Configure RADIUS
- Instructions for setting up CLI users for RADIUS authentication can be found in Application Note: Configuring Policy via Radius Authentication
For 802.1x - If provisioning with NAC, provision the options provided in Panorama PON EMS and provision the FILTER-ID parameter in the RADIUS server.
See the following list of RADIUS server packages and links for detailed information on applying a FILTER-ID attribute for 802.1x, or VSA for Craft User Access, if using one of the listed RADIUS products:
- Cisco Identity Services Engine (ISE) - Application Note: Interfacing with Cisco ISE
- Microsoft Network Policy Server (NPS) - Application Note: Radius with Windows Policy Server
- Juniper User Access Control (UAC) - http://www.juniper.net/us/en/products-services/security/uac/
- ClearPass - Application Note: Interfacing with Aruba ClearPass
- Forescout - Application Note: Interfacing with Forescout
- FortiNAC
- FreeRADIUS - http://freeradius.org/doc/

Note: If not using one of the RADIUS products listed above, see the manufacturer's documentation for information on applying a FILTER-ID attribute for 802.1x, or VSA for Craft User Access.
802.1x FILTER-ID Attribute
Use the following syntax for the 802.1x FILTER-ID attribute when provisioning 802.1x with NAC:
Note: See the documentation provided by the manufacturer of the specific RADIUS product installed for information on applying the 802.1x FILTER-ID attribute.
TLAB:PROFILE-SVC=<service profile name>[;PROFILE-SVC=<a secondary profile>][;IFALIAS=<port-user-label>]
or as separate attributes:
TLAB:PROFILE-SVC=<service profile name>
TLAB:PROFILE-SVC=<a secondary service profile name>
TLAB:IFALIAS=<port-user-label>
Vendor Specific Attribute (VSA)
The following table lists the supported Tellabs vendor-specific attributes to be used when provisioning RADIUS to enable secure communications between Tellabs devices and external devices.
| Field | Description |
| --- | --- |
| Number | All attributes are extensions of the IETF attribute 26. |
| Vendor Specific Command Code | A defined code used to identify a particular vendor. Code 1397 defines Tellabs VSAs. |
| Sub-Type Number | The attribute ID number. This number is much like the ID numbers of IETF attributes, except it is a "second layer" ID number encapsulated behind attribute 26. The Tellabs Sub-Type Number is 11. |
Note: See the documentation provided by the manufacturer of the specific RADIUS product installed for information on applying VSA for Craft User Access.
The following is an example of how the VSA attributes are provisioned in a FreeRADIUS implementation:
Setting up VSA on freeradius running on LINUX
========================================
/usr/local/share/freeradius/dictionary.tellabs

VENDOR Tellabs 1397
BEGIN-VENDOR Tellabs
ATTRIBUTE 11XXUserRoles 11 string
END-VENDOR Tellabs
To assign passwords and user roles:
Assigning password and user roles
===========================
/usr/local/etc/raddb/users

testadmin Cleartext-Password := "testadmin"
    11XXUserRoles = "Admin"
secadmin Cleartext-Password := "secadmin"
    11XXUserRoles = "SecurityAdmin"
The RADIUS server can also be configured to use a Lightweight Directory Access Protocol (LDAP) user database.
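
The "second layer" encapsulation described in the VSA table, as an added example (not Tellabs or FreeRADIUS code): it builds and parses the on-the-wire bytes for attribute 26 / vendor 1397 / sub-type 11, so the attributes of a captured Access-Accept can be checked for the expected role. It assumes the standard RFC 2865 VSA layout (1-byte sub-type, 1-byte length), which is what the dictionary entry above selects by default; the function names and the sample attribute list are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # IETF attribute that carries every VSA
TELLABS_VENDOR_ID = 1397  # vendor code from the table
USER_ROLES_SUBTYPE = 11   # Tellabs sub-type from the table

def encode_user_roles(role: str) -> bytes:
    """Wrap a role string as attribute 26 / vendor 1397 / sub-type 11."""
    value = role.encode("ascii")
    if len(value) > 247:  # 255 - 2 (attr hdr) - 4 (vendor id) - 2 (sub hdr)
        raise ValueError("role string too long for one RADIUS attribute")
    sub = bytes([USER_ROLES_SUBTYPE, 2 + len(value)]) + value
    body = struct.pack("!I", TELLABS_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def extract_user_roles(attributes: bytes) -> list:
    """Return every Tellabs sub-type 11 value in a RADIUS attribute list."""
    roles, pos = [], 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        a_type, a_len = attributes[pos], attributes[pos + 1]
        if a_len < 2 or pos + a_len > len(attributes):
            raise ValueError("bad attribute length")
        data, pos = attributes[pos + 2:pos + a_len], pos + a_len
        if a_type != VENDOR_SPECIFIC or len(data) < 4:
            continue  # not a VSA
        if struct.unpack("!I", data[:4])[0] != TELLABS_VENDOR_ID:
            continue  # another vendor's VSA, even if its sub-type is also 11
        sub, i = data[4:], 0
        while i < len(sub):
            if i + 2 > len(sub) or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("bad sub-attribute length")
            if sub[i] == USER_ROLES_SUBTYPE:
                roles.append(sub[i + 2:i + sub[i + 1]].decode("ascii"))
            i += sub[i + 1]
    return roles

# Constructed sample: Reply-Message (18), a VSA from a made-up vendor 99999,
# then the Tellabs VSA for the "SecurityAdmin" role.
SAMPLE_ATTRIBUTES = (
    bytes([18, 4]) + b"ok"
    + bytes([26, 9]) + struct.pack("!I", 99999) + bytes([11, 3]) + b"x"
    + encode_user_roles("SecurityAdmin")
)

if __name__ == "__main__":
    print(encode_user_roles("Admin").hex())
    print(extract_user_roles(SAMPLE_ATTRIBUTES))
```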