Specifications

ManualsBrandsEnterasys ManualsComputer equipment802.1Q

Authentication Overview

April 15, 2011 Page 10 of 36

RFC 3580

EnterasysswitchessupporttheRFC3580RADIUStunnelattributefordynamicVLAN

assignment.TheVLAN‐Tunnel‐Attributeimplementstheprovisioningofserviceinresponsetoa

successfulau thentication.Onportsthatdonotsupportpolicy,thepacketwillbetaggedwiththe

VLAN‐ID.TheVLAN‐Tunnel‐Attributedefinesthebase

VLAN‐IDtobeappliedtothe user.

Dynamic VLAN Assignment

TheRADIUSservermayoptionallyincludeRADIUStunnelattributesinaRADIUS

Access‐AcceptmessagefordynamicVLANassignmentoftheauthenticatedendsystem.

RFC3580’sRADIUStunnelattributesare oftenconfiguredonaRADIUS servertodynamically

assignusersbelongingtothesameorganizationalgroupwithinanenterprisetothe

sameVLAN,

ortoplacealloffendingusersaccordingtotheorganization’ssecuritypolicyinaQuarantine

VLAN.Tunnelattributesaredeployedforenterprisesthathaveendsy stemauthentication

configuredonthenetwork.Forexample,allengineerscanbedynamicallyassignedtothesame

VLANuponauthentication,whilesalesareassigned

toanotherVLANuponauthentication.

ThenameofthefeatureonEnterasysplatformsthatimplementsdynamicVLANassignment

throughthereceiptofRADIUStunnelattributesisVLANauthorization.VLANauthorization

dependsuponreceiptoftheRFC3580RADIUStunnelattributesinRADIUSAccess‐Accept

messages.VLANauthorizationmustbeenabledglobally

andonaper‐portbasisfortheTunnel

attributestobeprocessed.Whendisabledperportorglobally,thedevicewillnotprocessTunnel

attributes.

ThefirmwaresupportsVLANauthorizationonthemodularswithches,stackablefixedswitches,

andstandalonefixedsw itches.

Bydefault,allpolicy‐capableEnterasysplatformswill

dynamicallyassignapolicyprofiletothe

portofanauthenticatinguserbasedonthereceiptoftheFilter‐IDRADIUSattribute.Thisisnot

thecasefor RADIUStunnelattributesinthat,bydefault,VLANauthorizationisdisabled.

TheN‐Series,startinginfirmwarerelease5.31.xx,theS‐Series,and

K‐Seriesplatformssupport

RFC3580RADIUSVLANTunnelattributes.

VLAN Authorization Attributes

ThreeTu nnelattributesareusedfordynamicVLANAuthorization:

•Tunnel‐Typeattribute(Type=64,Length=6,Tag=0,Value=0x0DforVLAN)

•Tunnel‐Medium‐Typeattribute(Type=65,Length=6,Tag=0,Value=0x06for802media)

•Tunnel‐Private‐Group‐IDattribute(Type=81,Length>=3 ,String=VIDinASCII)

TheTunnel‐Typeattributeindicatesthetunnelingprotocoltobeusedwhenthisattribute

is

formattedinRADIUSAccess‐Requestmessages,orthetunnelprotocolinusewhenthisattribute

isformattedinRADIUSAccess‐Acceptmessages.SetTunnel‐Typeattributeparametersas

follows:

•Type:Setto64forTunnel‐TypeRADIUSattribute

•Length:Setto6forsix‐bytelengthofthisRADIUSattribute

•Tag:

Providesameansofgroupingattributesinthesamepacketwhichrefertothesame

tunnel.Validvaluesforthisfieldarefrom0x01through0x1F,inclusive.Setto0ifunused.

Unlessalternativetunneltypesareprovided,itisonlynecessaryfortunnelattributesto

specifyasingletunnel.

Asaresult,whereitisonlydesiredtospecifytheVLAN‐ID,thetag

fieldshouldbesettozero(0x00)inalltunnelattributes.