
Trying to set up MFA via Tiny RADIUS in Okta for accessing our Extreme Switches via web/cli/ssh


rcparker
New Contributor

We're successful in setting this up to the point we can authenticate via MFA on PuTTY, but we can't authenticate past anything other than read-only. We've set the Vendor ID to 1916 (Extreme Networks) and have attempted multiple VSAs (Vendor-Specific Attributes) combined with multiple values, to no avail.

Has anyone done this with Okta? Does anyone know how to view the RADIUS dictionary on an Extreme switch without contacting Extreme support?

 

We've tried these VSA and value combinations. Are there any others we should try, or a different syntax that works with Okta and EXOS?

"ATTRIBUTE Extreme-Login-Service 100 integer" with "VALUE Extreme-Service-Type System-Administrator 8"

"ATTRIBUTE Extreme-Service-Type 1 integer" with "VALUE Extreme-Service-Type Super-User 32768"

"ATTRIBUTE Extreme-Shell-Command 202 string" with "VALUE Extreme-Login-Service SSH 32"

2 REPLIES

Kawawa
Extreme Employee

Have you tried using the standard RADIUS attribute Service-Type with a value of Administrative? The following documentation explains this: https://documentation.extremenetworks.com/switchengine_32.7.1/GUID-739FD162-2AE4-4E0E-878B-7DED2D5D0...

The very last paragraph states:

"Extreme Networks switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is transmitted as part of the Access-Accept message from the RADIUS server. Other Service-Type values or no value, result in the switch granting read-only access to the user."

Correct, we've tried a multitude of combinations from Administrative, Admin, administrative, admin; pretty much every combo listed here and then some:

https://gitlab.com/wireshark/wireshark/-/blob/f5dc703259b398678effb11d9d55d0f017146053/radius/dictio...
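An added example, not part of the thread or of any Okta or Extreme tooling: a small Python check that decodes the raw UDP payload of a RADIUS reply (RFC 2865 layout) and reports whether it carries Service-Type 6, which the documentation quoted above says is what grants read-write access. The function names are hypothetical and the two sample packets are constructed; the VSA sample reuses vendor ID 1916 with attribute 100 and value 8 from the question.

```python
import struct

ACCESS_ACCEPT = 2     # RFC 2865 packet code
SERVICE_TYPE = 6      # RFC 2865 attribute type
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type
ADMINISTRATIVE = 6    # Service-Type value the quoted documentation requires


def parse_attributes(packet: bytes):
    """Yield (type, value) for each attribute TLV in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def exos_privilege(packet: bytes) -> dict:
    """Summarise the reply and the access level the quoted doc says it yields."""
    result = {"service_type": None, "vsas": [], "access": "none"}
    for atype, value in parse_attributes(packet):
        if atype == SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            result["vsas"].append((struct.unpack("!I", value[:4])[0], value[4:]))
    if packet[0] == ACCESS_ACCEPT:
        admin = result["service_type"] == ADMINISTRATIVE
        result["access"] = "read-write" if admin else "read-only"
    return result


def build(code: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs


# Constructed samples (not captures), identifier 1, zeroed authenticator.
VSA_ONLY = build(2, bytes([26, 12]) + struct.pack("!IBBI", 1916, 100, 6, 8))
WITH_SERVICE_TYPE = build(2, bytes([6, 6]) + struct.pack("!I", 6))

if __name__ == "__main__":
    print(exos_privilege(VSA_ONLY), exos_privilege(WITH_SERVICE_TYPE), sep="\n")
```

Feeding it the Access-Accept payload captured between the RADIUS server and the switch shows whether Service-Type is present as the standard attribute or only inside a Vendor-Specific attribute.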
