Defining VLAN/NSI Mappings with RADIUS Standards Attributes or VSAs

There are two ways to define the VLAN/NSI mapping using a combination of RADIUS Standards (RFC2868 and RFC3580) Attributes and/or Vendor Specific Attributes (VSAs).

  1. The presently supported RFC3580 VLAN can be associated with newly introduced Extreme Networks VSAs.
    • RFC2868 & RFC3580 RADIUS Attributes:
      • Attribute 64: Tunnel-Type = VLAN (13)
      • Attribute 65: Tunnel-Medium-Type = 802
      • Attribute 81: Tunnel-Private-Group-Id=<VlanID>
    • Extreme Networks VSAs:
      • Attribute 230: Extreme-NSI-Type
      • Attribute 231: Extreme-NSI-ID

    If configuring these attributes manually, care must be taken. Extreme-NSI-Type and Extreme-NSI-ID values require a “tag” byte to allow for multiple attribute pairs to be specified in the same RADIUS response (For example, in FreeRADIUS this is annotated with “has_tag”). At present, only one Type/ID pair is used. If more than one pair is present, the entry with the lowest tag value is used. This is associated with the Tunnel-Private-Group-Id‘s VLAN. Note that although the Tunnel-Private-Group-id attribute also supports an optional “tag” value as well, for backwards compatibility it is not currently used. Whether or not a “tag” value is specified in the Tunnel-Private-Group-Id attribute, it is matched to the Extreme-NSI-ID. Future releases may place additional restrictions on mismatched tags between the Tunnel-Private-Group-Id attribute and the Extreme-NSI-ID attribute.

  2. Alternatively, an existing Nortel/Avaya attribute can also be used. The attribute is of the form “VLAN:NSI”. As the VLAN is specified within the attribute, RFC2868 and RFC3580 attributes are not required:
    • Attribute 171: Fabric-Attach-ISID
Note

Note

If both attributes are present in the RADIUS attributes returned, the Extreme VSAs is used.
Starting with ExtremeXOS 22.5, policy can configure NSI mappings based on the RADIUS-returned “policy name”. This allows the mappings to be derived from the RADIUS configuration and avoid configuration conflicts between users. This makes it easier for all users that match a policy profile to get the same mapping.
Note

Note

Policy and RADIUS authentication is performed per-user, which means NSI mappings are also specified per user. Unless a common policy profile is used, you cannot prevent different users from mapping a VLAN to different NSI values.