Specifications

ManualsBrandsEnterasys ManualsComputer equipment802.1Q

Authentication Overview

April 15, 2011 Page 12 of 36

•AproblemwithmovinganendsystemtoanewVLANisthattheendsystemmustbeissued

anIPaddressonthenewVLAN’ssubnettowhichithasbecomeamember.Iftheendsystem

doesnotyethaveanIPaddress,thisisnotusuallyaproblem.

However,iftheendsystemhas

anIPaddress,theleaseoftheaddressmusttimeoutbeforeitattemptstoobtainanew

address,whichmaytakesometime.TheIPaddressassignmentprocess,implementedby

DHCP,andtheauthenticationprocessarenotconjoinedontheendsystem.Therefore,

this

leadstoendsystemspossessinganinvalidIPaddressafterdynamicVLANAu thorizationand

lostIPconnectivityuntilitscurrentIPaddresstimesout.Furthermore,whenanewIPaddress

iseventuallyassignedtotheendsystem,IPconnectivityisdisruptedforallapplicationson

theendsystem.

Policy Maptable Response

Thepolicymaptableresponse,orconflictresolution,featureallowsyoutodefinehowthesystem

shouldhandleallowinganauthenticateduserontoaportbasedonthecontentsoftheRADIUS

Acceptmessagereply.Therearethreepossibleresponsesettings:tunnelmode,policymode,or

bothtunnelandpolicy,alsoknown

ashybridauthenticationmode.

Whenthemaptableresponseissettotunnelmode,thesystemwillusethetunnelattributesinthe

RADIUSreplytoapplyaVLANtotheauthenticatinguserandwillignoreanyFilter‐IDattributes

intheRADIUSreply.Whentunnelmodeisconfigured,VLAN‐to‐policy

mappingcanoccurif

configuredonamodularswitchplatform.VLAN‐to‐policymappingwillnotoccurintunnel

modeonastackablefixedswitchorstandalonefixedswitchplatform.

Whenthemaptableresponseissettopolicymode,thesystemwillusetheFilter‐IDattributesin

theRADIUS

replytoapplyapolicytotheauthenticatinguserandwillignoreanytunnel

attributesintheRADIUS reply.Whenpolicymodeisconfigured,noVLAN‐to‐policymapping

willoccur.

Whenthemaptableresponseissettoboth,orhybridauthenticationmode,bothFilter‐ID

attributes(dynamicpolicyassignment)and

tunnelattributes(dynamicVLANassignment)sentin

RADIUSAcceptmessagerepliesareusedtodeterminehowtheswitchshouldhandle

authenticatingusers.Whenhybridauthenticationmodeisconfigured,VLAN‐to‐policymapping

canoccur,asdescribedbelowinWhenPolicyMaptableResponseis“Both”.

Usinghybridauthenticationmodeeliminatesthe

dependencyonhavingtoassignVLANs

throughpolicyroles—VLANscanbeassignedbymeansofthetunnelattribu teswhilepolicy

rolescanbeassignedbymeansoftheFilter‐IDattributes.Alternatively,onmodularswitch

platforms,VLAN‐to‐policymappingcanbeusedtomappoliciestousersusing

theVLAN

specifiedbythetunnelattributes,withouthavingtoconfigureFilter‐IDattributesontheRADIUS

server.Thisseparationgivesadministratorsmoreflexibilityinsegmentingtheirnetworksbeyond

theplatform’spolicyrolelimits.

When Policy Maptable Response is “Both”

HybridauthenticationmodeusesbothFilter‐IDattributesandtunnelattributes.Toenablehybrid

authenticationmode,usethesetpolicymaptablecommandandsettheresponseparameterto

both.Whenconfiguredtousebothsetsofattributes:

•IfboththeFilter‐IDandtunnelattributesarepresentintheRADIUSreply,

thenthepolicy

profilespecifiedbytheFilter‐IDisappliedtotheauthenticatinguser,andifVLAN

Note: Hybrid authentication is supported by modular switch devices, B-Series and C-Series

stackable fixed switches and the G3 device for Releases 6.3 and greater.