Microsoft NPS server VSA configuration for Extreme-CLIAuthorization
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎02-13-2015 01:01 AM
I'm trying to configure management access to our new extreme 8810s via a microsoft NPS server (running on 2012 R2, but the NPS portion hasn't changed since 2008).
I've defined a policy tied to a windows group and the authentication works, but my user had RO access only.
To fix this I've defined a VSA with Vendor Code 1916, set the attribute to "Yes It Conforms", Vendor-Assigned Attribute number is 201, Attribute format is Decimal, Attribute value is set to 1.
This should allow my switch adminstrator login to have RW access to the switch, but I'm still getting RO access only.
Here is a screencap of my settings: http://imgur.com/VCswKOg
Does anyone have additional documentation or experience getting this VSA to work with the microsoft NPS? So far research hasn't turned up any working examples.
I've defined a policy tied to a windows group and the authentication works, but my user had RO access only.
To fix this I've defined a VSA with Vendor Code 1916, set the attribute to "Yes It Conforms", Vendor-Assigned Attribute number is 201, Attribute format is Decimal, Attribute value is set to 1.
This should allow my switch adminstrator login to have RW access to the switch, but I'm still getting RO access only.
Here is a screencap of my settings: http://imgur.com/VCswKOg
Does anyone have additional documentation or experience getting this VSA to work with the microsoft NPS? So far research hasn't turned up any working examples.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-22-2015 06:20 PM
If you don't use any RADIUS proxy, than pap is sufficient for management login. Your credentials are secured by the RADIUS shared secret. So, there is no need for challenge handshake protocols.
Kind regrards
Christoph
Kind regrards
Christoph
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-22-2015 06:20 PM
Hi Christoph,
Thanks for your information.
Thanks for your information.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-21-2015 01:46 PM
Hi sir,
What Authentication Method support ?
NPS -> don't work in mschapv2 /mschap / chap,only work in pap.
Extreme Switch mgmt-access only support pap ?
Thanks
What Authentication Method support ?
NPS -> don't work in mschapv2 /mschap / chap,only work in pap.
Extreme Switch mgmt-access only support pap ?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎02-13-2015 04:33 AM
Thank you my friend, that fixed the issue, just adding that field under standard worked.
I've been pulling my hair out over this  Ran a wireshark trace, found that everything was being sent to the switch etc.
Hopefully Extreme can update their documentation, its a little scant for Radius. Can't wait to start working on 802.1x next week 
I've been pulling my hair out over this  Ran a wireshark trace, found that everything was being sent to the switch etc.
Hopefully Extreme can update their documentation, its a little scant for Radius. Can't wait to start working on 802.1x next week 
