VSA Definitions for Web-Based, MAC-Based, and 802.1X Network Login contains the Vendor Specific Attribute (VSA) definitions that a RADIUS server can send to an Extreme switch after successful authentication.
These attributes must be configured on the RADIUS server along with the Extreme Networks Vendor ID, which is 1916.
VSA | Attribute Type | Format | Sent-in | Description |
---|---|---|---|---|
Extreme-CLI-Authorization | 201 | Integer | Access-Accept | Specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch. |
Extreme-Netlogin-VLAN-Name | 203 | String | Access-Accept | Name of destination VLAN after successful authentication (must already exist on switch). |
Extreme-Netlogin-URL | 204 | String | Access-Accept | Destination web page after successful authentication. |
Extreme-Netlogin-URL-Desc | 205 | String | Access-Accept | Text description of network login URL attribute. |
Extreme-Netlogin-Only | 206 | Integer | Access-Accept | Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of “0” (disabled) indicates that the user can also authenticate via other methods. |
Extreme-User-Location | 208 | String | | |
Extreme-Netlogin-VLAN-ID | 209 | Integer | Access-Accept | ID of destination VLAN after successful authentication (except for dynamic VLANs, must already exist on switch). |
Extreme-Netlogin-Extended-VLAN | 211 | String | Access-Accept | Name or ID of the destination VLAN after successful authentication (must already exist on switch). Note: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN. See the guidelines listed in the section VSA 211: Extreme-Netlogin-Extended-Vlan for more information. |
Extreme-Security-Profile | 212 | String | Access-Accept | Specifies a universal port profile to execute on the switch. For more information, see Universal Port. |
EXTREME_VM_NAME | 213 | String | Access-Accept | Specifies the name of the VM that is being authenticated. Example: MyVM1 |
EXTREME_VM_VPP_NAME | 214 | String | Access-Accept | Specifies the VPP to which the VM is to be mapped. Example: nvpp1 |
EXTREME_VM_IP_ADDR | 215 | String | Access-Accept | Specifies the IP address of the VM. Example: 11.1.1.254 |
EXTREME_VM_CTag | 216 | Integer | Access-Accept | Specifies the ID or tag of the destination VLAN for the VM. Example: 101 |
EXTREME_VM_VR_Name | 217 | String | Access-Accept | Specifies the VR in which the destination VLAN is to be placed. Example: UserVR1 |
The examples in the following sections are formatted for use in the FreeRADIUS users file. If you use another RADIUS server, the format might be different.
Note
For information on how to use and configure your RADIUS server, refer to the documentation that came with your RADIUS server.
For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.
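As an added example (not part of the Extreme documentation or the FreeRADIUS project), the following Python builds and parses the RFC 2865 Vendor-Specific attribute (type 26) that carries these VSAs on the wire, using vendor ID 1916 and the attribute numbers from the table above. It shows what the switch actually receives in an Access-Accept and rejects malformed length fields rather than trusting them. The sample Access-Accept attribute bytes are constructed here, and the Reply-Message attribute included in them is only filler.

```python
import struct

# Vendor ID and VSA numbers are taken from the page; the byte layout is the RFC 2865
# Vendor-Specific (type 26) attribute format that a RADIUS server emits for such VSAs.
EXTREME_VENDOR_ID = 1916
VENDOR_SPECIFIC = 26

# VSA number -> (attribute name, value format), from the table above.
EXTREME_VSAS = {
    201: ("Extreme-CLI-Authorization", "integer"),
    203: ("Extreme-Netlogin-VLAN-Name", "string"),
    204: ("Extreme-Netlogin-URL", "string"),
    205: ("Extreme-Netlogin-URL-Desc", "string"),
    206: ("Extreme-Netlogin-Only", "integer"),
    209: ("Extreme-Netlogin-VLAN-ID", "integer"),
    211: ("Extreme-Netlogin-Extended-VLAN", "string"),
    212: ("Extreme-Security-Profile", "string"),
}
# Named values the page gives for the two integer VSAs (1 = enabled, 0 = disabled).
NAMED_VALUES = {201: {0: "disabled", 1: "enabled"}, 206: {0: "Disabled", 1: "Enabled"}}


def encode_extreme_vsa(vsa_type, value):
    """Build one Vendor-Specific AVP carrying a single Extreme VSA.

    Layout: Type(1)=26 | Length(1) | Vendor-Id(4)=1916 | Vendor-Type(1) | Vendor-Length(1) | Value
    """
    _, fmt = EXTREME_VSAS[vsa_type]
    if fmt == "integer":
        payload = struct.pack("!I", int(value))      # 4-byte big-endian integer
    else:
        payload = str(value).encode("utf-8")
    sub_attr = struct.pack("!BB", vsa_type, 2 + len(payload)) + payload
    body = struct.pack("!I", EXTREME_VENDOR_ID) + sub_attr
    if 2 + len(body) > 255:                           # Length is a single byte in RADIUS
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_extreme_vsa(avp):
    """Parse one AVP. Returns (name, value) for an Extreme VSA, None for another vendor."""
    if len(avp) < 8 or avp[0] != VENDOR_SPECIFIC or avp[1] != len(avp):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    if vendor_id != EXTREME_VENDOR_ID:
        return None
    vtype, vlen = avp[6], avp[7]
    if vlen < 2 or 6 + vlen != len(avp):              # inner length must agree with outer length
        raise ValueError("vendor sub-attribute length does not match AVP length")
    payload = avp[8:6 + vlen]
    if vtype not in EXTREME_VSAS:
        return (f"Extreme-VSA-{vtype}", payload)      # not in the table above; keep raw bytes
    name, fmt = EXTREME_VSAS[vtype]
    if fmt == "integer":
        if len(payload) != 4:
            raise ValueError(f"{name}: integer VSA must be exactly 4 bytes")
        number = struct.unpack("!I", payload)[0]
        return (name, NAMED_VALUES.get(vtype, {}).get(number, number))
    return (name, payload.decode("utf-8"))


def decode_attributes(data):
    """Walk a concatenated attribute list (as found in an Access-Accept) and return the Extreme VSAs."""
    found, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length runs past end of packet")
        if data[pos] == VENDOR_SPECIFIC:
            decoded = decode_extreme_vsa(data[pos:pos + length])
            if decoded is not None:
                found.append(decoded)
        pos += length
    return found


# Constructed sample: the attributes of an Access-Accept for the 'purple' user from the page,
# with Netlogin-Only = Enabled and a filler Reply-Message (type 18) that the decoder skips.
SAMPLE_ACCEPT = (encode_extreme_vsa(203, "purple")
                 + encode_extreme_vsa(206, 1)
                 + b"\x12\x04ok")

if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE_ACCEPT):
        print(f"{name} = {value!r}")
```

The decoder checks that the vendor sub-attribute length agrees with the outer AVP length before slicing, which is the check a switch or a log parser needs so that a bad length byte cannot make it read past the attribute.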
The Extreme-CLI-Authorization attribute (VSA 201) specifies whether command authorization is enabled or disabled for the user on the ExtremeXOS switch.
If command authorization is disabled, the user has full access to all CLI commands. If command authorization is enabled, each command the user enters is accepted or rejected based on the contents of the profiles file on the RADIUS server.
When added to the RADIUS users file, the following example enables command authorization for the associated user:
When added to the RADIUS users file, the following example disables command authorization for the associated user:
Extreme: Extreme-CLI-Authorization = disabled
The Extreme-Netlogin-VLAN-Name attribute (VSA 203) specifies a destination VLAN name that the RADIUS server sends to the switch after successful authentication.
The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.
If none of the previously described attributes are present, ISP mode is assumed and the client remains in the configured VLAN.
When added to the RADIUS users file, the following example specifies the destination VLAN name, purple, for the associated user:
Extreme: Extreme-Netlogin-VLAN-Name = purple
The Extreme-Netlogin-URL attribute (VSA 204) specifies a web page URL that the RADIUS server sends to the switch after successful authentication. When the switch receives the attribute in response to a web-based network login, the switch redirects the web client to display the specified web page. If a login method other than web-based is used, the switch ignores this attribute.
The following example specifies the redirection URL to use after successful authentication.
To configure the redirect URL as http://www.myhomepage.com, add the following line:
Extreme: Extreme-Netlogin-URL = "http://www.myhomepage.com"
The Extreme-Netlogin-URL-Desc attribute (VSA 205) provides a redirection description that the RADIUS server sends to the switch after successful authentication. When the switch receives this attribute in response to a web-based network login, the switch temporarily displays the redirect message while the web client is redirected to the web page specified by attribute 204. If a login method other than web-based is used, the switch ignores this attribute.
The following example specifies a redirect description to send to the switch after successful authentication:
Extreme: Extreme-Netlogin-URL-Desc = "Authentication successful. Stand by for the home page."
The Extreme-Netlogin-Only attribute (VSA 206) can be used to allow normal authentication or to restrict authentication to the network login method only.
When this attribute is assigned to a user and authentication is successful, the RADIUS server sends the configured value back to the switch. The configured value is either disabled or enabled.
The Extreme switch uses the value received from the RADIUS server to determine if the authentication is valid. If the configured value is disabled, all normal authentication processes are supported (Telnet and SSH, for example), so the switch accepts the authentication. If the configured value is enabled, the switch verifies whether network login was used for authentication. If network login was used for authentication, the switch accepts the authentication. If an authentication method other than network login was used, the switch rejects the authentication.
Add the following line to the RADIUS server users file for users who are not restricted to network login authentication:
Extreme:Extreme-Netlogin-Only = Disabled
Add the following line to the RADIUS server users file for users who are restricted to network login authentication:
Extreme:Extreme-Netlogin-Only = Enabled
To reduce the quantity of information sent to the switch, the RADIUS server sends either a 1 for the enabled configuration or a 0 for the disabled configuration.
These values must be configured in the RADIUS dictionary file as shown in Configuring the Dictionary File.
The Extreme-Netlogin-VLAN-ID attribute (VSA 209) specifies a destination VLAN ID (or VLAN tag) that the RADIUS server sends to the switch after successful authentication.
The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.
If none of the previously described attributes are present, ISP mode is assumed and the client remains in the configured VLAN.
When added to the RADIUS users file, the following example specifies the destination VLAN ID, 234, for the associated user:
Extreme:Extreme-Netlogin-VLAN-ID = 234
The Extreme-Netlogin-Extended-VLAN attribute (VSA 211) specifies one or more destination VLANs that the RADIUS server sends to the switch after successful authentication.
You can specify VLANs by VLAN name or ID (tag). The VLANs must either already exist on the switch or, if you have enabled dynamic VLANs and a non-existent VLAN tag is given, the VLAN is created.
If the client is already authenticated and a single VLAN move from the list of VLANs in the VSA fails, then with a move-fail-action of authenticate the client is left as-is. If the client is not already authenticated (first-time authentication), it is authenticated on learnedOnVlan if possible. If move-fail-action is deny, the client is unauthenticated from all the VLANs where it is currently authenticated. There is no partial success.
Note
If one or more VLANs in the VSA are invalid, the supplicant is not authenticated on any of them. For example, if the VSA is Uvoice;Tdata and the VLAN data does not have a tag or does not exist, then the port movement fails. Even if only a single VLAN in the list is invalid, the entire list is discarded and the action taken is based on the move-fail-action configuration.
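As an added example (not code from the Extreme documentation), the following Python models the VSA 211 rules described above: it parses a value such as Uvoice;Tdata into tagged/untagged VLAN entries, checks each entry against a constructed table of switch VLANs, and applies the all-or-nothing rule, where one invalid entry discards the whole list and move-fail-action then decides the outcome. The switch VLAN table, the DYN_VLAN_ naming for a dynamically created VLAN, and the learnedOnVlan value are assumptions made for the example.

```python
# Constructed switch state for this example: VLAN name -> 802.1Q tag (None = no tag configured).
SWITCH_VLANS = {"voice": 100, "data": None, "purple": 234}


def parse_extended_vlan(vsa):
    """Split a VSA 211 value such as 'Uvoice;Tdata' into (tagged, vlan) pairs.

    Each entry starts with U (untagged) or T (tagged) and names the VLAN by name or by tag.
    """
    entries = []
    for item in vsa.split(";"):
        item = item.strip()
        if len(item) < 2 or item[0] not in "UT":
            raise ValueError(f"entry {item!r} does not state tagged/untagged")
        ident = item[1:]
        entries.append((item[0] == "T", int(ident) if ident.isdigit() else ident))
    return entries


def resolve_vlan(vlans, tagged, vlan, dynamic_vlans):
    """Name of the VLAN the port would join, or None when that move would fail."""
    if isinstance(vlan, int):                      # referenced by tag
        for name, tag in vlans.items():
            if tag == vlan:
                return name
        if dynamic_vlans and 1 <= vlan <= 4094:    # created on demand when dynamic VLANs are enabled
            return f"DYN_VLAN_{vlan}"              # hypothetical name for the auto-created VLAN
        return None
    if vlan not in vlans:                          # referenced by name: must already exist
        return None
    if tagged and vlans[vlan] is None:             # a tagged move needs a tag on the VLAN
        return None
    return vlan


def apply_extended_vlan(vsa, current_vlans, vlans, move_fail_action,
                        dynamic_vlans=False, learned_on_vlan=None):
    """Model the all-or-nothing rule: one bad entry discards the list, then move-fail-action decides.

    current_vlans: VLANs the client is already authenticated on ([] for a first-time login).
    Returns (authenticated, vlans_after, reason).
    """
    try:
        targets = []
        for tagged, vlan in parse_extended_vlan(vsa):
            name = resolve_vlan(vlans, tagged, vlan, dynamic_vlans)
            if name is None:
                raise ValueError(f"cannot move {'tagged' if tagged else 'untagged'} to VLAN {vlan!r}")
            targets.append((tagged, name))
    except ValueError as err:
        if move_fail_action == "deny":
            return (False, [], str(err))                       # unauthenticated from every VLAN
        if current_vlans:                                      # authenticate: client left as-is
            return (True, list(current_vlans), str(err))
        if learned_on_vlan is not None:                        # first login: fall back to learnedOnVlan
            return (True, [(False, learned_on_vlan)], str(err))
        return (False, [], str(err))
    return (True, targets, "ok")


if __name__ == "__main__":
    # The page's example: 'data' has no tag, so the tagged move fails and the whole list is dropped.
    print(apply_extended_vlan("Uvoice;Tdata", [], SWITCH_VLANS, "deny"))
    print(apply_extended_vlan("Uvoice;T234", [], SWITCH_VLANS, "deny"))
```

Note that the function never returns a partial list: a client is either moved to every VLAN in the VSA or to none of them, which is the property to check when testing a RADIUS policy that hands out multi-VLAN assignments.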