LDAP Configuration Example

This configuration example is for Summit switches, but can also be used for other Extreme switches that support 802.1X.

Use the following commands to activate the switch for 802.1X port-based authentication:

create vlan voice
create vlan data
create vlan ldap
configure voice tag 10
configure data tag 20
configure ldap ipaddress 192.168.1.1/24
cnable ipforwarding
create vlan nvlan
en netlogin dot1x
en netlogin port 13-24 dot1x
configure radius netlogin primary server 192.168.1.2 1812 client-ip 192.168.1.1 vr VR-Default
configure radius netlogin primary shared-secret extreme1
enable radius netlogin
enable netlogin dot1x

Configure the ports to run a script when a user is authenticated through RADIUS (Remote Authentication Dial In User Service) and LDAP:

configure upm event user-authenticate profile a-avaya ports 1-23
LDAP UID entries:

In the LDAP phone UID entry in the users file, use the following attribute to specify a profile to run on the switch:

Extreme-Security-Profile

To add the port as tagged in the voice VLAN (Virtual LAN), use the following attribute in the users file:

Extreme-Netlogin-Extended-Vlan = TVoice (use UData for a PC)
Note

Note

It depends on the end-station to determine the fields required for authentication; XP uses EAP-PEAP and must have encrypted fields for the UID password. Avaya phones authenticate with MD-5 and must have an unencrypted field in LDAP.

Scripts

The following a-avaya script tells the phone to configure itself in the voice VLAN, and to send tagged frames.

The script also informs the phone of the file server and call server:

create upm profile a-avaya
create log message Starting_UPM_Script_AUTH-AVAYA
set var callServer 10.147.12.12
set var fileServer 10.147.10.3
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
#
create log message Starting_UPM_AUTH-AVAYA_Port_$EVENT.USER_PORT
#*********************************************************
# adds the detected port to the device "unauthenticated" profile port list
#*********************************************************
create log message Updating_Unauthenticated_Port_List_Port_$EVENT.USER_PORT
#configure upm event user-unauthenticated profile CleanupProfile ports $EVENT.USER_PORT
#*********************************************************
# Configure the LLDP options that the phone needs
#*********************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $voiceVlan
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
#configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $voiceVlan dscp 46
# If port is PoE capable, uncomment the following lines
#***************************************************************
# Configure the POE limits for the port based on the phone requirement
#***************************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
#configure inline-power operator-limit $EVENT.DEVICE_POWER ports $EVENT.USER_PORT
create log message UPM_Script_A-AVAYA_Finished_Port_$EVENT.USER_PORT
Note

Note

Parts of the scripts make use of the QP8 profile. This is NOT recommended because the QP8 profile is used by EAPS (Extreme Automatic Protection Switching). For voice, use QP7 for QOS.

This script uses tagging for the phone and the ports for the voice VLAN. This is NOT necessary; use multiple supplicant and untagged for the phones.