Sending Avaya-Fabric-Attach-VLAN-ISID and Avaya-Fabric-Attach-VLAN-PVID after successful authentication

Jan Hugo Prins jhp at jhprins.org
Tue Oct 15 14:29:53 CEST 2019


Hello,

I have a cluster of freeradius servers running with an LDAP backend
which all works fine. I'm also able to return the correct VLAN
information after a successful authentication of a client. That way I
can put clients in the correct VLAN based on the authentication /
authorization matrix etc. Very nice.

In my core network I have Avaya / Extreme VSP 7000 switches in SPBM mode
and I would like to configure a port on those switches after successful
authentication, but they don't want VLAN information, but they want
something else:

VSAs
• Avaya-Fabric-Attach-VLAN-ISID
• Avaya-Auto-VLAN-Create
• Avaya-Fabric-Attach-VLAN-PVID

Documentation about this states the following:

Avaya-Fabric-Attach-VLAN-ISID
 - This VSA consists of a (VLAN, I-SID) pair. Multiple (VLAN, I-SID)
pairs are processed only in MHSA mode.

Avaya-Auto-VLAN-Create
 - If this VSA is set to TRUE, the VLANs received in all (VLAN, I-SID)
pairs will be automatically created if they do not exist. This VSA is
processed only in MHSA and MHMV modes.

Avaya-Fabric-Attach-VLAN-PVID
 - This VSA contains the value of the PVID that should be set on the
port with the authenticated client. The Avaya-Fabric-Attach-VLAN-PVID
VSA is processed only in MHSA mode.

The switch sends the following in an access request packet:

VSAs sent from switch to RADIUS server:

• Avaya-Fabric-Attach-Mode
This VSA can have the following values:
- 0 or not sent, when Switch is assumed to have no concept of SPB/AutoProv
- 1, when the switch is an FA Server in VLAN provision mode
- 2, when the switch is an FA Server in SPBM mode
- 3, when the switch is an FA Proxy with the connected FA Server in VLAN
provision mode
- 4, when the switch is an FA Proxy with the connected FA Server in SPBM
mode
- 5, when the switch is an FA Standalone Proxy

• Avaya-Fabric-Attach-Client-Type
This VSA can have the following values:
- 1, FA Element Type Other
- 2, FA Server
- 3, FA Proxy
- 4, FA Server No Authentication
- 5, FA Proxy No Authentication
- 6, FA Client – Wireless AP Type 1 [clients direct network attachment]
- 7, FA Client – Wireless AP Type 2 [clients tunneled to controller]

• Avaya-Fabric-Attach-Client-Id
This VSA contains the MAC address of the FA client, exported via FA
Signaling.

Does FreeRadius currently support this anywhere in a version?
Is there a way to get this working by correctly filling the dictionary file?

The man page for the dictionary file states that the VSAs configured
there will never be sent in a RADIUS packet, which makes me suspect that
this won't work?

Documentation on this can be found in
https://downloads.avaya.com/css/P8/documents/101026369

Thank you very much.
Jan Hugo Prins





