Standard RADIUS Attributes Used by Extreme Switches

The ExtremeXOS software uses standard RADIUS attributes to send information in an Access-Request message to a RADIUS server.

The software also accepts some standard RADIUS attributes in the Access-Accept message that the RADIUS server sends to the switch after successful authentication. The switch ignores attributes that it is not programmed to use.

Table 1, Standard RADIUS Attributes Used by Network Login, lists the standard RADIUS attributes used by the ExtremeXOS software.

Table 1. Standard RADIUS Attributes Used by Network Login
| Attribute | RFC | Attribute Type | Format | Sent-in | Description |
|---|---|---|---|---|---|
| User-Name | RFC 2138 | 1 | String | Access-Request | Specifies a user name for authentication. |
| Calling-Station-ID | RFC 2865 | 31 | String | Access-Request | Identifies the phone number for the supplicant requesting authentication. |
| EAP-Message | RFC 3579 | 79 | String | Access-Request, Access-Challenge, Access-Accept, and Access-Reject | Encapsulates EAP packets. |
| Login-IP-Host | RFC 2138 | 14 | Address | Access-Request and Access-Accept | Specifies a host to log into after successful authentication. |
| Message-Authenticator | RFC 3579 | 80 | String | Access-Request, Access-Challenge, Access-Accept, and Access-Reject | Contains a hash of the entire message that is used to authenticate the message. |
| NAS-Port-Type | RFC 2865 | 61 | Integer | Access-Request | Identifies the port type for the port through which authentication is requested. |
| Service-Type | RFC 2138 | 6 | String | Access-Accept | Specifies the granted service type in an Access-Accept message. See Attribute 6: Service Type below. |
| Session-Timeout | RFC 2865 | 27 | Integer | Access-Accept, Access-Challenge | Specifies how long the user session can last before authentication is required. |
| State | RFC 2865 | 24 | String | Access-Challenge, Access-Request | Site specific. |
| Termination-Action | RFC 2865 | 29 | Integer | Access-Accept | Specifies how the switch should respond to service termination. |
| Tunnel-Medium-Type | RFC 2868 | 65 | Integer | Access-Accept | Specifies the transport medium used when creating a tunnel for protocols (for example, VLANs) that can operate over multiple transports. |
| Tunnel-Private-Group-ID | RFC 2868 | 81 | Integer/String | Access-Accept | Specifies the VLAN ID of the destination VLAN after successful authentication; used to derive the VLAN name. Usually, the Integer VLAN ID (1-4094) is used. However, if the desired VLAN is statically configured and bound to a specific VLAN ID, the VLAN name string can be used for this attribute as well. |
| Tunnel-Type | RFC 2868 | 64 | Integer | Access-Accept | Specifies the tunneling protocol that is used. |
| User-Password | RFC 2138 | 2 | String | Access-Request | Specifies a password for authentication. |

Attribute 6: Service Type

During authentication, ExtremeXOS, in conformance with RFC 2865, sends the following Service-Type value for each authentication method:
  • Web-Auth—“Login”
  • MAC-Auth—“Call Check”
  • Dot1x—“Framed”

Extreme Networks switches have two levels of user privilege:
  • read-only
  • read-write

Because no command line interface (CLI) commands are available to modify the privilege level, access rights are determined when you log in. For a RADIUS server to identify the administrative privileges of a user, Extreme Networks switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept packet, after successfully authenticating the user.

Extreme Networks switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is transmitted as part of the Access-Accept message from the RADIUS server. Any other Service-Type value, or no value at all, results in the switch granting read-only access to the user. Different implementations of RADIUS handle attribute transmission differently. You should consult the documentation for your specific implementation of RADIUS when you configure users for read-write access.
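To check which privilege level and VLAN a RADIUS server's reply would produce under the rules above, the following added example (not ExtremeXOS code) decodes an Access-Accept and applies the Service-Type and Tunnel-Private-Group-ID rules. The function names and the sample packets are constructed for illustration, and the example assumes the last Service-Type attribute wins if more than one is present.

```python
import struct

ACCESS_ACCEPT = 2              # RADIUS packet code (RFC 2865)
SERVICE_TYPE = 6               # attribute types from Table 1
TUNNEL_PRIVATE_GROUP_ID = 81
ADMINISTRATIVE = 6             # Service-Type value that grants read-write

def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS packet into (type, value) pairs, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def expected_grant(packet: bytes) -> dict:
    """Privilege and VLAN the page's rules imply for this Access-Accept."""
    privilege, vlan = "read-only", None   # default when Service-Type is absent
    for a_type, value in parse_attributes(packet):
        if a_type == SERVICE_TYPE:
            # RFC 2865 carries Service-Type as a 4-octet value on the wire.
            ok = len(value) == 4 and struct.unpack("!I", value)[0] == ADMINISTRATIVE
            privilege = "read-write" if ok else "read-only"
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first octet <= 0x1F is a tag, not part of the string.
            text = value[1:] if value[0] <= 0x1F else value
            vlan = text.decode("ascii", "replace")
    return {"privilege": privilege, "vlan": vlan}

def build_accept(attrs: list[tuple[int, bytes]]) -> bytes:
    """Constructed sample packet; the zeroed authenticator is a placeholder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    admin = build_accept([(SERVICE_TYPE, struct.pack("!I", 6)),
                          (TUNNEL_PRIVATE_GROUP_ID, b"\x00120")])
    framed = build_accept([(SERVICE_TYPE, struct.pack("!I", 2))])
    print(expected_grant(admin), expected_grant(framed))
```

Running it over captured Access-Accept payloads from a test login is a quick way to confirm that only the intended accounts receive Service-Type 6.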