
Delete and Add RADIUS-Cisco attributes


Anonymous
Not applicable

Hi,

I’ve been tasked with replacing another vendor's NAC solution with an Extreme one, like for like.

One of the configuration elements is to inject, delete and add the following outbound attributes:

 

RADIUS Dictionary | Attribute | Type | Operation | New Value
RADIUS-Cisco Airespace | Airespace-802.1p-Tag | Unsigned Integer 32 | DELETE
RADIUS-Cisco Airespace | Airespace-Interface-Name | String | DELETE
RADIUS-Cisco Airespace | Airespace-Wlan-Id | Unsigned Integer 32 | DELETE
RADIUS-Cisco | cisco-av-pair | String | DELETE
RADIUS-Cisco Airespace | Airespace-Interface-Name | String | ADD | SomeWord

 

The configuration section to do this is shown below:

 

[two screenshots of the configuration section]

 

So the two problems I have are:

  • I don’t see a canned attribute for Cisco Airespace?
  • Can see how to substitute, but how do you delete?

 

Sure in the past I’ve created my own attributes, but it has been a while. Still leaves the question about deleting attributes?

 

Appreciate any advice in advance.

 

3 REPLIES

Anonymous
Not applicable

Hi Ryan,

Have an additional question on this topic. 

The deletion and insertion (or replace, depending how you look at it) of attributes is required when proxying the request, which is defined here:

[screenshot]

 

The section mentioned above, I believe, is the other direction, when ExtremeControl intercepts and relays the authentication request back to the originating RADIUS server, which is configured here:

 

[screenshot]

So the question is the latter would replace the AVP attributes with whatever I have configured, but what I actually need is to either only send specified attributes to the proxied server or remove / delete what's being sent via the originating RADIUS server.

The configuration is:

[screenshot]

 

Which implies it is only injecting (appending), rather than replacing?

Don’t suppose you know either way? Primarily I need to do the following when forwarding to the proxied RADIUS server:


•    Attrib: Airespace-802.1p-TAG
•    Attrib: Airespace-Interface-Name
•    Attrib: Airespace-WLAN-Id
•    Attrib: cisco-av-pair

Add the following attributes

•    Attrib: Airespace-Interface-Name
•    Attrib New Value: viaem
 

Thanks

 

Anonymous
Not applicable

Hi Ryan,

Thanks for posting back so quickly.

Also for the information, that’s great they are there as makes it a little easier. That article looks familiar now, thanks.

As for the attributes, I believe they need to be deleted; that’s how they are configured in the current system, so I would need to replicate that.

It is using proxy RADIUS, so my assumption is either they are being omitted because the information is wished not to be shared, or the other end doesn’t like them… the former being my guess?

The configuration uses a common SSID for multiple different forms of authentication processing, local and proxy, so are probably being used in some form for something else.

So deleting sounds like a possibility but perhaps not a simple one?

Cheers,

Martin

Ryan_Yacobucci
Extreme Employee

Hey Martin,

 

Check this article out:

 

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-NAC-for-custom-radius-att...

It looks like we have those defined specifically for the “Airespace” vendor.

 

root@NAC2.nacabucci.com:/opt/nac/radius/share/freeradius$ cat dictionary.airespace
# -*- text -*-
# Copyright (C) 2015 The FreeRADIUS Server project and contributors
#
#       As found on the net.
#
#       $Id: 5d952f9bb26324e61f139aef9ae9e552ed36dcb9 $
#
VENDOR          Airespace                       14179

BEGIN-VENDOR    Airespace
ATTRIBUTE       Airespace-Wlan-Id                       1       integer
ATTRIBUTE       Airespace-QOS-Level                     2       integer
ATTRIBUTE       Airespace-DSCP                          3       integer
ATTRIBUTE       Airespace-8021p-Tag                     4       integer
ATTRIBUTE       Airespace-Interface-Name                5       string
ATTRIBUTE       Airespace-ACL-Name                      6       string

VALUE   Airespace-QOS-Level             Bronze                  3
VALUE   Airespace-QOS-Level             Silver                  0
VALUE   Airespace-QOS-Level             Gold                    1
VALUE   Airespace-QOS-Level             Platinum                2

END-VENDOR Airespace
 

I suspect they are the same. 

 

Can you give an example for the delete portion? If NAC is acting as the terminating RADIUS server we won’t need to delete any attribute, we just won’t add it.

 

If you’re in a proxy RADIUS environment the default action on a profile is to “Replace RADIUS attributes”. So if an AVP is defined in NAC it will replace any of the same attribute returned from the proxy RADIUS server.

 

If you want to completely delete an AVP and not replace it with anything, that is a situation we’ll have to talk further about, as NAC can only delete attributes that it will replace.

 

 

As far as injecting an attribute, NAC can inject RADIUS attributes to be proxied to other servers.

 

Thanks

-Ryan 
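
An added example (not from the thread and not ExtremeControl's code) that models the replace-only behaviour described in the reply above, so you can see which of the attributes marked for deletion would still reach the far side. It uses the vendor ID and attribute numbers from the `dictionary.airespace` listing; the function names, the `corp` value and the sample bytes are constructed for illustration, and the decoder only handles Airespace vendor-specific attributes.

```python
import struct

VENDOR_ID = 14179  # "VENDOR Airespace 14179" in the dictionary listing above
# Numbers and types copied from that listing (subset used in the thread).
ATTRS = {"Airespace-Wlan-Id": (1, "integer"),
         "Airespace-8021p-Tag": (4, "integer"),
         "Airespace-Interface-Name": (5, "string")}
BY_NUM = {num: (name, typ) for name, (num, typ) in ATTRS.items()}

def encode_vsa(name, value):
    """Encode one Airespace attribute as a Vendor-Specific (type 26) AVP."""
    num, typ = ATTRS[name]
    data = struct.pack("!I", value) if typ == "integer" else value.encode()
    body = struct.pack("!IBB", VENDOR_ID, num, len(data) + 2) + data
    return struct.pack("!BB", 26, len(body) + 2) + body

def decode_avps(buf):
    """Return [(name, value)] for the Airespace VSAs in an attribute section."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute length")
        atype, body = buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]
        if atype != 26 or len(body) < 6:
            continue  # not a vendor-specific attribute
        vendor, num, vlen = struct.unpack("!IBB", body[:6])
        if vendor != VENDOR_ID or num not in BY_NUM or not 2 <= vlen <= len(body) - 4:
            continue  # other vendor, unknown attribute, or bad inner length
        name, typ = BY_NUM[num]
        raw = body[6:4 + vlen]
        if typ == "integer" and len(raw) != 4:
            continue
        value = struct.unpack("!I", raw)[0] if typ == "integer" else raw.decode(errors="replace")
        out.append((name, value))
    return out

def replace_attributes(upstream, defined):
    """Model of the behaviour described in the reply: an attribute defined in
    the profile replaces every upstream copy; undefined ones pass through."""
    return [(n, v) for n, v in upstream if n not in defined] + list(defined.items())

def still_present(avps, must_delete):
    """Names from must_delete that remain after the policy was applied."""
    return [n for n, _ in avps if n in must_delete]

# Constructed sample: attribute bytes as they might arrive from the other server.
SAMPLE = (encode_vsa("Airespace-Wlan-Id", 5) + encode_vsa("Airespace-8021p-Tag", 3)
          + encode_vsa("Airespace-Interface-Name", "corp"))

if __name__ == "__main__":
    out = replace_attributes(decode_avps(SAMPLE), {"Airespace-Interface-Name": "viaem"})
    print(out, still_present(out, {"Airespace-Wlan-Id", "Airespace-8021p-Tag"}))
```

Run against attribute bytes taken from a packet capture on the outbound side, `still_present` gives a quick check of whether the deletions from the old system have actually been replicated.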

 

 
