Defining VLAN/NSI Mappings with RADIUS Standards Attributes or VSAs

There are two ways to define the VLAN/NSI mapping using a combination of RADIUS Standards (RFC2868 and RFC3580) Attributes and/or Vendor Specific Attributes (VSAs).

  1. The presently supported RFC3580 VLAN can be associated with newly introduced Extreme Networks VSAs.
    • RFC2868 & RFC3580 RADIUS Attributes:
      • Attribute 64: Tunnel-Type = VLAN (13)
      • Attribute 65: Tunnel-Medium-Type = 802
      • Attribute 81: Tunnel-Private-Group-Id = <VlanID>
    • Extreme Networks VSAs:
      • Attribute 230: Extreme-NSI-Type
      • Attribute 231: Extreme-NSI-ID

    Take care when configuring these attributes manually. The Extreme-NSI-Type and Extreme-NSI-ID values require a “tag” byte so that multiple attribute pairs can be specified in the same RADIUS response (for example, in FreeRADIUS this is annotated with “has_tag”). At present, only one Type/ID pair is used. If more than one pair is present, the entry with the lowest tag value is used. This pair is associated with the VLAN given in Tunnel-Private-Group-Id. Note that although the Tunnel-Private-Group-Id attribute also supports an optional “tag” value, for backwards compatibility it is not currently used. Whether or not a “tag” value is specified in the Tunnel-Private-Group-Id attribute, it is matched to the Extreme-NSI-ID. Future releases may place additional restrictions on mismatched tags between the Tunnel-Private-Group-Id attribute and the Extreme-NSI-ID attribute.

  2. Alternatively, an existing Nortel/Avaya attribute can also be used. The attribute is of the form “VLAN:NSI”. As the VLAN is specified within the attribute, RFC2868 and RFC3580 attributes are not required:
    • Attribute 171: Fabric-Attach-ISID


If both attributes are present in the RADIUS attributes returned, the Extreme VSAs are used.

Starting with ExtremeXOS 22.5, policy can configure NSI mappings based on the RADIUS-returned “policy name”. This allows the mappings to be derived from the RADIUS configuration and avoids configuration conflicts between users. This makes it easier for all users that match a policy profile to get the same mapping.


Policy and RADIUS authentication is performed per-user, which means NSI mappings are also specified per user. Unless a common policy profile is used, you cannot prevent different users from mapping a VLAN to different NSI values.
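
The following added example (not Extreme Networks code) applies the selection rules above to already-parsed RADIUS replies and flags VLANs that different users map to different NSI values, which is useful when auditing a RADIUS configuration before deployment. The tuple layout, the function names, the sample users, the `TYPE_PLACEHOLDER` value, and the pairing of Type and ID by equal tag are assumptions made for illustration.

```python
from collections import defaultdict

def resolve_mapping(reply):
    """reply: (attribute, tag, value) tuples from one Access-Accept.
    Returns (vlan, nsi_type, nsi_id, source), or None if no mapping."""
    vlan = next((v for n, _, v in reply if n == "Tunnel-Private-Group-Id"), None)
    types = {t: v for n, t, v in reply if n == "Extreme-NSI-Type"}
    ids = {t: v for n, t, v in reply if n == "Extreme-NSI-ID"}
    pairs = sorted(set(types) & set(ids))  # assumption: a pair shares one tag
    if vlan is not None and pairs:
        tag = pairs[0]  # lowest tag wins; the VLAN attribute's own tag is ignored
        return int(vlan), types[tag], int(ids[tag]), "extreme-vsa"
    # Assumption: without a usable VSA pair plus VLAN, fall back to "VLAN:NSI".
    fa = next((v for n, _, v in reply if n == "Fabric-Attach-ISID"), None)
    if fa is not None:
        fa_vlan, fa_nsi = fa.split(":", 1)
        return int(fa_vlan), None, int(fa_nsi), "fabric-attach"
    return None

def find_conflicts(replies_by_user):
    """Return {vlan: {nsi_id: [users]}} for VLANs mapped to more than one NSI."""
    by_vlan = defaultdict(dict)
    for user, reply in replies_by_user.items():
        mapping = resolve_mapping(reply)
        if mapping:
            vlan, _, nsi_id, _ = mapping
            by_vlan[vlan].setdefault(nsi_id, []).append(user)
    return {v: nsis for v, nsis in by_vlan.items() if len(nsis) > 1}

# Constructed sample replies; "TYPE_PLACEHOLDER" stands in for a real NSI type.
SAMPLE = {
    "alice": [  # two tagged pairs plus Attribute 171: Extreme VSAs, tag 1, win
        ("Tunnel-Private-Group-Id", 2, "100"),
        ("Extreme-NSI-Type", 2, "TYPE_PLACEHOLDER"),
        ("Extreme-NSI-ID", 2, "20100"),
        ("Extreme-NSI-Type", 1, "TYPE_PLACEHOLDER"),
        ("Extreme-NSI-ID", 1, "10100"),
        ("Fabric-Attach-ISID", None, "100:99999"),
    ],
    "bob": [("Fabric-Attach-ISID", None, "100:10200")],
    "carol": [
        ("Tunnel-Private-Group-Id", None, "200"),
        ("Extreme-NSI-Type", 1, "TYPE_PLACEHOLDER"),
        ("Extreme-NSI-ID", 1, "20200"),
    ],
}

if __name__ == "__main__":
    for vlan, nsis in find_conflicts(SAMPLE).items():
        print(f"VLAN {vlan} maps to multiple NSIs: {nsis}")
```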