With EAP and FA, FA-capable switches or stacks can forward traffic from EAP/NEAP clients over the SPB cloud. The traffic for authenticated clients is mapped to I-SIDs received from the Extreme Management Center Access Control RADIUS server.
You must configure the desired bindings for EAP/NEAP clients on the RADIUS server. When confirming the authentication request, the RADIUS server also sends the corresponding binding for the EAP/NEAP client.
After an EAP/NEAP client is disconnected, the switch cleans up the binding associated with the client, if no other EAP/NEAP client on that port uses it.
When an EAP/NEAP client successfully authenticates on the ISW FA Client, the client port becomes a member of the VLAN from the I-SID/VLAN pair. The ISW FA Client sends the binding received from the RADIUS server to the FA Server/FA Proxy.
Port-based 802.1X: EAPoL authentication with Single-Host-Single-Authentication behavior (SHSA). This mode works with Fabric Attach RADIUS attributes.
Single 802.1X: EAPoL authentication with Multiple-Host-Single-Authentication behavior (MHSA). This mode works with Fabric Attach RADIUS attributes.
Multi 802.1X: EAPoL authentication with Multiple-Host-Multiple-Authentication behavior (MHMA). This mode does NOT work with Fabric Attach RADIUS attributes.
MAC-based: RADIUS MAC authentication (NEAP) with Single-Host-Single-Authentication behavior (SHSA). This mode works with Fabric Attach RADIUS attributes.
Note
The ISW can support MHMA in the MAC-based mode, but the last assigned RADIUS FA VLAN will apply to all authorized MACs on the port.
Note
Do not use NEAP (MAC-based mode) to connect Extreme WLAN Access Point FA Clients or to provision the ISW access port with the necessary VLANs. There are two reasons for this. First, the ISW can accept only one VLAN/I-SID binding per port. Second, a WLAN Access Point bridges wireless user MACs into the same ISW authorized port and would therefore require MHSA support, which the ISW provides only in EAP Single 802.1X mode.
The following is a list of VSAs added to support EAP FA functionality:
Extreme-Fabric-Attach-VLAN-ISID
This VSA consists of a (VLAN, I-SID) pair.
Multiple (VLAN, I-SID) pairs are processed only in MHSA mode.
Extreme-Fabric-Attach-VLAN-Create
If this VSA is set to TRUE, the VLANs received in all (VLAN, I-SID) pairs will be automatically created if they do not exist. This VSA is processed only in MHSA and MHMV modes.
Extreme-Fabric-Attach-VLAN-PVID
This VSA contains the value of the PVID that should be set on the port with the authenticated client.
Note
In the ISW FA implementation, the Fabric-Attach-VLAN-PVID attribute must always be supplied. This attribute determines what VLAN is set as access VLAN on the ISW switch port.
Extreme-Fabric-Attach-Mode
0 or not sent, when the switch is assumed to have no concept of SPB/AutoProv
1, when the switch is an FA Server in VLAN provision mode
2, when the switch is an FA Server in SPBM mode
3, when the switch is an FA Proxy with the connected FA Server in VLAN provision mode
4, when the switch is an FA Proxy with the connected FA Server in SPBM mode
5, when the switch is an FA Standalone Proxy
Extreme-Fabric-Attach-Client-Type
This VSA can have the following values:
1, FA Element Type Other
2, FA Server
3, FA Proxy
4, FA Server No Authentication
5, FA Proxy No Authentication
6, FA Client – Wireless AP Type 1 [clients direct network attachment]
7, FA Client – Wireless AP Type 2 [clients tunneled to controller]
Fabric-Attach-Client-PSK
This VSA can have the following values:
Not sent, when the PSK used is unknown
0, when dual-key authentication is disabled
10, when the FA Client failed FA TLV authentication using the default PSK
11, when the FA Client passed FA TLV authentication using the default PSK
100, when the FA Client failed FA TLV authentication using a user-defined PSK
101, when the FA Client passed FA TLV authentication using a user-defined PSK
Extreme-Fabric-Attach-Client-Id
This VSA contains the MAC address of the FA client, exported via FA Signaling.
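The following Python model ties together the authentication-mode rules (SHSA, MHSA, MHMA; one binding per port for NEAP) and the VLAN-ISID, VLAN-Create and VLAN-PVID attributes described above, including the binding clean-up on disconnect. It is an added example, not ISW or Extreme Management Center code: the "vlan:isid" text encoding of the VLAN-ISID pair, the Port and FaAccept class names, and the sample MAC addresses are assumptions made for the illustration; the VLAN (1-4094) and 24-bit I-SID ranges are standard values.

```python
"""Model of how an FA-capable access switch applies Fabric Attach RADIUS
attributes per authentication mode.  Constructed example: the mode rules
follow the documentation text; the 'vlan:isid' encoding is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Authentication behaviours named in the text
SHSA = "SHSA"   # Port-based 802.1X, or MAC-based (NEAP): one client, one binding
MHSA = "MHSA"   # Single 802.1X: multiple (VLAN, I-SID) pairs are processed
MHMA = "MHMA"   # Multi 802.1X: Fabric Attach attributes are NOT processed

VLAN_MIN, VLAN_MAX = 1, 4094
ISID_MIN, ISID_MAX = 1, 16777215   # I-SID is a 24-bit value


@dataclass
class FaAccept:
    """Fabric Attach attributes carried in one RADIUS Access-Accept."""
    vlan_isid: List[Tuple[int, int]]      # Extreme-Fabric-Attach-VLAN-ISID pairs
    pvid: Optional[int]                   # Extreme-Fabric-Attach-VLAN-PVID
    vlan_create: bool = False             # Extreme-Fabric-Attach-VLAN-Create


def parse_vlan_isid(value: str) -> Tuple[int, int]:
    """Parse an assumed 'vlan:isid' string and range-check both halves."""
    vlan_s, isid_s = value.split(":", 1)
    vlan, isid = int(vlan_s), int(isid_s)
    if not VLAN_MIN <= vlan <= VLAN_MAX:
        raise ValueError(f"VLAN {vlan} out of range")
    if not ISID_MIN <= isid <= ISID_MAX:
        raise ValueError(f"I-SID {isid} out of range")
    return vlan, isid


@dataclass
class Port:
    mode: str
    existing_vlans: Set[int]
    pvid: Optional[int] = None
    # binding -> MACs of authenticated clients that use it (for clean-up)
    bindings: Dict[Tuple[int, int], Set[str]] = field(default_factory=dict)

    def authenticate(self, mac: str, accept: FaAccept) -> List[Tuple[int, int]]:
        """Apply the Access-Accept for `mac`; return the bindings now held by the port."""
        if self.mode == MHMA:
            return []                      # FA attributes are ignored in MHMA
        if accept.pvid is None:
            raise ValueError("Fabric-Attach-VLAN-PVID must always be supplied")
        # Multiple pairs are processed only in MHSA; otherwise only the first applies
        pairs = accept.vlan_isid if self.mode == MHSA else accept.vlan_isid[:1]
        for vlan, isid in pairs:
            if vlan not in self.existing_vlans:
                if self.mode == MHSA and accept.vlan_create:
                    self.existing_vlans.add(vlan)   # VLAN-Create honoured in MHSA
                else:
                    raise ValueError(f"VLAN {vlan} does not exist and is not created")
            self.bindings.setdefault((vlan, isid), set()).add(mac)
        self.pvid = accept.pvid            # PVID becomes the port's access VLAN
        return sorted(self.bindings)

    def disconnect(self, mac: str) -> List[Tuple[int, int]]:
        """Drop `mac`; remove each binding no other client on the port still uses."""
        removed = []
        for binding, macs in list(self.bindings.items()):
            macs.discard(mac)
            if not macs:
                del self.bindings[binding]
                removed.append(binding)
        return removed


def demo() -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Two clients on a Single 802.1X (MHSA) port sharing one binding (constructed)."""
    port = Port(mode=MHSA, existing_vlans={10})
    first = FaAccept([parse_vlan_isid("10:10010"), parse_vlan_isid("20:10020")],
                     pvid=10, vlan_create=True)       # VLAN 20 is auto-created
    announced = port.authenticate("00:11:22:33:44:55", first)
    port.authenticate("00:11:22:33:44:66", FaAccept([(10, 10010)], pvid=10))
    # Only 20/10020 is cleaned up: 10/10010 is still used by the second client
    removed = port.disconnect("00:11:22:33:44:55")
    return announced, removed


if __name__ == "__main__":
    print(demo())
```

The model treats MAC-based (NEAP) ports as SHSA, so a second pair in the Access-Accept is silently not applied; a RADIUS policy that relies on several pairs per client should therefore only target Single 802.1X ports.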