Specifications

ManualsBrandsEnterasys ManualsComputer equipment802.1Q

Authentication Overview

April 15, 2011 Page 13 of 36

authorizationisenabledgloballyandontheauthenticatinguser’sport,theVLANspecifiedby

thetunnelattributesisappliedtotheauthenticatinguser.

IfVLANauthorizationisnotenabled,theVLANspecifiedbythepolicyprofileisapplied.See

“RFC3580”onpage 10forinformationaboutVLANauthorization.

•Ifthe

Filter‐IDattribut esarepresentbutthetunnelattributesarenotpresent,thepolicy

profilespecifiedbytheFilter‐IDisapplied,alongwiththeVLANspecifiedbythepolicy

profile.

•IfthetunnelattributesarepresentbuttheFilter‐IDattributesarenotpresent,andifVLAN

authorizationisenabled

globallyandontheauthenticatinguser’sport,thentheswitchwill

checktheVLAN‐to‐policymappingtable(configuredwiththesetpolicymaptable

command):

–IfanentrymappingthereceivedVLANIDtoapolicyprofileisfound,thenthatpolicy

profile,alongwiththeVLANspecifiedbythepolicy

profile,willbeappliedtothe

authenticatinguser.

–Ifnomatchingmappingtableentryisfound,theVLANspecifiedbythetunnelattributes

willbeappliedtotheauthenticatinguser.

–IftheVLAN‐to‐policymappingtableisinvalid,thenthe

etsysPolicyRFC3580MapInvalidMappingMIBisincrementedandtheVLANspecifiedby

thetunnel

attributeswillbeappliedtotheauthenticatinguser.

IfVLANauthorizationisnotenabled,thetunnelattributesareignored.

When Policy Maptable Response is “Profile”

WhentheswitchisconfiguredtouseonlyFilter‐IDattributes,bysettingthesetpolicymaptable

commandresponseparametertopolicy:

•IftheFilter‐IDattributesarepresent,thespecifiedpolicyprofilewillbeappliedtothe

authenticatinguser.IfnoFilter‐IDattributesarepresent,thedefaultpolicy(if

itexists)willbe

applied.

•Ifthetunnelattributesarepresent,theyareignored.NoVLAN‐to‐policymappingwilloccur.

When Policy Maptable Response is “Tunnel”

Whentheswitchisconfiguredtouseonlytunnelattributes,bysettingthesetpolicymaptable

commandresponseparametertotunnel,andifVLANauthorizationisenabledbothgloballyand

ontheauthenticatinguser’sport:

•Ifthetunnelattributesarepresent,the sp ecifiedVLANwillbeappliedtotheauthenticating

user.

VLAN‐to‐policymappingcanoccuronamodularswitchplatform;VLAN‐to‐policy

mappingwillnotoccuronastackablefixedswitchorstandalonefixedswitchplatform.

•Ifthetunnelattributesarenotpresent,thedefaultpolicyVLANwillbeapplied;ifthedefault

policyVLANisnotconfigured,the

portVLANwillbeapplied.

•IftheFilter‐IDattributesarepresent,theyareignored.

IfVLANauthorizationisnotenabled,theuserwillbeallowedontotheportwiththedefault

policy,ifitexists.Ifnodefaultpolicyexists,theportVLANwillbeapplied.