Configuring ICX Vendor Specific Attributes on the RADIUS server

If the RADIUS authentication is successful, the RADIUS server sends an Access-Accept message to the ICX device, authenticating the client. The Access-Accept message can include attributes that specify additional information about the client. If MAC authentication and 802.1X authentication are configured on the same port, attributes listed in the following tables can be configured on the RADIUS server.

Attributes should be added to the RADIUS server configuration and configured in the individual or group profiles of the devices to be authenticated. The ICX device supports two Vendor-IDs: 1991 (Foundry) and 25053 (Ruckus). The Foundry Vendor ID is supported for backward compatibility. For more information, refer to Configuring RADIUS. The following tables list the attributes for Foundry and Ruckus VSAs.

These attributes are optional.

Table 1. Foundry VSAs for RADIUS
Attribute name Attribute ID Data type Description
Foundry-802_1x-enable 6 integer

Specifies whether 802.1X authentication is performed when MAC authentication is successful for a device.

This attribute can be set to one of the following:

0 - Do not perform 802.1X authentication on a device that passes MAC authentication.

1 - Perform 802.1X authentication when a device passes MAC authentication.

Foundry-802_1x-valid 7 integer

Specifies whether the RADIUS record is valid only for MAC authentication, or for both MAC authentication and 802.1X authentication.

This attribute can be set to one of the following:

0 - The RADIUS record is valid only for MAC authentication. Set this attribute to 0 to prevent a user from using their MAC address as the username and password for 802.1X authentication.

1 - The RADIUS record is valid for both MAC and 802.1X authentication.

Foundry-COA-Command-List 10 string

Specifies the CoA command to be performed. This attribute can be set to one of the following:

Reauth-host - reauthenticate the host.

Disable-port - disable the port.

Flip-port - flip or reset the port.

Foundry-Voice-Phone-Config 11 string

Identifies the client as a voice phone device and optionally specifies the voice phone device configuration. When the device is a phone, LLDP/CDP is configured to provide the voice VLAN to the phone, so the phone uses a voice session. LLDP supports additional options, such as differentiated services code point (DSCP) and priority, to configure the MED policy. The following options can be specified through this VSA:

" " - DSCP: 46, priority: 5 (default)

"dscp:40; priority:4" - DSCP: 40, priority: 4

"dscp:30" - DSCP: 30, priority: 5

"priority:7" - DSCP: 46, priority: 7.

Table 2. Ruckus VSAs for RADIUS
Attribute name Attribute ID Data type Description
Ruckus FlexAuth AVP 20 string

This is a generic attribute-value pair (AVP) attribute, which can specify the following attributes (similar to the Foundry VSAs):

dot1x-enable (same as Foundry-802_1x-enable)

dot1x-valid (same as Foundry-802_1x-valid)

coa-attr (same as Foundry-COA-Command-List)

voice-phone (same as Foundry-Voice-Phone-Config).
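
To check what a RADIUS server actually sends for a profile, the following added example (not taken from the Ruckus documentation) encodes and decodes the VSAs in Tables 1 and 2 and resolves the effective DSCP and priority of a Foundry-Voice-Phone-Config value. It assumes the standard Vendor-Specific layout from RFC 2865 (attribute type 26, 4-byte Vendor-Id, then vendor type, length and value); the function names and the sample bytes are illustrative.

```python
import struct

# (vendor_id, attribute_id) -> (name, data type), copied from Tables 1 and 2
VSAS = {
    (1991, 6): ("Foundry-802_1x-enable", "integer"),
    (1991, 7): ("Foundry-802_1x-valid", "integer"),
    (1991, 10): ("Foundry-COA-Command-List", "string"),
    (1991, 11): ("Foundry-Voice-Phone-Config", "string"),
    (25053, 20): ("Ruckus FlexAuth AVP", "string"),
}

def encode_vsa(vendor_id, attr_id, value):
    """Build one Vendor-Specific attribute (type 26, RFC 2865 section 5.26)."""
    kind = VSAS[(vendor_id, attr_id)][1]
    data = struct.pack("!I", value) if kind == "integer" else value.encode()
    sub = bytes([attr_id, len(data) + 2]) + data
    return bytes([26, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

def decode_vsas(attrs):
    """Return {name: value} for the ICX VSAs found in a RADIUS attribute list."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if atype != 26 or len(body) < 6:
            continue                      # not a usable Vendor-Specific attribute
        vendor, sub = struct.unpack("!I", body[:4])[0], body[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            name, kind = VSAS.get((vendor, sub[0]), (None, None))
            data, sub = sub[2:sub[1]], sub[sub[1]:]
            if kind == "integer" and len(data) == 4:
                found[name] = struct.unpack("!I", data)[0]
            elif kind == "string":
                found[name] = data.decode("utf-8", "replace")
    return found

def voice_phone_policy(cfg):
    """Effective (DSCP, priority) for a Foundry-Voice-Phone-Config value."""
    policy = {"dscp": 46, "priority": 5}  # defaults listed in Table 1
    for part in filter(None, map(str.strip, cfg.split(";"))):
        key, _, val = part.partition(":")
        if key.strip() not in policy:
            raise ValueError("unknown option: %r" % part)
        policy[key.strip()] = int(val)
    return policy["dscp"], policy["priority"]

# Constructed sample (not captured traffic): a MAC-authentication-only phone profile
SAMPLE = encode_vsa(1991, 7, 0) + encode_vsa(1991, 11, "dscp:40; priority:4")
```

Running `decode_vsas` over the attribute bytes of an Access-Accept taken from a test capture makes it easy to confirm, for example, that MAC-authentication-only records really carry Foundry-802_1x-valid set to 0.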