Company-specific attributes on the RADIUS server

Note: For all RUCKUS devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication.

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the RUCKUS device, authenticating the user. Within the Access-Accept packet are three required RUCKUS vendor-specific attributes that indicate the following:

  • The privilege level of the user
  • A list of commands
  • Whether the user is allowed or denied usage of the commands in the list

You must add at least these three RUCKUS vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the RUCKUS device.

RUCKUS Vendor-ID is 1991, with Vendor-Type 1.

The following table describes the all of the available RUCKUS vendor-specific attributes.

Table 1. RUCKUS vendor-specific attributes for RADIUS

Attribute name

Attribute ID

Data type

Description

foundry-privilege-level

1

integer

Specifies the privilege level for the user. This attribute can be set to one of the following:

  • 0 - Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
  • 4 - Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) parameters.
  • 5 - Read Only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.

foundry-command-string

2

string

Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured.

The commands are delimited by semi-colons (;). You can specify an asterisk (*) as a wildcard at the end of a command string.

For example, the following command list specifies all show and debug ip commands, as well as the write terminal command:

show *; debug ip *; write term*

foundry-command-exception-flag

3

integer

Specifies whether the commands indicated by the foundry-command-string attribute are permitted or denied to the user. This attribute can be set to one of the following:

  • 0 - Permit execution of the commands indicated by foundry-command-string, deny all other commands.
  • 1 - Deny execution of the commands indicated by foundry-command-string, permit all other commands.

foundry-access-list

5

string

Specifies the access control list to be used for RADIUS authorization. Enter the access control list in the following format.

type=string, value="ipacl.[e|s].[in|out] = [ acl-name | acl-number ] separator macfilter.in = [ acl-name | acl-number ]

Where:

  • separator can be a space, newline, semicolon, comma, or null characater
  • ipacl.e is an extended ACL; ipacl.s is a standard ACL.

foundry-MAC-authent-needs-802x

6

integer

Specifies whether or not 802.1x authentication is required and enabled.

0 - Disabled

1 - Enabled

foundry-802.1x-valid-lookup

7

integer

Specifies if 802.1x lookup is enabled:

0 - Disabled

1 - Enabled

foundry-MAC-based-VLAN-QOS

8

integer

Specifies the priority for MAC-based VLAN QOS:

0 - qos_priority_0

1 - qos_priority_1

2 - qos_priority_2

3 - qos_priority_3

4 - qos_priority_4

5 - qos_priority_5

6 - qos_priority_6

7 - qos_priority_7

foundry-coa-command

10

string

Specifies to perform CoA command dynamically on the port or host after the device or user is authenticated.

disable-port - Disables the specified port.

reauth-host - Re-authenticate the host specified by MAC address.

flip-port - Brings the port up and down with some delay between the toggle.

modify-acl - Replace the specified ACL with the session's existing ACL. Modify-ACL is supported with the Filter-Id (11) attribute. The IP ACL specified through the Filter-Id attribute replaces the session's existing ACL configuration.