.
Standard RADIUS Attributes Used by Network Login lists the standard RADIUS attributes used by the ExtremeXOS software.
Attribute | RFC | Attribute Type | Format | Sent-in | Description |
---|---|---|---|---|---|
User-Name | RFC 2138 | 1 | String | Access-Request | Specifies a user name for authentication. |
Calling-Station-ID | RFC 2865 | 31 | String | Access-Request | Identifies the phone number for the supplicant requesting authentication. |
EAP-Message | RFC 3579 | 79 | String | Access-Request, Access-Challenge, Access-Accept, and Access Reject | Encapsulates EAP packets. |
Login-IP-Host | RFC 2138 | 14 | Address | Access-Request and Access-Accept | Specifies a host to log into after successful authentication. |
Message-Authenticator | RFC 3579 | 80 | String | Access-Request, Access-Challenge, Access-Accept, and Access Reject | Contains a hash of the entire message that is used to authenticate the message. |
NAS-Port-Type | RFC 2865 | 61 | Integer | Access-Request | Identifies the port type for the port through which authentication is requested. |
Service-Type | RFC 2138 | 6 | String | Access-Accept | Specifies the granted service type in an Access-Accept message. See Attribute 6: Service Type below. |
Session-Timeout | RFC 2865 | 27 | Integer | Access-Accept, Access-Challenge | Specifies how long the user session can last before authentication is required. |
State | RFC 2865 | 24 | String | Access-Challenge, Access-Request | Site specific. |
Termination-Action | RFC 2865 | 29 | Integer | Access-Accept | Specifies how the switch should respond to service termination. |
Tunnel-Medium-Type | RFC 2868 | 65 | Integer | Access-Accept | Specifies the transport medium used when creating a tunnel for protocols (for example, VLANs) that can operate over multiple transports. |
Tunnel-Private-Group-ID | RFC 2868 | 81 | String | Access-Accept | Specifies the VLAN (Virtual LAN) ID of the destination VLAN after successful authentication; used to derive the VLAN name. |
Tunnel-Type | RFC 2868 | 64 | Integer | Access-Accept | Specifies the tunneling protocol that is used. |
User-Password | RFC 2138 | 2 | String | Access-Request | Specifies a password for authentication. |
Because no command line interface (CLI) commands are available to modify the privilege level, access rights are determined when you log in. For a RADIUS server to identify the administrative privileges of a user, Extreme Networks switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept packet, after successfully authenticating the user.
Extreme Networks switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is transmitted as part of the Access-Accept message from the RADIUS server. Other Service-Type values or no value, result in the switch granting read-only access to the user. Different implementations of RADIUS handle attribute transmission differently. You should consult the documentation for your specific implementation of RADIUS when you configure users for read-write access.