EXOS – 802.1x

18th January 2016 by Martin Flammia

Filed under Extreme Networks EXOS

Last modified 18th January 2016

With port authentication (802.1x), you start by configuring the IP address of the RADIUS server and the client IP, which is the source address. In the example below, the Netlogin VLAN is used to hold all unauthenticated users.

Authenticated users are put into the VLAN that RADIUS returns via the various VSAs. In the example below, the following VSA will put the port into the ‘engineering’ VLAN.

Configuration example

Vendor Specific Attributes (VSA) Table

| VSA | Attribute Type | Format | Sent-in | Description |
|---|---|---|---|---|
| Extreme-CLI-Authorization | 201 | Integer | Access-Accept | Specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch. |
| Extreme-Shell-Command | 202 | String | | |
| Extreme-Netlogin-VLAN-Name | 203 | String | Access-Accept | Name of destination VLAN after successful authentication (must already exist on switch). |
| Extreme-Netlogin-URL | 204 | | Access-Accept | Destination web page after successful authentication. |
| Extreme-Netlogin-URL-Desc | 205 | | Access-Accept | Text description of network login URL attribute. |
| Extreme-Netlogin-Only | 206 | | | Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of “0” (disabled) indicates that the user can also authenticate via other methods. |
| Extreme-User-Location | 208 | ... | | |
| Extreme-Netlogin-VLAN-ID | 209 | | Access-Accept | ID of destination VLAN after successful authentication (must already exist on switch). |
| Extreme-Netlogin-Extended-VLAN | 211 | | Access-Accept | Name or ID of the destination VLAN after successful authentication (must already exist on switch). NOTE: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN. See the guidelines listed in the section “VSA 211: Extreme-Netlogin-Extended-Vlan” on page 883 for more information. |
| Extreme-Security-Profile | 212 | | Access-Accept | Specifies a universal port profile to execute on the switch. For more information, see Chapter 6, “Universal Port.” |
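How VSA 203 is carried inside an Access-Accept and how to check the VLAN it assigns, as an added example that is not from the original post. It assumes the RFC 2865 Vendor-Specific layout (attribute type 26) and Extreme Networks' IANA enterprise number 1916; the sample packet attributes and the VLAN names other than ‘engineering’ are constructed.

```python
import struct

EXTREME_VENDOR_ID = 1916   # Extreme Networks IANA enterprise number (assumption, not on the page)
VENDOR_SPECIFIC = 26       # RFC 2865 attribute type that wraps every VSA
# Decoders only for the VSAs whose format the table above states.
DECODERS = {
    201: ("Extreme-CLI-Authorization", lambda b: struct.unpack("!I", b)[0]),
    203: ("Extreme-Netlogin-VLAN-Name", lambda b: b.decode("utf-8")),
}

def build_vsa(vendor_type, value):
    """Encode one Extreme sub-attribute inside a Vendor-Specific attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", EXTREME_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def parse_extreme_vsas(attrs):
    """Walk a RADIUS attribute list and return {vendor_type: (name, value)}."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + a_len]
        i += a_len
        # Skip non-VSA attributes and VSAs that belong to other vendors.
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != EXTREME_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(body):
            v_type, v_len = body[j], body[j + 1]
            if v_len < 2 or j + v_len > len(body):
                raise ValueError("bad sub-attribute length")
            name, decode = DECODERS.get(v_type, ("VSA-%d" % v_type, bytes))
            found[v_type] = (name, decode(body[j + 2:j + v_len]))
            j += v_len
    return found

def vlan_assignment_ok(attrs, switch_vlans):
    """True only if VSA 203 names a VLAN that already exists on the switch."""
    vsa = parse_extreme_vsas(attrs).get(203)
    return vsa is not None and vsa[1] in switch_vlans

# Constructed sample: a User-Name attribute followed by VSA 203 = "engineering".
SAMPLE = bytes([1, 5]) + b"bob" + build_vsa(203, b"engineering")
```

Running `vlan_assignment_ok` over the attributes of a captured Access-Accept, with the switch's VLAN list as the allow-list, flags a RADIUS policy that returns a VLAN name the switch does not have.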

VSA Examples

VSA 201

VSA 203

VSA 204

VSA 205

VSA 206

VSA 209

 
