Switch User Manual

ManualsBrandsEnterasys Networks ManualsSwitchSECURESTACK 9034313-07

791

792

793

794

795

796

797

798

799

800

Configuring VLAN Authorization (RFC 3580)

SecureStack C3 Configuration Guide 26-49

Thesecondpolicyrole,fortheuser,caneitherbestaticallyconfiguredwiththedefaultpolicyrole

ontheportordynamicallyassignedthroughauthenticationtothenetwork(usingaRADIUS

Filter‐ID).Whenthedefaultpolicyroleisassignedonaport,theVLANsetastheportʹsPVID

is

mappedtothedefaultpolicyrole.Whenapolicyroleisdynamicallyappliedtoauserastheresult

ofasuccessfullyauthenticatedsession,the“authenticatedVLAN”ismappedtothepolicyroleset

intheFilter‐IDreturnedfromtheRADIUSserver.The“authenticatedVLAN”mayeitherbe

the

PVIDoftheport,ifthePVIDOverrideforthepolicyprofileisdisabled,ortheVLANspecifiedin

thePVIDOverrideifthePVIDOverrideisenabled.

Configuring VLAN Authorization (RFC 3580)

Purpose

RFC3580TunnelAttributesprovideamechanismtocontainan802.1X,MAC,orPWA

authenticatedusertoaVLANregardlessofthePVID.ThisisreferredtoasdynamicVLAN

assignment.

Pleaseseesection3‐31ofRFC3580fordetailsonconfiguringaRADIUSservertoreturnthe

desiredtunnel

attributes.AsstatedinRFC3580,“...itmaybedesirabletoallow aporttobeplaced

intoaparticularVirtualLAN(VLAN),definedin[IEEE8021Q],basedontheresultofthe

authentication.”

TheRADIUSservertypicallyindicatesthedesiredVLANbyincludingtunnelattributeswithinits

Access‐Acceptparameters.

However,theIEEE802.1XorMACauthenticatorcanalsobe

configuredtoinstructtheVLANtobeassignedtothesupplicantbyincludingtunnelattributes

withinAccess‐Requestparameters.

ThefollowingtunnelattributesareusedinVLANauthorizationassignment:

•Tunnel‐Type‐VLAN(13)

•Tunnel‐Medium‐Type‐802

•Tunnel‐Private‐Group‐ID‐VLANID

InordertoauthenticateRFC3580users,policymaptableresponsemustbesettotunnelas

describedin“ConfiguringPolicyMaptableResponse”onpage 26‐52.

Commands

Note: A policy license, if applicable, is not required to deploy RFC 3580 dynamic VLAN

assignment.

For information about... Refer to page...

set vlanauthorization 26-50

set vlanauthorization egress 26-50

clear vlanauthorization 26-51

show vlanauthorization 26-51