Support for the RADIUS user-name attribute in Access-Accept messages

ICX devices support the RADIUS user-name (type 1) attribute in the Access-Accept message returned during authentication.

In 802.1X authentication, the user-name attribute is useful when the client does not provide a username in the EAP-response/identity frame and the username is key to providing useful information.

In MAC authentication, the user-name attribute is useful to bind the user-name with the client MAC address, as the client never provides it, and the username is key to providing useful information.

When sFlow forwarding is enabled on a Flexible authentication-enabled interface, the samples taken from the interface include the username string at the inbound or outbound port, or both, if that information is available. For more information on sFlow, refer to the Ruckus FastIron Monitoring Configuration Guide.

For example, when the user-name attribute is sent in the Access-Accept message, it is then available for display in sFlow sample messages sent to a collector and in the output of some show auth commands, such as show auth sessions and show auth session detail.

This same information is included as the user-name attribute of RADIUS accounting messages sent to RADIUS accounting servers.

To enable the user-name attribute, add the following information on the RADIUS server.

Table 1. RADIUS user-name attribute details

Attribute name

Type

Value

user-name

1

name (string)