Defining VLAN/NSI Mappings with RADIUS Standards Attributes or VSAs
There are two ways to define the VLAN/NSI mapping using a combination of RADIUS Standards (RFC2868 and RFC3580) Attributes and/or Vendor Specific Attributes (VSAs).
- The presently supported RFC3580 VLAN can be associated with newly introduced Extreme Networks VSAs.
  - RFC2868 & RFC3580 RADIUS Attributes:
    - Attribute 64: Tunnel-Type = VLAN (13)
    - Attribute 65: Tunnel-Medium-Type = 802
    - Attribute 81: Tunnel-Private-Group-Id=<VlanID>
  - Extreme Networks VSAs:
    - Attribute 230: Extreme-NSI-Type
    - Attribute 231: Extreme-NSI-ID
Take care when configuring these attributes manually. Extreme-NSI-Type and Extreme-NSI-ID values require a “tag” byte so that multiple attribute pairs can be specified in the same RADIUS response (for example, in FreeRADIUS this is annotated with “has_tag”). At present, only one Type/ID pair is used. If more than one pair is present, the entry with the lowest tag value is used, and it is associated with the Tunnel-Private-Group-Id's VLAN. Although the Tunnel-Private-Group-Id attribute also supports an optional “tag” value, it is not currently used, for backwards compatibility. Whether or not a “tag” value is specified in the Tunnel-Private-Group-Id attribute, it is matched to the Extreme-NSI-ID. Future releases may place additional restrictions on mismatched tags between the Tunnel-Private-Group-Id attribute and the Extreme-NSI-ID attribute.
- Alternatively, an existing Nortel/Avaya attribute can also be used. The attribute is of the form “VLAN:NSI”. As the VLAN is specified within the attribute, RFC2868 and RFC3580 attributes are not required:
  - Attribute 171: Fabric-Attach-ISID

Note
If both are present in the returned RADIUS attributes, the Extreme VSAs are used.
Note
Policy and RADIUS authentication are performed per user, which means NSI mappings are also specified per user. Unless a common policy profile is used, you cannot prevent different users from mapping a VLAN to different NSI values.
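The selection rules above (lowest tag wins, Extreme VSAs preferred over Fabric-Attach-ISID) and the per-user caveat can be checked offline before reply attributes are deployed. The following is an added example, not Extreme Networks code: it resolves the effective VLAN/NSI mapping for each user's reply attributes and reports VLANs that different users map to different NSI values. It assumes attributes are already decoded into `(name, tag, value)` tuples, that Type and ID attributes with the same tag form a pair, and that VLAN and NSI IDs are numeric; the function names, the sample users and the `TYPE-A`/`TYPE-B` values are constructed placeholders.

```python
from collections import defaultdict

def resolve_mapping(attrs):
    """attrs: list of (name, tag, value) from one Access-Accept.
    Returns (vlan, nsi_type, nsi_id), or None if no mapping is present."""
    # The tag on Tunnel-Private-Group-Id is not used, so take the first one.
    vlan = next((int(v) for n, _t, v in attrs
                 if n == "Tunnel-Private-Group-Id"), None)
    ids = {t: v for n, t, v in attrs if n == "Extreme-NSI-ID"}
    types = {t: v for n, t, v in attrs if n == "Extreme-NSI-Type"}
    # Assumption: a Type and an ID carrying the same tag form one pair.
    tags = sorted(set(ids) & set(types))
    if vlan is not None and tags:
        low = tags[0]  # only the pair with the lowest tag is used
        return vlan, types[low], int(ids[low])
    # Otherwise fall back to Fabric-Attach-ISID in "VLAN:NSI" form.
    for n, _t, v in attrs:
        if n == "Fabric-Attach-ISID":
            fa_vlan, _, fa_nsi = v.partition(":")
            return int(fa_vlan), None, int(fa_nsi)
    return None

def find_conflicts(replies):
    """replies: {user: attrs}. Returns {vlan: {nsi_id: [users]}} for every
    VLAN that different users map to more than one NSI value."""
    seen = defaultdict(lambda: defaultdict(list))
    for user, attrs in replies.items():
        mapping = resolve_mapping(attrs)
        if mapping:
            vlan, _nsi_type, nsi_id = mapping
            seen[vlan][nsi_id].append(user)
    return {v: dict(by_nsi) for v, by_nsi in seen.items() if len(by_nsi) > 1}

# Constructed sample reply attributes; NSI type strings are placeholders.
SAMPLE = {
    "alice": [("Tunnel-Type", 0, "VLAN"), ("Tunnel-Medium-Type", 0, "802"),
              ("Tunnel-Private-Group-Id", 0, "100"),
              ("Extreme-NSI-Type", 2, "TYPE-B"), ("Extreme-NSI-ID", 2, "9999"),
              ("Extreme-NSI-Type", 1, "TYPE-A"), ("Extreme-NSI-ID", 1, "5000"),
              ("Fabric-Attach-ISID", 0, "100:7777")],
    "bob": [("Fabric-Attach-ISID", 0, "100:6000")],
    "carol": [("Tunnel-Private-Group-Id", 0, "200"),
              ("Extreme-NSI-Type", 1, "TYPE-A"), ("Extreme-NSI-ID", 1, "8000")],
}

if __name__ == "__main__":
    for vlan, by_nsi in find_conflicts(SAMPLE).items():
        print(f"VLAN {vlan} maps to multiple NSIs: {by_nsi}")
```
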