Sample Configuration with User-Triggered Profiles

This example demonstrates how to configure a RADIUS server and Universal Port for user login. The first part of the example shows the RADIUS server configuration. For more information on RADIUS server configuration, see Security.

# Configure the RADIUS server for the userID and password pair.
# For FreeRADIUS, edit the users file located at /etc/raddb/users as shown in the 
# following lines.
#
#Sample entry of using an individual MAC addresses
00040D50CCC3    Auth-Type := EAP, User-Password == "00040D50CCC3"
Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
Extreme-Netlogin-VLAN = voice
#Sample entry of using wildcard MAC addresses (OUI Method)
00040D000000    Auth-Type := EAP, User-Password == "1234"
Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
Extreme-Netlogin-VLAN = voice
#Sample entry of using numeric UserID and password
10284    Auth-Type := EAP, User-Password == "1234"
Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
Extreme-Netlogin-Vlan = voice
#Sample entry of using a text UserID and password
Sales    Auth-Type := EAP, User-Password == "Money"
Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
Extreme-Netlogin-Vlan = v-sales
# Define the Extreme custom VSAs on RADIUS.
# For FreeRADIUS, edit the dictionary file located at //etc/raddb/dictionary to
# include the following details:
VENDOR          Extreme         1916
ATTRIBUTE       Extreme-CLI-Authorization       201     integer Extreme
ATTRIBUTE       Extreme-Shell-Command           202     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Vlan           203     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url            204     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Url-Desc       205     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Only           206     integer Extreme
ATTRIBUTE       Extreme-User-Location           208     string  Extreme
ATTRIBUTE       Extreme-Netlogin-Vlan-Tag       209     integer Extreme
ATTRIBUTE       Extreme-Netlogin-Extended-Vlan  211     string  Extreme
ATTRIBUTE       Extreme-Security-Profile        212     string  Extreme
ATTRIBUTE       Extreme-CLI-Profile             213     string  Extreme

VALUE   Extreme-CLI-Authorization       Disabled        0
VALUE   Extreme-CLI-Authorization       Enabled         1
VALUE   Extreme-Netlogin-Only           Disabled        0
VALUE   Extreme-Netlogin-Only           Enabled         1
# End of Dictionary
# Add the switch as an authorized client of the RADIUS server.
# For FreeRADIUS, edit the file located at //etc/raddb/clients.conf to include the
# switches as details:
#
client   192.168.10.4 {
secret = purple
shortname = SummitX
# End of clients.conf

The rest of this example demonstrates the configuration that takes place at the ExtremeXOS switch:

# Create the universal port profile for user-authenticate:
* switch 1 # create upm profile phone
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log message Starting_Script_Phone
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
#
create log message Starting_AUTH-VOIP_Port_$EVENT.USER_PORT
#******************************************************
# adds the detected port to the device "unauthenticated" profile port list
#******************************************************
create log message Updating_Unauthenticated_Port_List_Port_$EVENT.USER_PORT
#******************************************************
# Configure the LLDP options that the phone needs
#******************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
# If port is PoE capable, uncomment the following lines
#create log message UPM_Script_A-Phone_Finished_Port_$EVENT.USER_PORT
.
switch 2 #
#
# Create the universal port profile for user-unauthenticate on the switch:
#
switch 1 # create upm profile clearport
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log message STARTING_Script_CLEARPORT_on_$EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log message LLDP_Info_Cleared_on_$EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log message POE_Settings_Cleared_on_$EVENT.USER_PORT
create log message FINISHED_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* switch 2 #
# Configure RADIUS on the edge switch.
#
* switch 4 # config radius primary server 192.168.11.144 client-ip 192.168.10.4 vr "VR-Default"
* switch 5 # config radius primary shared-secret purple
# Configure Network Login on the edge switch.
#
For Network Login 802.1X, use the following command:
* switch 7 # create vlan nvlan
* switch 8 # config netlogin vlan nvlan
* switch 9 # enable netlogin dot1x
* switch 10 # enable netlogin ports 11-20 mode mac-based-vlans
* switch 11 # enable radius netlogin
#
# For Network Login MAC-based or OUI method, use the following command:
* switch 7 # create vlan nvlan
* switch 8 # config netlogin vlan nvlan
* switch 9 # enable netlogin mac
* switch 10 # config netlogin add mac-list 00:04:0D:00:00:00 24 1234
* switch 11 # enable radius netlogin
# Assign the user-authenticate profile to the edge port.
#
* switch 12 # configure upm event user-authenticate profile "phone" ports 11-20
* switch 13 #
# Assign the user-unauthenticate profile to the edge port.
#
* switch 14 # configure upm event user-unauthenticated profile "clearport" ports 11-20
* switch 15 #
# Check that the correct profiles are assigned to the correct ports.
#
* switch 16 # show upm profile
===========================================================
UPM Profile          Events               Flags Ports
===========================================================
phone                User-Authenticated      e  11-20
clearport          User-Unauthenticated      e  11-20
===========================================================
Number of UPM Profiles: 5
Number of UPM Events in Queue for execution: 0
Flags: d - disabled, e - enabled
Event name: log-message(Log filter name) - Truncated to 20 chars
# Enable LLDP message advertisements on the ports.
#
* switch 17 # enable lldp ports 11-20