Microsoft NPS server VSA configuration for Extreme-CLIAuthorization


Userlevel 2
I'm trying to configure management access to our new Extreme 8810s via a Microsoft NPS server (running on 2012 R2, but the NPS portion hasn't changed since 2008).

I've defined a policy tied to a Windows group and the authentication works, but my user had RO access only.

To fix this I've defined a VSA with Vendor Code 1916, set the attribute to "Yes It Conforms", Vendor-Assigned Attribute number is 201, Attribute format is Decimal, Attribute value is set to 1.

This should allow my switch administrator login to have RW access to the switch, but I'm still getting RO access only.

Here is a screencap of my settings: http://imgur.com/VCswKOg

Does anyone have additional documentation or experience getting this VSA to work with the Microsoft NPS? So far research hasn't turned up any working examples.

6 replies

Userlevel 7
I tried that successfully in my lab 2 weeks ago, so below are my notes with screenshots.

It looks like our screenshots are identical, so I think the only thing missing on your side is to set the Service-Type to Administrative.
I ran into the same issue and it took me a while to find the error.

http://1drv.ms/17qObes
Userlevel 7
Ron wrote:

I tried that successfully in my lab 2 weeks ago, so below are my notes with screenshots.

It looks like our screenshots are identical, so I think the only thing missing on your side is to set the Service-Type to Administrative.
I ran into the same issue and it took me a while to find the error.

http://1drv.ms/17qObes

link update....

https://1drv.ms/b/s!AsN2m43dxCYKhCkIlw6h7m57hHDp
Userlevel 2
Thank you my friend, that fixed the issue, just adding that field under standard worked.

I've been pulling my hair out over this 😛 Ran a Wireshark trace, found that everything was being sent to the switch etc.

Hopefully Extreme can update their documentation, it's a little scant for RADIUS. Can't wait to start working on 802.1x next week 😛
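For anyone debugging the same thing from a packet capture, here is an added example (not part of the original thread, and not Extreme or Microsoft code) that parses the attributes of a RADIUS Access-Accept and reports whether it carries both Service-Type = Administrative and the vendor 1916 / attribute 201 VSA. The sample packets are constructed, and it is an assumption that NPS encodes the "Decimal" VSA value as a 4-byte integer.

```python
import struct

EXTREME_VENDOR_ID = 1916                # vendor code from the thread
CLI_AUTHZ_ATTR = 201                    # vendor-assigned attribute number from the thread
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26   # RFC 2865 attribute types
ADMINISTRATIVE = 6                      # RFC 2865 Service-Type value
ACCESS_ACCEPT = 2                       # RFC 2865 packet code

def parse_attributes(packet: bytes):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def check_accept(packet: bytes) -> dict:
    """Report the Service-Type and the Extreme VSA value found in an Access-Accept."""
    result = {"is_accept": packet[0] == ACCESS_ACCEPT,
              "service_type": None, "cli_authorization": None}
    for atype, value in parse_attributes(packet):
        if atype == SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            # walk the vendor sub-attributes: type, length, data
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if vendor == EXTREME_VENDOR_ID and sub[0] == CLI_AUTHZ_ATTR and sub[1] == 6:
                    result["cli_authorization"] = struct.unpack("!I", sub[2:6])[0]
                sub = sub[sub[1]:]
    result["ok"] = (result["is_accept"] and result["service_type"] == ADMINISTRATIVE
                    and result["cli_authorization"] == 1)
    return result

def build_accept(attrs: bytes) -> bytes:
    """Constructed sample packet; the authenticator is zeroed, not computed."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed attributes: VSA with value 1 (assumed 4-byte integer) and Service-Type
VSA = struct.pack("!BBIBBI", VENDOR_SPECIFIC, 12, EXTREME_VENDOR_ID, CLI_AUTHZ_ATTR, 6, 1)
SVC = struct.pack("!BBI", SERVICE_TYPE, 6, ADMINISTRATIVE)
print(check_accept(build_accept(VSA)))        # VSA only, as in the original policy
print(check_accept(build_accept(SVC + VSA)))  # with Service-Type added
```

To use it on a real trace, pass the raw RADIUS payload bytes of the Access-Accept (UDP payload, without IP/UDP headers) to `check_accept`.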
Hi sir,

Which authentication methods are supported?
NPS -> doesn't work with MSCHAPv2 / MSCHAP / CHAP, only works with PAP.
Does Extreme switch mgmt-access only support PAP?

Thanks
Userlevel 3
If you don't use any RADIUS proxy, then PAP is sufficient for management login. Your credentials are secured by the RADIUS shared secret. So, there is no need for challenge handshake protocols.

Kind regards
Christoph
Christoph wrote:

If you don't use any RADIUS proxy, then PAP is sufficient for management login. Your credentials are secured by the RADIUS shared secret. So, there is no need for challenge handshake protocols.

Kind regards
Christoph

Hi Christoph,

Thanks for your information.
