
Implement RADIUS Reply Attributes, like VLAN Tagging, using JumpCloud

A single physical network can be segmented into multiple networks using Virtual Local Area Networks (VLANs)*. Implementing VLANs lets IT teams improve network security by isolating devices from one another so that each device can reach only the endpoints it has been explicitly granted access to. If one device is compromised, VLAN segmentation limits what the attacker can reach from it and contains lateral movement at the network layer; it does not by itself prevent the initial breach. VLANs also improve network performance by limiting broadcast domains.

*Note that implementing VLANs requires LAN configuration on switches, routers, and firewalls (802.1Q trunking and per-VLAN access policy). This is a prerequisite that must be in place before attempting to use JumpCloud RADIUS reply attributes; the attributes only tell the network device which VLAN to place the user in, they do not create or enforce the VLAN.

RADIUS reply attributes, such as VLAN tagging, are configured on JumpCloud user groups using functions in the JumpCloud PowerShell module. When applied, these attributes are returned in the Access-Accept message of a RADIUS request. Because reply attributes are specified on user groups, one set of attributes can be applied across many users and many RADIUS servers: users are associated with a user group, and that user group is associated with one or more RADIUS servers.

Any RADIUS reply attributes configured on a JumpCloud user group that associates a user to a RADIUS server are returned in the Access-Accept message sent to the endpoint configured to authenticate with JumpCloud RADIUS. If a user is a member of more than one JumpCloud user group associated with a given RADIUS server, the reply attributes of all of those groups are returned together in the Access-Accept message.

If a user is a member of more than one JumpCloud user group associated with a given RADIUS server and these groups are configured with conflicting RADIUS reply attributes, the values from the group that was created most recently are returned in the Access-Accept message.

RADIUS reply attribute conflicts are therefore resolved by the creation date of the user group: groups created more recently take precedence over older groups. A conflict occurs when two groups define the same RADIUS reply attribute name with different values. Attributes with the same base name but different tag values (for example, Tunnel-Type and Tunnel-Type:3) are distinct attributes and do not conflict. Note the security consequence of this rule: creating a new group with a Tunnel-Private-Group-ID value and associating it to an existing RADIUS server silently overrides the VLAN placement of any member who also belongs to an older group on that server, so audit group membership and reply attributes whenever a new group is associated to a RADIUS server.
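The following is an added example, not code from this article or from the JumpCloud PowerShell module, that audits a set of user groups for the conflicting reply attributes described above. It separates the conflict check (pure logic, runnable offline against the constructed sample rows) from retrieval, so it can be run with no tenant connection first. The retrieval wrapper assumes a connected session (Connect-JCOnline) and assumes, based on the attribute JSON shown in this article, that Get-JCRadiusReplyAttribute returns one object per attribute with 'name' and 'value' properties; the group names are placeholders.

```powershell
# Added example (not from the JumpCloud article or module).
# Flags RADIUS reply attributes that are defined with different values across
# user groups that all associate users to the same RADIUS server. The article's
# rule: same attribute name + different value = conflict, resolved in favour
# of the newest group. Tagged names ('Tunnel-Type:3') are distinct keys from
# untagged ones ('Tunnel-Type') and never conflict with each other.

function Get-RadiusReplyConflict {
    [CmdletBinding()]
    param(
        # Rows of GroupName / Attribute / Value, one per reply attribute.
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject[]]$Row
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($r in $Row) { $all.Add($r) } }
    end {
        foreach ($set in ($all | Group-Object -Property Attribute)) {
            $distinct = @($set.Group | Select-Object -ExpandProperty Value -Unique)
            if ($distinct.Count -gt 1) {
                [pscustomobject]@{
                    Attribute = $set.Name
                    Groups    = ($set.Group | ForEach-Object { "$($_.GroupName)=$($_.Value)" }) -join '; '
                }
            }
        }
    }
}

function Get-JCRadiusReplyRow {
    # Assumption: Get-JCRadiusReplyAttribute returns objects with .name/.value,
    # matching the "name"/"value" pairs shown in this article. Requires a
    # connected JumpCloud session.
    param([Parameter(Mandatory)][string[]]$GroupName)
    foreach ($g in $GroupName) {
        foreach ($attr in (Get-JCRadiusReplyAttribute -GroupName $g)) {
            [pscustomobject]@{ GroupName = $g; Attribute = [string]$attr.name; Value = [string]$attr.value }
        }
    }
}

# Constructed sample (offline): two groups that both place members in a VLAN.
# 'Contractors' is assumed to be the newer group, so its VLAN 99 would win for
# any user in both groups, even though 'Finance' intended VLAN 24.
$sample = @(
    [pscustomobject]@{ GroupName = 'Finance';     Attribute = 'Tunnel-Type';               Value = 'VLAN' }
    [pscustomobject]@{ GroupName = 'Finance';     Attribute = 'Tunnel-Private-Group-ID';   Value = '24' }
    [pscustomobject]@{ GroupName = 'Contractors'; Attribute = 'Tunnel-Type';               Value = 'VLAN' }
    [pscustomobject]@{ GroupName = 'Contractors'; Attribute = 'Tunnel-Private-Group-ID';   Value = '99' }
    [pscustomobject]@{ GroupName = 'Contractors'; Attribute = 'Tunnel-Private-Group-ID:3'; Value = '24' }  # tagged: no conflict
)
$sample | Get-RadiusReplyConflict | Format-Table -AutoSize
# Expected: one row, Attribute 'Tunnel-Private-Group-ID', Groups 'Finance=24; Contractors=99'.

# Live audit against a tenant (placeholder group names):
# Get-JCRadiusReplyRow -GroupName 'BoulderOffice', 'Contractors', 'Finance' | Get-RadiusReplyConflict
```

Any row returned by the audit means a member of both groups is placed according to whichever group was created last, so for Tunnel-Private-Group-ID a conflict is a VLAN isolation problem, not just a configuration untidiness. Resolve it explicitly by removing the attribute from one group rather than relying on creation order.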

Four functions within the JumpCloud PowerShell module allow admins to add, update, remove, and report on the RADIUS reply attributes applied to user groups in JumpCloud. Detailed examples of how to use these functions follow*.

**You must be running version 1.9.0 or later of the JumpCloud PowerShell module to access these functions**

Need to install the JumpCloud PowerShell module? Follow this link to find steps for installing the module on Mac, Windows, and Linux in a few quick steps.

 

Adding Radius Reply Attributes to a user group

Example 1
Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -VLAN 24 

By specifying the '-VLAN' parameter three RADIUS attributes are added to the JumpCloud user group 'BoulderOffice'.

These attributes are:

"radius": {
      "reply": [
        {
          "name": "Tunnel-Type",
          "value": "VLAN"
        },
        {
          "name": "Tunnel-Private-Group-ID",
          "value": "24"
        },
        {
          "name": "Tunnel-Medium-Type",
          "value": "IEEE-802"
        }
      ]
    } 

The value specified for the '-VLAN' parameter becomes the value of Tunnel-Private-Group-ID.

Example 2
Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -VLAN 24 -VLANTag 3 

By specifying the '-VLAN' parameter three RADIUS attributes are added to the JumpCloud user group 'BoulderOffice'. The '-VLANTag' parameter appends a colon and the tag number to each of the three attribute names. These attributes are:

"radius": {
      "reply": [
        {
          "name": "Tunnel-Type:3",
          "value": "VLAN"
        },
        {
          "name": "Tunnel-Private-Group-ID:3",
          "value": "24"
        },
        {
          "name": "Tunnel-Medium-Type:3",
          "value": "IEEE-802"
        }
      ]
    } 

The value specified for the '-VLAN' parameter is populated for the value of Tunnel-Private-Group-ID.

Tags must be an integer in the range 1-31. RFC 2868 defines the tag as a single octet, of which only the values 0x01 through 0x1F (1-31) are valid tags; a first octet of 0x20 or greater is interpreted as part of the attribute value rather than as a tag.

Example 3
Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -NumberOfAttributes 2 -Attribute1_name "Session-Timeout" -Attribute1_value 100 -Attribute2_name "Termination-Action" -Attribute2_value 1 

Adds two RADIUS attributes to the JumpCloud user group 'BoulderOffice'.

These attributes are:

 "radius": {
      "reply": [
        {
          "name": "Session-Timeout",
          "value": "100"
        },
        {
          "name": "Termination-Action",
          "value": "1"
        }
      ]
    } 

The parameter '-NumberOfAttributes' is a dynamic parameter that generates two required parameters for each attribute specified. In this example these parameters are -Attribute1_name, -Attribute1_value, -Attribute2_name and -Attribute2_value.

Attributes must be valid RADIUS attributes. A list of valid RADIUS attributes, broken down by vendor, can be found in the dictionary files of the referenced repository. If an invalid attribute is configured on a user group, users in that group will be unable to authenticate via RADIUS until the invalid attribute is removed, so check every attribute name against the dictionary before applying it to a production group.

 

Example 4
Add-JCRadiusReplyAttribute -GroupName "BoulderOffice" -NumberOfAttributes 2 -Attribute1_name "Session-Timeout:3" -Attribute1_value 100 -Attribute2_name "Termination-Action:3" -Attribute2_value 1 

Adds two RADIUS attributes to the JumpCloud user group 'BoulderOffice' and demonstrates how to configure RADIUS tags using a colon and tag number.

These attributes are:

"radius": {
      "reply": [
        {
          "name": "Session-Timeout:3",
          "value": "100"
        },
        {
          "name": "Termination-Action:3",
          "value": "1"
        }
      ]
    } 

As in Example 3, '-NumberOfAttributes' is a dynamic parameter that generates the required -Attribute1_name, -Attribute1_value, -Attribute2_name and -Attribute2_value parameters.

The same validity rule applies: attributes must be valid RADIUS attributes as listed in the dictionary files of the referenced repository, and an invalid attribute prevents all users in the group from authenticating via RADIUS until it is removed.

Querying RADIUS Reply Attributes on a JumpCloud user group

Example
Get-JCRadiusReplyAttribute -GroupName "BoulderOffice" 

Returns the RADIUS reply attributes associated with the JumpCloud user group 'BoulderOffice'.

Updating RADIUS Reply Attributes on a JumpCloud user group

Example 1
Set-JCRadiusReplyAttribute -GroupName "BoulderOffice" -VLAN 34 

By specifying the '-VLAN' parameter three RADIUS attributes are updated on the JumpCloud user group 'BoulderOffice'.

These attributes are:

"radius": {
      "reply": [
        {
          "name": "Tunnel-Type",
          "value": "VLAN"
        },
        {
          "name": "Tunnel-Private-Group-ID",
          "value": "34"
        },
        {
          "name": "Tunnel-Medium-Type",
          "value": "IEEE-802"
        }
      ]
    } 

The value specified for the '-VLAN' parameter is populated for the value of Tunnel-Private-Group-ID.

Example 2
Set-JCRadiusReplyAttribute -GroupName "BoulderOffice" -NumberOfAttributes 2 -Attribute1_name "Session-Timeout" -Attribute1_value 200 -Attribute2_name "Termination-Action" -Attribute2_value 2 

Updates two RADIUS attributes on the JumpCloud user group 'BoulderOffice'.

These attributes are:

 "radius": {
      "reply": [
        {
          "name": "Session-Timeout",
          "value": "200"
        },
        {
          "name": "Termination-Action",
          "value": "2"
        }
      ]
    } 

The parameter '-NumberOfAttributes' is a dynamic parameter that generates two required parameters for each attribute specified. In this example these parameters are -Attribute1_name, -Attribute1_value, -Attribute2_name and -Attribute2_value.

If the RADIUS reply attribute being updated already exists on the target user group, its value is updated. If it does not exist, the attribute is added. Set-JCRadiusReplyAttribute is therefore safe to re-run with the same values.

Attributes must be valid RADIUS attributes. A list of valid RADIUS attributes, broken down by vendor, can be found in the dictionary files of the referenced repository. If an invalid attribute is configured on a user group, users in that group will be unable to authenticate via RADIUS until the invalid attribute is removed.
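The following is an added example, not code from this article or from the JumpCloud PowerShell module, that ties together the VLAN and tag rules from the Add examples above, the update-or-add behaviour of Set-JCRadiusReplyAttribute, and a read-back check. It applies a desired VLAN per group and then verifies that the three expected attributes are actually present with the expected values, so a failed change cannot go unnoticed. It assumes a connected session (Connect-JCOnline) with module 1.9.0 or later, assumes Set-JCRadiusReplyAttribute accepts the same '-VLANTag' parameter shown for Add-JCRadiusReplyAttribute, and assumes Get-JCRadiusReplyAttribute returns objects with 'name' and 'value' properties. The mapping table and group names are constructed placeholders.

```powershell
# Added example (not from the JumpCloud article or module).
# Desired-state VLAN assignment per user group with validation and read-back.

# Constructed input: desired VLAN placement. Tag 0 means untagged attribute
# names (Tunnel-Type), any other tag gives Tunnel-Type:N etc.
$DesiredVlans = @(
    [pscustomobject]@{ GroupName = 'BoulderOffice'; VLAN = 24; Tag = 0 }
    [pscustomobject]@{ GroupName = 'Contractors';   VLAN = 99; Tag = 3 }
)

function Test-VlanAssignment {
    param([int]$VLAN, [int]$Tag)
    # 802.1Q VLAN IDs are 1-4094; 0 and 4095 are reserved.
    if ($VLAN -lt 1 -or $VLAN -gt 4094) { throw "VLAN $VLAN is outside 1-4094" }
    # RFC 2868: valid tag values are 0x01-0x1F (1-31). 0 here means 'no tag'.
    if ($Tag -lt 0 -or $Tag -gt 31) { throw "Tag $Tag is outside 0-31 (0 = untagged)" }
}

function Get-ExpectedVlanAttributes {
    # The three attributes the article says '-VLAN' produces, with the
    # optional ':<tag>' suffix that '-VLANTag' appends.
    param([int]$VLAN, [int]$Tag)
    $suffix = if ($Tag -gt 0) { ":$Tag" } else { '' }
    @{
        "Tunnel-Type$suffix"             = 'VLAN'
        "Tunnel-Medium-Type$suffix"      = 'IEEE-802'
        "Tunnel-Private-Group-ID$suffix" = [string]$VLAN
    }
}

function Set-JCGroupVlan {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][int]$VLAN,
        [int]$Tag = 0
    )
    Test-VlanAssignment -VLAN $VLAN -Tag $Tag
    $expected = Get-ExpectedVlanAttributes -VLAN $VLAN -Tag $Tag

    if ($PSCmdlet.ShouldProcess($GroupName, "set VLAN $VLAN (tag $Tag)")) {
        # Set-* updates an existing attribute and adds a missing one, so this
        # is idempotent. Assumption: Set- accepts -VLANTag like Add- does.
        if ($Tag -gt 0) {
            Set-JCRadiusReplyAttribute -GroupName $GroupName -VLAN $VLAN -VLANTag $Tag | Out-Null
        } else {
            Set-JCRadiusReplyAttribute -GroupName $GroupName -VLAN $VLAN | Out-Null
        }
    }

    # Read back what the group now carries and compare against the intent.
    # Assumption: returned objects expose .name and .value as in the article's JSON.
    $actual = @{}
    foreach ($a in (Get-JCRadiusReplyAttribute -GroupName $GroupName)) {
        $actual[[string]$a.name] = [string]$a.value
    }
    $mismatch = @($expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] })
    [pscustomobject]@{
        GroupName = $GroupName
        VLAN      = $VLAN
        Tag       = $Tag
        Verified  = ($mismatch.Count -eq 0)
        Mismatch  = ($mismatch -join ', ')
    }
}

# Apply the mapping. Run with -WhatIf first: the Set- call is skipped but the
# read-back still runs, so 'Verified = False' shows which groups would change.
foreach ($row in $DesiredVlans) {
    Set-JCGroupVlan -GroupName $row.GroupName -VLAN $row.VLAN -Tag $row.Tag
}
```

Treat 'Verified = False' as a rollout blocker: the three Tunnel-* attributes are only meaningful together, and a group carrying a partial set (or an attribute name the RADIUS dictionary does not know) is the case the article warns will stop the whole group from authenticating.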

Removing RADIUS Reply attributes from a JumpCloud user group

Example 1
Remove-JCRadiusReplyAttribute -GroupName "BoulderOffice" -All 

Removes all RADIUS reply attributes from the JumpCloud user group 'BoulderOffice' using the '-All' parameter.
 

Example 2
Remove-JCRadiusReplyAttribute -GroupName "BoulderOffice" -AttributeName "Session-Timeout", "Termination-Action" 

Removes attributes with the name "Session-Timeout", "Termination-Action" from the target user group 'BoulderOffice'. To remove multiple attributes at one time separate the attribute names with commas.

 
Example 3
Remove-JCRadiusReplyAttribute -GroupName "BoulderOffice" -AttributeName "Tunnel-Type:2", "Tunnel-Medium-Type:2", "Tunnel-Private-Group-ID:2" 

Removes VLAN attributes that were added with a VLAN tag. The attributes named "Tunnel-Type:2", "Tunnel-Medium-Type:2", "Tunnel-Private-Group-ID:2" are removed from the target user group 'BoulderOffice'. The names passed to '-AttributeName' must match the stored attribute names exactly, including the ':<tag>' suffix; remove all three Tunnel-* attributes together so the group is not left with a partial VLAN definition.

 
 

Last Updated: Dec 05, 2018 08:53AM MST
