Sample Configuration with User-Triggered Profiles

This example demonstrates how to configure a RADIUS (Remote Authentication Dial-In User Service) server and Universal Port for user login. The first part of the example shows the RADIUS server configuration. For more information on RADIUS server configuration, see Security.

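# Configure the RADIUS server for the userID and password pair.
# For FreeRADIUS, edit the users file located at /etc/raddb/users as shown in the
# following lines.
#
# Layout: the first line of each entry starts in column 0 and carries the user
# name plus the check items; the reply items (the Extreme VSAs defined in the
# dictionary) follow on indented continuation lines, each comma-terminated
# except the last one.  Attribute names are spelled as in the dictionary
# (FreeRADIUS matches them case-insensitively, so this is for consistency).
#
# NOTE(review): `User-Password == "..."` is the FreeRADIUS 1.x check item;
# FreeRADIUS 2.x and later expect `Cleartext-Password := "..."` instead --
# confirm against the server version in use.
# NOTE(review): `Auth-Type := EAP` forces EAP for every entry, including the
# MAC-based ones; confirm that the switch's MAC/OUI netlogin method really
# authenticates with EAP rather than PAP/CHAP before relying on this.
#
#Sample entry of using an individual MAC address
# The MAC address doubles as the password, so this entry is only as strong as
# MAC-based network login itself; keep the assigned profile/VLAN scoped to what
# a phone needs.
00040D50CCC3    Auth-Type := EAP, User-Password == "00040D50CCC3"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-Vlan = voice
#Sample entry of using wildcard MAC addresses (OUI Method)
# Presumably reached through the switch's `config netlogin add mac-list` entry
# with a 24-bit mask, so any device whose MAC starts with 00:04:0D is mapped to
# this one user name and shared password.
00040D000000    Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-Vlan = voice
#Sample entry of using numeric UserID and password
10284    Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
        Extreme-Netlogin-Vlan = voice
#Sample entry of using a text UserID and password
# "Money" is a sample value only.
Sales    Auth-Type := EAP, User-Password == "Money"
        Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
        Extreme-Netlogin-Vlan = v-sales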
# Define the Extreme custom VSAs on RADIUS.
# For FreeRADIUS, edit the dictionary file located at /etc/raddb/dictionary to
# include the following details:
#
# Old-style vendor attribute syntax: ATTRIBUTE <name> <number> <type> <vendor>.
# These names are the ones the users file refers to in its reply items
# (FreeRADIUS matches attribute names case-insensitively).  Attribute numbers
# 207 and 210 are not defined in this sample.
VENDOR          Extreme         1916
ATTRIBUTE       Extreme-CLI-Authorization       201     integer Extreme
ATTRIBUTE       Extreme-Shell-Command           202     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Vlan           203     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url            204     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url-Desc       205     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Only           206     integer Extreme
ATTRIBUTE       Extreme-User-Location           208     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Vlan-Tag       209     integer Extreme
ATTRIBUTE       Extreme-Netlogin-Extended-Vlan  211     string  Extreme
ATTRIBUTE       Extreme-Security-Profile        212     string  Extreme
ATTRIBUTE       Extreme-CLI-Profile             213     string  Extreme

# Symbolic names for the two integer attributes, so entries can use
# Enabled/Disabled instead of the raw 1/0.
VALUE   Extreme-CLI-Authorization       Disabled        0
VALUE   Extreme-CLI-Authorization       Enabled         1
VALUE   Extreme-Netlogin-Only           Disabled        0
VALUE   Extreme-Netlogin-Only           Enabled         1
# End of Dictionary
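# Add the switch as an authorized client of the RADIUS server.
# For FreeRADIUS, edit the file located at /etc/raddb/clients.conf to include the
# switch as shown in the following lines:
#
# The client address must be the switch's RADIUS source address (the client-ip
# given to `config radius primary server ... client-ip ...` on the switch), and
# `secret` must be the same string configured on the switch with
# `config radius primary shared-secret`; a mismatch between the two is a common
# cause of requests being dropped or rejected.  The closing brace is required
# to end the client stanza.
client   192.168.10.4 {
    # "purple" is a sample value; use a long random secret in production.
    secret = purple
    shortname = SummitX
}
# End of clients.conf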

The rest of this example demonstrates the configuration that takes place at the ExtremeXOS switch:

# Create the universal port profile for user-authenticate:
* switch 1 # create upm profile phone
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log message Starting_Script_Phone
# Profile variables.  Only callServer and fileServer are referenced below;
# voiceVlan, CleanupProfile and sendTraps are set but never used in this sample.
# NOTE(review): CleanupProfile is "CleanPort" while the logoff profile created
# later in this example is named "clearport" -- harmless while unused, but
# worth aligning if the variable is ever referenced.
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
#
# $EVENT.USER_PORT is presumably the port on which the user-authenticate event
# fired (this profile is bound to that event for ports 11-20 further down).
create log message Starting_AUTH-VOIP_Port_$EVENT.USER_PORT
#******************************************************
# adds the detected port to the device "unauthenticated" profile port list
# NOTE(review): only the log message below follows this heading; no command
# here actually updates a port list.
#******************************************************
create log message Updating_Unauthenticated_Port_List_Port_$EVENT.USER_PORT
#******************************************************
# Configure the LLDP options that the phone needs
#******************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
# If port is PoE capable, uncomment the following lines
# NOTE(review): the only commented-out line that follows is a log message; the
# PoE (inline-power) commands this refers to are not present in this sample.
#create log message UPM_Script_A-Phone_Finished_Port_$EVENT.USER_PORT
.
switch 2 #
#
# Create the universal port profile for user-unauthenticate on the switch:
#
switch 1 # create upm profile clearport
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
# Logoff profile: this is the LOGOFF-PROFILE named in the users-file VSAs and
# is bound to the user-unauthenticated event for ports 11-20 further down.
# It undoes the per-port LLDP settings that the "phone" profile applied.
create log message STARTING_Script_CLEARPORT_on_$EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log message LLDP_Info_Cleared_on_$EVENT.USER_PORT
# Resets the PoE operator limit on the port.  The "phone" profile in this sample
# does not configure inline-power, so this is presumably a no-op unless PoE
# settings were applied by something else.
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log message POE_Settings_Cleared_on_$EVENT.USER_PORT
create log message FINISHED_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* switch 2 #
# Configure RADIUS on the edge switch.
#
* switch 4 # config radius primary server 192.168.11.144 client-ip 192.168.10.4 vr "VR-Default"
* switch 5 # config radius primary shared-secret purple
# Configure Network Login on the edge switch.
#
For Network Login 802.1X, use the following commands:
* switch 7 # create vlan nvlan
* switch 8 # config netlogin vlan nvlan
* switch 9 # enable netlogin dot1x
* switch 10 # enable netlogin ports 11-20 mode mac-based-vlans
* switch 11 # enable radius netlogin
#
# For the Network Login MAC-based or OUI method, use the following commands:
* switch 7 # create vlan nvlan
* switch 8 # config netlogin vlan nvlan
* switch 9 # enable netlogin mac
* switch 10 # config netlogin add mac-list 00:04:0D:00:00:00 24 1234
* switch 11 # enable radius netlogin
# Assign the user-authenticate profile to the edge port.
#
* switch 12 # configure upm event user-authenticate profile "phone" ports 11-20
* switch 13 #
# Assign the user-unauthenticate profile to the edge port.
#
* switch 14 # configure upm event user-unauthenticated profile "clearport" ports 11-20
* switch 15 #
# Check that the correct profiles are assigned to the correct ports.
#
* switch 16 # show upm profile
===========================================================
UPM Profile          Events               Flags Ports
===========================================================
phone                User-Authenticated      e  11-20
clearport          User-Unauthenticated      e  11-20
===========================================================
Number of UPM Profiles: 5
Number of UPM Events in Queue for execution: 0
Flags: d - disabled, e - enabled
Event name: log-message(Log filter name) - Truncated to 20 chars
# Enable LLDP message advertisements on the ports.
#
* switch 17 # enable lldp ports 11-20