Ruckus-specific attributes on the RADIUS server
During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the Ruckus device, authenticating the user. Within the Access-Accept packet are three required Ruckus vendor-specific attributes that indicate the following:
- The privilege level of the user
- A list of commands
- Whether the user is allowed or denied usage of the commands in the list
You must add at least these three Ruckus vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the Ruckus device.
Ruckus Vendor-ID is 1991, with Vendor-Type 1.
The following table describes all of the available Ruckus vendor-specific attributes.
Attribute name | Attribute ID | Data type | Description
---|---|---|---
foundry-privilege-level | 1 | integer | Specifies the privilege level for the user. This attribute can be set to one of the following:
foundry-command-string | 2 | string | Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured. The commands are delimited by semicolons (;). You can specify an asterisk (*) as a wildcard at the end of a command string. For example, the following command list specifies all show and debug ip commands, as well as the write terminal command: `show *; debug ip *; write term*`
foundry-command-exception-flag | 3 | integer | Specifies whether the commands indicated by the foundry-command-string attribute are permitted or denied to the user. This attribute can be set to one of the following:
foundry-access-list | 5 | string | Specifies the access control list to be used for RADIUS authorization. Enter the access control list in the following format: `type=string, value="ipacl.[e\|s].[in\|out] = [ acl-name \| acl-number ] separator macfilter.in = [ acl-name \| acl-number ]` Where:
foundry-MAC-authent-needs-802x | 6 | integer | Specifies whether or not 802.1x authentication is required and enabled: 0 - Disabled; 1 - Enabled
foundry-802.1x-valid-lookup | 7 | integer | Specifies whether 802.1x lookup is enabled: 0 - Disabled; 1 - Enabled
foundry-MAC-based-VLAN-QOS | 8 | integer | Specifies the priority for MAC-based VLAN QoS: 0 - qos_priority_0; 1 - qos_priority_1; 2 - qos_priority_2; 3 - qos_priority_3; 4 - qos_priority_4; 5 - qos_priority_5; 6 - qos_priority_6; 7 - qos_priority_7
foundry-coa-command | 10 | string | Specifies a CoA (Change of Authorization) command to perform dynamically on the port or host after the device or user is authenticated: disable-port - Disables the specified port; reauth-host - Re-authenticates the host specified by MAC address; flip-port - Brings the port down and back up with a delay between the toggles; modify-acl - Replaces the session's existing ACL with the specified ACL. modify-acl is supported with the Filter-Id (11) attribute: the IP ACL specified through Filter-Id replaces the session's existing ACL configuration.