
Management Access to Avaya 8300/8600 Switch via NAC RADIUS Server.

Mikhail
New Contributor
There is an Avaya 8300 switch and NAC.
I need management login to the switch CLI via NAC RADIUS. In the documentation for the Avaya 8300 switch I read that there is an Avaya VSA, "Access-Priority", which needs to be sent in the RADIUS accept message from the RADIUS server to have mgmt access to the Avaya switch. But I can't access the switch!
I've done a TCP dump and saw that there is no Access-Priority attribute in the RADIUS accept packet. Standard attributes (e.g. Service-Type or Tunnel-Group-Id and others) are sent by the RADIUS server. I think this is because the NAC RADIUS server does not know Avaya VSAs.
So, can I do something to resolve this problem? I don't want to go deep into NAC's file system to find the FreeRADIUS attributes file and write this attribute myself. Maybe there is some tool to do it from the GUI, or some other way to do it without the risk of breaking the NAC system?

Thanks.
5 REPLIES 5

Markus5
Extreme Employee
Hi Mikhail,

For Avaya branded firmware versions you don't need to worry about Avaya VSAs. For Nortel branded firmware versions it's/was more "complicated", different to configure.

In your case, just add the following line to the RADIUS Return Attributes for your Avaya
switch(es) in NAC Manager -> Switches Tab -> Edit Switch -> RADIUS Return Attributes, select
the one you are currently using:

Service-Type=%Custom1% (or %Custom2%...%Custom5%)

In the NAC Profile which is used/applied for CLI access, just use the following values in
the Custom1 to Custom5 fields, whichever you used in the above defined RADIUS Return Attribute:

A value of "6" gives you admin/RW privileges in the CLI (telnet/SSH).
A value of "7" gives you read-only privileges.

That's it basically and has worked so far for any Avaya switches.

Hope this helps.

Kind regards,

Markus
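
The check discussed in this thread (does the Access-Accept carry Service-Type 6 or 7, and are any Vendor-Specific attributes present?) can be done on captured packet bytes. The following is an added example, not code from the thread or from the NAC product; the function names and the sample packets are constructed for illustration, and the RW/read-only labels follow the reply above.

```python
import struct

# RFC 2865 Service-Type values; privilege mapping as described in the reply above
SERVICE_TYPES = {6: "Administrative (RW CLI)", 7: "NAS-Prompt (read-only CLI)"}


def parse_radius(packet: bytes) -> dict:
    """Walk the attribute list of a RADIUS packet (UDP payload only)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    result = {"code": code, "service_type": None, "vsas": []}
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == 6 and len(value) == 4:      # Service-Type, 32-bit integer
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == 26 and len(value) >= 6:   # Vendor-Specific attribute
            vendor_id = struct.unpack("!I", value[:4])[0]
            result["vsas"].append((vendor_id, value[4]))  # (vendor id, vendor type)
        pos += alen
    return result


def cli_privilege(packet: bytes) -> str:
    """Report which CLI privilege an Access-Accept (code 2) would grant."""
    info = parse_radius(packet)
    if info["code"] != 2:
        return "not an Access-Accept"
    return SERVICE_TYPES.get(info["service_type"], "no CLI-relevant Service-Type")


def build_accept(attrs: bytes) -> bytes:
    # Constructed sample packet: code 2, id 1, zeroed authenticator
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs


SAMPLE_ADMIN = build_accept(struct.pack("!BBI", 6, 6, 6))  # Service-Type=6
SAMPLE_RO = build_accept(struct.pack("!BBI", 6, 6, 7))     # Service-Type=7

if __name__ == "__main__":
    for name, pkt in (("admin", SAMPLE_ADMIN), ("read-only", SAMPLE_RO)):
        print(name, "->", cli_privilege(pkt), parse_radius(pkt)["vsas"])
```

Feed it the UDP payload of the Access-Accept exported from the capture; an empty `vsas` list together with a Service-Type of 6 or 7 matches the setup the reply describes.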
