ºÚÁϺ£½Ç91Èë¿Ú

Configure RADIUS Reply Attributes for User Groups in the API

Get the strength and security of RADIUS without building, maintaining, or monitoring physical servers. It’s quick to roll out managed RADIUS to your organization to authenticate users to Wi-Fi, VPNs, switches, and network devices securely. Read this article to learn how to use functions in the JumpCloud PowerShell Module to configure RADIUS Reply Attributes like VLAN tagging for user groups.

To configure RADIUS Reply Attributes for User Groups, read Configure Radius Reply Attributes for User Groups.

Prerequisites:

Definition of terms:

  • RADIUS Reply Attributes: Values used to define specific authentication and authorization elements on user profiles. 
  • VLAN Tagging: A type of RADIUS reply attribute that can be used to manage user authentication and authorization to a virtual network. 

About RADIUS Reply Attributes

  • Use the PowerShell Module to configure RADIUS reply attributes on user groups. Reply attributes can be applied across multiple users and RADIUS servers by adding users to user groups, then connecting user groups to RADIUS servers. 
  • RADIUS reply attributes are returned in the Access-Accept messages sent to endpoints that authenticate with JumpCloud RADIUS.
  • When a user is part of many user groups that are each configured with RADIUS reply attributes, the reply attributes of each group the user is a member of are returned in the Access-Accept message.
  • Having multiple reply attributes with the same name but different values doesn’t cause a conflict. If there are reply attributes with conflicting values, the most recently created user group and its attributes take precedence. 

Using the PowerShell Module to Configure RADIUS Reply Attributes 

Four functions in the JumpCloud PowerShell module allow admins to add, update, remove, and report on user groups and their RADIUS reply attributes.

Adding RADIUS Reply Attributes to a user group

Example 1

Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -VLAN 24

By specifying the '-VLAN' parameter, three RADIUS attributes are added to the JumpCloud user group 'BoulderOffice'.

"radius": {
      "reply": [
        {
          "name": "Tunnel-Type",
          "value": "VLAN"
        },
        {
          "name": "Tunnel-Private-Group-ID",
          "value": "24"
        },
        {
          "name": "Tunnel-Medium-Type",
          "value": "IEEE-802"
        }
      ]
    }

The value specified for the '-VLAN' parameter is populated for the value of Tunnel-Private-Group-ID.

Example 2

Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -VLAN 24 -VLANTag 3

By specifying the '-VLAN' parameter, three RADIUS attributes are added to the JumpCloud user group 'BoulderOffice'. The use of '-VLANTag' appends each VLAN attribute with a colon and the tag number specified. These attributes are:

"radius": {
      "reply": [
        {
          "name": "Tunnel-Type:3",
          "value": "VLAN"
        },
        {
          "name": "Tunnel-Private-Group-ID:3",
          "value": "24"
        },
        {
          "name": "Tunnel-Medium-Type:3",
          "value": "IEEE-802"
        }
      ]
    }

The value specified for the '-VLAN' parameter is populated for the value of Tunnel-Private-Group-ID.

Tags must be an integer between 1-31, to comply with , which states that the tag field must be a single octet in length.

Example 3

Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -NumberOfAttributes 2 -Attribute1_name "Session-Timeout" -Attribute1_value 100 -Attribute2_name "Termination-Action" -Attribute2_value 1

Adds two RADIUS attributes to the JumpCloud user group 'BoulderOffice'.

These attributes are:

"radius": {
      "reply": [
        {
          "name": "Session-Timeout",
          "value": "100"
        },
        {
          "name": "Termination-Action",
          "value": "1"
        }
      ]
    }

The parameter '-NumberOfAttributes' is a dynamic parameter that generates two required parameters for each attribute specified. In this example, these parameters are -Attribute1_name, -Attribute1_value, -Attribute2_name and -Attribute2_value.

Attributes must be valid RADIUS attributes. If an invalid attribute is configured on a user group, users in the group are prevented from authenticating via RADIUS until the invalid attribute is removed.

Example 4

Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -NumberOfAttributes 2 -Attribute1_name "Session-Timeout:3" -Attribute1_value 100 -Attribute2_name "Termination-Action:3" -Attribute2_value 1

Adds two RADIUS attributes to the JumpCloud user group 'BoulderOffice' and demonstrates how to configure RADIUS tags using a colon and tag number.

These attributes are:

"radius": {
      "reply": [
        {
          "name": "Session-Timeout:3",
          "value": "100"
        },
        {
          "name": "Termination-Action:3",
          "value": "1"
        }
      ]
    }

The parameter '-NumberOfAttributes' is a dynamic parameter that generates two required parameters for each attribute specified. In this example, these parameters are -Attribute1_name, -Attribute1_value, -Attribute2_name and -Attribute2_value.

Attributes must be valid RADIUS attributes. If an invalid attribute is configured on a user group, users in the group are prevented from authenticating.
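
Because one invalid attribute stops a whole group from authenticating, it helps to validate names and tag suffixes before calling Add-JCRadiusReplyAttribute. The following is an added example, not code from the original article or the PowerShell module: Test-ReplyAttributeName, New-ReplyAttributeSplat and the $KnownAttributes allow-list are hypothetical names, and the list is constructed from the attributes used on this page.

```powershell
# Constructed allow-list (an assumption): extend it to the attributes your
# network devices actually consume.
$KnownAttributes = @(
    'Tunnel-Type', 'Tunnel-Medium-Type', 'Tunnel-Private-Group-ID',
    'Session-Timeout', 'Termination-Action'
)

function Test-ReplyAttributeName {   # hypothetical helper, not part of the module
    param([Parameter(Mandatory)][string]$Name)

    # Split an optional ":<tag>" suffix from the base attribute name.
    $base, $tag = $Name -split ':', 2
    if ($KnownAttributes -notcontains $base) {
        throw "Unknown RADIUS attribute '$base'"
    }
    if ($null -ne $tag) {
        $n = 0
        if (-not [int]::TryParse($tag, [ref]$n) -or $n -lt 1 -or $n -gt 31) {
            throw "Tag '$tag' on '$base' must be an integer between 1 and 31"
        }
    }
    return $true
}

function New-ReplyAttributeSplat {   # hypothetical helper, not part of the module
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][System.Collections.Specialized.OrderedDictionary]$Attributes
    )
    # Build the -AttributeN_name / -AttributeN_value pairs that
    # -NumberOfAttributes generates, validating each name first.
    $splat = @{ GroupName = $GroupName; NumberOfAttributes = $Attributes.Count }
    $i = 1
    foreach ($name in $Attributes.Keys) {
        Test-ReplyAttributeName -Name $name | Out-Null
        $splat["Attribute${i}_name"]  = $name
        $splat["Attribute${i}_value"] = $Attributes[$name]
        $i++
    }
    return $splat
}

# Same attributes as Example 4; a bad name or tag throws before the group is touched.
$params = New-ReplyAttributeSplat -GroupName 'BoulderOffice' -Attributes ([ordered]@{
    'Session-Timeout:3'    = 100
    'Termination-Action:3' = 1
})
Add-JCRadiusReplyAttribute @params
```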

Querying RADIUS Reply Attributes on a JumpCloud user group

Example

Get-JCRadiusReplyAttribute -GroupName "BoulderOffice"

Returns the RADIUS reply attributes associated with the JumpCloud user group 'BoulderOffice'.

Updating RADIUS Reply Attributes on a user group

Example 1

Set-JCRadiusReplyAttribute -GroupName "BoulderOffice" -VLAN 34

By specifying the '-VLAN' parameter, three RADIUS attributes are updated on the JumpCloud user group 'BoulderOffice'.

These attributes are:

"radius": {
      "reply": [
        {
          "name": "Tunnel-Type",
          "value": "VLAN"
        },
        {
          "name": "Tunnel-Private-Group-ID",
          "value": "34"
        },
        {
          "name": "Tunnel-Medium-Type",
          "value": "IEEE-802"
        }
      ]
    }

The value specified for the '-VLAN' parameter is populated for the value of Tunnel-Private-Group-ID.

Example 2

Set-JCRadiusReplyAttribute -GroupName "BoulderOffice" -NumberOfAttributes 2 -Attribute1_name "Session-Timeout" -Attribute1_value 200 -Attribute2_name "Termination-Action" -Attribute2_value 2

Updates two RADIUS attributes on the JumpCloud user group 'BoulderOffice'.

These attributes are:

"radius": {
      "reply": [
        {
          "name": "Session-Timeout",
          "value": "200"
        },
        {
          "name": "Termination-Action",
          "value": "2"
        }
      ]
    }

The parameter '-NumberOfAttributes' is a dynamic parameter that generates two required parameters for each attribute specified. In this example, these parameters are -Attribute1_name, -Attribute1_value, -Attribute2_name and -Attribute2_value.

If the RADIUS reply attribute being updated already exists on the target user group, the value for this attribute is updated. If the RADIUS reply attribute does not exist, the attribute is added.

Attributes must be valid RADIUS attributes. If an invalid attribute is configured on a user group, users in the group are prevented from authenticating.

Removing RADIUS Reply attributes from a user group

Example 1

Remove-JCRadiusReplyAttribute -GroupName "BoulderOffice" -All

Removes all RADIUS reply attributes from the JumpCloud user group 'BoulderOffice' using the '-All' parameter.

Example 2

Remove-JCRadiusReplyAttribute -GroupName "BoulderOffice" -AttributeName "Session-Timeout", "Termination-Action"

Removes the attributes named "Session-Timeout" and "Termination-Action" from the target user group 'BoulderOffice'. To remove multiple attributes at one time, separate the attribute names with commas.

Example 3

Remove-JCRadiusReplyAttribute -GroupName "BoulderOffice" -AttributeName "Tunnel-Type:2", "Tunnel-Medium-Type:2", "Tunnel-Private-Group-Id:2"

Removes VLAN attributes that have been added with VLAN tags. The attributes named "Tunnel-Type:2", "Tunnel-Medium-Type:2", "Tunnel-Private-Group-Id:2" are removed from the target user group 'BoulderOffice'.
