ExtremeXOS® User Guide

VSA Definitions for Web-Based, MAC-Based, and 802.1X Network Login contains the Vendor Specific Attribute (VSA) definitions that a RADIUS (Remote Authentication Dial In User Service) server can send to an Extreme switch after successful authentication.

These attributes must be configured on the RADIUS server along with the Extreme Networks Vendor ID, which is 1916.

VSA Definitions for Web-Based, MAC-Based, and 802.1X Network Login

VSA	Attribute Type	Format	Sent-in	Description
Extreme-CLI-Authorization	201	Integer	Access-Accept	Specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch.
Extreme-Netlogin-VLAN-Name	203	String	Access-Accept	Name of destination VLAN after successful authentication (must already exist on switch).
Extreme-Netlogin-URL	204	String	Access-Accept	Destination web page after successful authentication.
Extreme-Netlogin-URL-Desc	205	String	Access-Accept	Text description of network login URL attribute.
Extreme-Netlogin-Only	206	Integer	Access-Accept	Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of “0” (disabled) indicates that the user can also authenticate via other methods.
Extreme-User-Location	208	String
Extreme-Netlogin-VLAN-ID	209	Integer	Access-Accept	ID of destination VLAN after successful authentication (except for dynamic VLANs, must already exist on switch).
Extreme-Netlogin-Extended-VLAN	211	String	Access-Accept	Name or ID of the destination VLAN after successful authentication (must already exist on switch). Note: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN. See the guidelines listed in the section VSA 211: Extreme-Netlogin-Extended-Vlan for more information.
Extreme-Security-Profile	212	String	Access-Accept	Specifies a universal port profile to execute on the switch. For more information, see Universal Port.
EXTREME_VM_NAME	213	String	Access-Accept	Specifies the name of the VM that is being authenticated . Example: MyVM1
EXTREME_VM_VPP_NAME	214	String	Access-Accept	Specifies the VPP to which the VM is to be mapped. Example: nvpp1
EXTREME_VM_IP_ADDR	215	String	Access-Accept	Specifies the IP address of the VM . Example: 11.1.1.254
EXTREME_VM_CTag	216	Integer	Access-Accept	Specifies the ID or tag of the destination VLAN for the VM . Example: 101
EXTREME_VM_VR_Name	217	String	Access-Accept	Specifies the VR in which the destination VLAN is to be placed. Example : UserVR1

The examples in the following sections are formatted for use in the FreeRADIUS users file. If you use another RADIUS server, the format might be different.

Note

For information on how to use and configure your RADIUS server, refer to the documentation that came with your RADIUS server.

For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.

VSA 201: Extreme-CLI-Authorization

This attribute specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch.

If command authorization is disabled, the user has full access to all CLI commands. If command authorization is enabled, each command the user enters is accepted or rejected based on the contents of the profiles file on the RADIUS server.

When added to the RADIUS users file, the following example enables command authorization for the associated user:

Extreme: Extreme-CLI-Authorization = enabled

When added to the RADIUS users file, the following example disables command authorization for the associated user:

Extreme: Extreme-CLI-Authorization = disabled

VSA 203: Extreme-Netlogin-VLAN-Name

This attribute specifies a destination VLAN name that the RADIUS server sends to the switch after successful authentication.

The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.

The following describes the guidelines for VSA 203:

For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.
To specify the VLAN name, use an ASCII string.
When using this VSA, do not specify whether the VLAN is tagged or untagged.

Because the RADIUS server can identify a target VLAN with multiple attributes, the switch selects the appropriate VLAN or VLANs using the order:

Extreme-Netlogin-Extended-VLAN (VSA 211)
Extreme-Netlogin-VLAN-Name (VSA 203)
Extreme-Netlogin-VLAN-ID (VSA 209)
Tunnel-Private-Group-ID, but only if Tunnel-Type == VLAN(13) and Tunnel-Medium-Type == 802 (6) (see Standard RADIUS Attributes Used by Extreme Switches)

If none of the previously described attributes are present ISP mode is assumed, and the client remains in the configured VLAN.

When added to the RADIUS users file, the following example specifies the destination VLAN name, purple, for the associated user:

Extreme: Extreme-Netlogin-VLAN-Name = purple

VSA 204: Extreme-Netlogin-URL

The Extreme-NetLogin-Url attribute specifies a web page URL that the RADIUS server sends to the switch after successful authentication. When the switch receives the attribute in response to a web-based network login, the switch redirects the web client to display the specified web page. If a login method other than web-based is used, the switch ignores this attribute.

The following describes the guidelines for VSA 204:

To specify the URL to display after authentication, use an ASCII string.
If you do not specify a URL, the network login infrastructure uses the default redirect page URL, , or the URL that you configured using the configure netlogin redirect-page command.
VSA 204 applies only to the web-based authentication mode of Network Login.

The following example specifies the redirection URL to use after successful authentication.

To configure the redirect URL as http://www.myhomepage.com, add the following line:

Extreme: Netlogin-URL = http://www.myhomepage.com

VSA 205: Extreme-Netlogin-URL-Desc

The Extreme-NetLogin-Url-Desc attribute provides a redirection description that the RADIUS server sends to the switch after successful authentication. When the switch receives this attribute in response to a web-based network login, the switch temporarily displays the redirect message while the web client is redirected to the web page specified by attribute 204. If a login method other than web-based is used, the switch ignores this attribute.

The following describes the guidelines for VSA 205:

To let the user know where they will be redirected to after authentication (specified by VSA 204), use an ASCII string to provide a brief description of the URL.
VSA 205 applies only to the web-based authentication mode of Network Login.

The following example specifies a redirect description to send to the switch after successful authentication:

Extreme: Netlogin-URL-Desc = "Authentication successful. Stand by for the home page."

VSA 206: Extreme-Netlogin-Only

The Extreme-Netlogin-Only attribute can be used to allow normal authentication or restrict authentication to only the network login method.

When this attribute is assigned to a user and authentication is successful, the RADIUS server sends the configured value back to the switch. The configured value is either disabled or enabled.

The Extreme switch uses the value received from the RADIUS server to determine if the authentication is valid. If the configured value is disabled, all normal authentication processes are supported (Telnet and SSH, for example), so the switch accepts the authentication. If the configured value is enabled, the switch verifies whether network login was used for authentication. If network login was used for authentication, the switch accepts the authentication. If an authentication method other than network login was used, the switch rejects the authentication.

Add the following line to the RADIUS server users file for users who are not restricted to network login authentication:

Extreme:Extreme-Netlogin-Only = Disabled

Add the following line to the RADIUS server users file for users who are restricted to network login authentication:

Extreme:Extreme-Netlogin-Only = Enabled

To reduce the quantity of information sent to the switch, the RADIUS server sends either a 1 for the enabled configuration or a 0 for the disabled configuration.

These values must be configured in the RADIUS dictionary file as shown in Configuring the Dictionary File.

VSA 209: Extreme-Netlogin-VLAN-ID

This attribute specifies a destination VLAN ID (or VLAN tag) that the RADIUS server sends to the switch after successful authentication.

The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.

The following describes the guidelines for VSA 209:

For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.
To specify the VLAN ID, use an ASCII string.
When using this VSA, do not specify whether the VLAN is tagged or untagged.

Because the RADIUS server can identify a target VLAN with multiple attributes, the switch selects the appropriate VLAN or VLANs using the order:

Extreme-Netlogin-Extended-VLAN (VSA 211)
Extreme-Netlogin-VLAN-Name (VSA 203)
Extreme-Netlogin-VLAN-ID (VSA 209)
Tunnel-Private-Group-ID, but only if Tunnel-Type == VLAN(13) and Tunnel-Medium-Type == 802 (6) (see Standard RADIUS Attributes Used by Extreme Switches)

If none of the previously described attributes are present ISP mode is assumed, and the client remains in the configured VLAN.

When added to the RADIUS users file, the following example specifies the destination VLAN ID, 234, for the associated user:

Extreme:Extreme-Netlogin-VLAN-ID = 234

VSA 211: Extreme-Netlogin-Extended-Vlan

This attribute specifies one or more destination VLANs that the RADIUS server sends to the switch after successful authentication.

You can specify VLANS by VLAN name or ID (tag). The VLANs may either already exist on the switch or, if you have enabled dynamic VLANs and a non-existent VLAN tag is given, the VLAN is created.

When the switch receives the VSA, it does the following:

Unauthenticates the user on all VLANs where it is currently authenticated during reauthentication.
Authenticates the user on all VLANs in the VSA, or none of them.

In cases where the client is already authenticated, if a single VLAN move fails from a list of VLANs in the VSA and the move-fail-action is authenticate, then it is left as-is. If the client is not already authenticated (first time authentication), then it is authenticated on learnedOnVlan if possible. If move-fail-action is deny then the client is unauthenticated from all the VLANs where it is currently authenticated. There is no partial success.

Note

If there is one or more invalid VLAN in the VSA, the supplicant is not authenticated on any one of them.

For example, if the VSA is Uvoice;Tdata and the VLAN data does not have a tag or the VLAN does not exist, then the port movement fails. Even if a single VLAN in the list is invalid the entire list is discarded and the action taken is based on move-fail-action configuration.

The following describes the guidelines for VSA 211:

For tagged VLAN movement with 802.1X netlogin, you must use VSA 211.
To specify the VLAN name or the VLAN ID, use an ASCII string; however, you cannot specify both the VLAN name and the VLAN ID at the same time. If the string only contains numbers, it is interpreted as the VLAN ID.
A maximum of 10 VLANs are allowed per VSA.
For tagged VLANs, specify T for tagged before the VLAN name or VLAN ID.
For untagged VLANs, specify U for untagged before the VLAN name or VLAN ID.
For movement based on the incoming port‘s traffic, specify the wildcard * before the VLAN name or VLAN ID. The behavior can be either tagged or untagged, based on the incoming port‘s traffic, and mimics the behavior of VSA 203 and VSA 209, respectively.
Multiple VLAN names or VLAN IDs are separated by semicolons. When multiple vlans are defined in single VSA 211, the wildcard * is not allowed.
There cannot be more than one untagged VLAN in a single VSA.
The same VLAN cannot be both untagged and tagged in a single VSA.
A client or supplicant can be authenticated in a only one untagged VLAN.
The ports configured for an untagged VLAN different from the netlogin VLAN can never be added tagged to the same VLAN.
A port can be in more than one untagged VLAN when MAC-based VLANs are enabled.

When added to the RADIUS users file, the following examples specify VLANs for the switch to assign after authentication:

Extreme-Netlogin-Extended-VLAN = Tvoice (Tagged VLAN named voice)
Extreme-Netlogin-Extended-VLAN = Udata (Untagged VLAN named data)
Extreme-Netlogin-Extended-VLAN = *orange (VLAN named orange, tagging dependent on incoming traffic)
Extreme-Netlogin-Extended-VLAN = T229 (Tagged VLAN with ID 229)
Extreme-Netlogin-Extended-VLAN = U4091 (Untagged VLAN with ID 4091)
Extreme-Netlogin-Extended-VLAN = *145 (VLAN with ID 145, tagging dependent on incoming traffic)
in FreeRADIUS, a tagged VLAN voice and a tagged VLAN mktg would be configured as the following:
Extreme-Netlogin-Extended-VLAN = "Tvoice;Tmktg;"

An untagged VLAN data and a tagged VLAN mktg is configured as the following:

Extreme-Netlogin-Extended-VLAN = "Udata;Tmktg;"

A tagged VLAN with VLAN ID 229 and a tagged VLAN with VLAN ID 227 is configured in FreeRADIUS as the following:

Extreme-Netlogin-Extended-VLAN = "T229;T227;"

An untagged VLAN with VLAN ID 4091 and a tagged VLAN with VLAN ID 2001 is configured as the following:

Extreme-Netlogin-Extended-VLAN = "U4091;T2001;"

VSA 212: Extreme-Security-Profile

This attribute specifies a profile name that the RADIUS server sends to the switch after successful authentication. The switch uses this profile name to run a special type of script called a profile. The profile is stored on the switch and can be used to modify the switch configuration in response to authentication. Profiles are created using the Universal Port feature, which is described in Universal Port.

The following describes the guidelines for VSA 212:

This VSA must contain a profile name.
This VSA can include optional variables for use in profile execution.
The variable entry format is: <var1>=<value1>;<var2>=<value2>;…
Each profile variable must be separated from the others by a semicolon.

When added to the RADIUS users file, the following example provides to the switch the profile name p1, variable QOS=QP8, and variable LOGOFF-PROFILE=P2:

EXTREME-SECURITY-PROFILE= "p1 QOS=\"QP8\";LOGOFF-PROFILE=P2;"

VSA 213: EXTREME_VM_NAME

This VSA is used in context with the Extreme Network Virtualization (XNV) feature, especially with the NMS authentication of VMs. Use this VSA to specify the name of the VM that is being authenticated. An example would be: MyVM1

VSA 214: EXTREME_VM_VPP_NAME

This VSA is used in context with the XNV feature, especially with the NMS authentication of VMs. Use this VSA to specify the VPP to which the VM is to be mapped. An example would be: nvpp1

VSA 215: EXTREME_VM_IP_ADDR

This VSA is used in context with the XNV feature, especially with the NMS authentication of VMs. Use this VSA to specify the IP address of the VM. An example would be: 11.1.1.254

VSA 216: EXTREME_VM_VLAN_ID

This VSA corresponds to XNV with Dynamic VLANs. Use this VSA to specify the ID or tag of the destination VLAN for the VM. An example would be: 101

VSA 217: EXTREME_VM_VR_NAME

This VSA corresponds to XNV with Dynamic VLANs. Use this VSA to specify the VR in which the destination VLAN is to be placed. An example would be: UserVR1

Extreme Networks VSAs