topic Re: Delete and Add RADIUS-Cisco attributes in ExtremeCloud IQ- Site Engine Management Center

Delete and Add RADIUS-Cisco attributes

Anonymous — Thu, 28 Nov 2019 00:45:18 GMT

Hi,

I’ve been tasked with replacing another vendors NAC solution with an Extreme one, like for like.

One of the configuration elements is to inject, deleting and adding the following outbound attributes:

The configuration section to do this is shown below:

So the two problems I have is:

I don’t see a canned attribute for Cisco Airespace?
Can see how to substitute, but how do you delete?

Sure in the past I’ve created my own attributes, but it has been a while. Still leaves the question about deleting attributes?

Appreciate any advise in advance.

Re: Delete and Add RADIUS-Cisco attributes

Ryan_Yacobucci — Thu, 28 Nov 2019 04:22:40 GMT

Hey Martin,

Check this article out:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-NAC-for-custom-radius-attributes

It looks like we have those defined specifically for the “Airespace” vendor.

root@NAC2.nacabucci.com:/opt/nac/radius/share/freeradius$ cat dictionary.airespace
# -*- text -*-
# Copyright (C) 2015 The FreeRADIUS Server project and contributors
#
# As found on the net.
#
# $Id: 5d952f9bb26324e61f139aef9ae9e552ed36dcb9 $
#
VENDOR Airespace 14179

BEGIN-VENDOR Airespace
ATTRIBUTE Airespace-Wlan-Id 1 integer
ATTRIBUTE Airespace-QOS-Level 2 integer
ATTRIBUTE Airespace-DSCP 3 integer
ATTRIBUTE Airespace-8021p-Tag 4 integer
ATTRIBUTE Airespace-Interface-Name 5 string
ATTRIBUTE Airespace-ACL-Name 6 string

VALUE Airespace-QOS-Level Bronze 3
VALUE Airespace-QOS-Level Silver 0
VALUE Airespace-QOS-Level Gold 1
VALUE Airespace-QOS-Level Platinum 2

END-VENDOR Airespace

I suspect they are the same.

Can you give an example for the delete portion? If NAC is acting as the terminating RADIUS server we won’t need to delete any attribute, we just won’t add it.

If you’re in a proxy RADIUS environment the default action on a profile is to “Replace RADIUS attributes”. So if an AVP is defined in NAC it will replace any of the same attribute returned from the proxy RADIUS server.

If you want to completed delete an AVP and not replace it with anything, that is a situation we’ll have to talk further about as NAC can only delete attributes that it will replace.

As far as injecting an attribute NAC can inject RADIUS attributes to be proxied to other servers.

Thanks

-Ryan

Re: Delete and Add RADIUS-Cisco attributes

Anonymous — Thu, 28 Nov 2019 05:49:07 GMT

Hi Ryan,

Thanks for posting back so quickly.

Also for the information, that’s great they are there as makes it a little easier. That article looks familiar now, thanks.

As for the attributes I believe they need to be deleted, that’s how they are configured in the current system so would need to replicate,

It is using proxy RADIUS, so my assumption is either they are being omitted because the information is wished not to be shared, or the other end doesn’t like them… the former being my guess?

The configuration uses a common SSID for multiple different forms of authentication processing, local and proxy, so are probably being used in some form for something else.

So deleting sounds like a possibility but perhaps not a simple one?

Cheers,

Martin

Re: Delete and Add RADIUS-Cisco attributes

Anonymous — Tue, 02 Mar 2021 18:23:19 GMT

Hi Ryan,

Have an additional question on this topic.

The deletion and insertion (or replace, depending how you look at it) of attributes is required when proxying the request, which is defined here:

The section in part, mentioned above I believe is the other direct, when ExtremeControl intercepts and relays the authentication request back to the originating RADIUS server, which is configured here:

So the question is the latter would replace the AVP attributes with whatever I have configured, but what I actually need is to either only send specified attributes to the proxied server or remove / delete what's being sent via the originating RADIUS server.

The configuration is:

Which implies it is only injecting (appending), rather then replacing?

Don’t suppose you know either way, primarily I need to do then following when forwarding to Proxied RADIUS server:

•   Attrib: Airspace-802.1p-TAG
•   Attrib: Airspace-Interface-Name
•   Attrib: Airespace-WLAN-Id
•   Atrrib: cisco-av-pair

Add the following attributes

• Attrib: Airspave-Interface-Name
• Attrib New Value: viaem

Thanks