Switch User Manual

ManualsBrandsEnterasys Networks ManualsSwitchSECURESTACK 9034313-07

791

792

793

794

795

796

797

798

799

800

Configuring Policy Maptable Response

SecureStack C3 Configuration Guide 26-53

Whenthemaptableresponseissettopolicymode,thesystemwillusetheFilter‐IDattributesin

theRADIUSreplytoapplyapolicytotheauthenticatinguserandwillignoreanytunnel

attributesintheRADIUS reply.Onthisplatform,whenpolicymodeisconfigured,noVLAN‐to‐

policymappingwilloccur.

Whenthemaptableresponseissettoboth,orhybridauthenticationmode,bothFilter‐ID

attributes(dynamicpolicyassignment)andtunnelattributes(dynamicVLANassignment)sentin

RADIUSserverAccess‐Acceptrepliesareusedtodeterminehowtheswitchshouldhandle

authenticatingusers.Onthisplatform,when

hybridauthenticationmodeisconfigured,VLAN‐to‐

policymappingcanoccur,asdescribedbelowin“WhenPolicyMaptableResponseis“Both””on

page 26‐53.

UsinghybridauthenticationmodeeliminatesthedependencyonhavingtoassignVLANs

throughpolicyroles—VLANscanbeassignedbymeansofthetunnelattributes

whilepolicy

rolescanbeassignedbymeansoftheFilter‐IDattributes.Alternatively,VLAN‐to‐policymapping

canbeusedtomappoliciestousersusingtheVLANspecifiedbythetunnelattributes,without

havingtoconfigureFilter‐IDattributesontheRADIUSserver.Thisseparationgives

administratorsmore

flexibilityinsegmentingtheirnetworksbeyondtheplatform’shardware

policyrolelimits.

Referto“RADIUSFilter‐IDAttributeandDynamicPolicyProfileAssignment”onpage 26‐3for

moreinformationaboutFilter‐IDattributesand“Configuring VLANAuthorization(RFC3580)”

onpage 26‐49formoreinformationabouttunnelattributes.

Operational Description

When Policy Maptable Response is “Both”

HybridauthenticationmodeusesbothFilter‐IDattributesandtunnelattributes.Toenablehybrid

authenticationmode,usethesetpolicymaptablecommandandsettheresponseparameterto

both.Whenconfiguredtousebothsetsofattributes:

•IfboththeFilter‐IDandtunnelattributesarepresentintheRADIUSreply,

thenthepolicy

profilespecifiedbytheFilter‐IDisappliedtotheauthenticatinguser,andifVLAN

authorizationisenabledgloballyandontheauthenticatinguser’sport,theVLANspecifiedby

thetunnelattributesisappliedtotheauthenticatinguser.

IfVLANauthorizationisnotenabled,theVLANspecified

bythepolicyprofileisapplied.See

“ConfiguringVLANAuthorization(RFC3580)”onpage 26‐49 forinformationaboutenabling

VLANauthorizationgloballyandonspecificports.

•IftheFilter‐IDattributesarepresentbutthetunnelattributesarenotpresent,thepolicy

profilespecifiedbytheFilter‐IDisapplied,

alongwiththeVLANspecifiedbythepolicy

profile.

•IfthetunnelattributesarepresentbuttheFilter‐IDattributesarenotpresentorareinvalid,

andifVLANauthorizationisenabledgloballyandontheauthenticatinguser’sport,thenthe

switchwillchecktheVLAN‐to‐policymappingtable(configured

withthesetpolicy

maptablecommand):

–IfanentrymappingthereceivedVLANIDtoavalidpolicyprofileisfound,thenthat

policyprofile,alongwiththeVLANspecifiedbythepolicyprofile,willbeappliedtothe

authenticatinguser.

–Ifnomatchingmappingtableentryisfound,theVLANspecified

bythetunnelattributes

willbeappliedtotheauthenticatinguser.

–IftheVLAN‐to‐policymappingtableisinvalid,thenthe

etsysPolicyRFC3580MapInvalidMappingMIBisincrementedandtheVLANspecifiedby

thetunnelattributeswillbeappliedtotheauthenticatinguser.