Specifications
Policy Overview
May 18, 2009 Page 6 of 32
Use the set policy maptable command specifying a single VLAN ID or range of IDs and the policy
profile-index to create a policy maptable entry.
Applying Policy Using the RADIUS Response Attributes
If an authentication method that requires communication with an authentication server is
configured for a user, the RADIUS filter-ID attribute can be used to dynamically assign a policy
role to the authenticating user. Supported RADIUS attributes are sent to the switch in the RADIUS
access-accept message. The RADIUS filter-ID can also be applied in hybrid authentication mode.
Hybrid authentication mode determines how the RADIUS filter-ID and the three RFC 3580 VLAN
tunnel attributes (VLAN Authorization), when either or all are included in the RADIUS
access-accept message, will be handled by the switch. The three VLAN tunnel attributes define the
base VLAN-ID to be applied to the user. In either case, conflict resolution between RADIUS
attributes is provided by the maptable response feature.
Please see the Configuring User Authentication feature guide located at
http://secure.enterasys.com/support/manuals/ for a discussion of RADIUS configuration, the
RADIUS filter-ID, and VLAN authorization.
Use the policy option of the set policy maptable response command to configure the switch to
dynamically assign a policy using the RADIUS filter-ID in the RADIUS response message.
Applying Policy Using Hybrid Authentication Mode
Enhanced Policy
Hybrid authentication is an authentication capability that allows the switch to use both the
filter-ID and tunnel attributes in the RADIUS response message to determine how to treat the
authenticating user.
Hybrid authentication is configured by specifying the both option in the set policy maptable
command. The both option:
• Applies the VLAN tunnel attributes if they exist and the filter-ID attribute does not
• Applies the filter-ID attribute if it exists and the VLAN tunnel attributes do not
Note: VLAN-to-Policy mapping is supported on the B3, C3, and G3 switches for firmware releases
6.3 and greater.
Note: VLAN-to-policy mapping to maptable response configuration behavior is as follows:
• If the RADIUS response is set to policy, any VLAN-to-policy maptable configuration is ignored
for all platforms.
• If the RADIUS response is set to tunnel, VLAN-to-policy mapping can occur on an N-Series
platform; VLAN-to-policy mapping will not occur on a SecureStack or standalone platform.
• If the RADIUS response is set to both and both the filter-ID and tunnel attributes are present,
VLAN-to-policy mapping configuration is ignored. See the “When Policy Maptable Response is
Both” section of the Configuring User Authentication feature guide for exceptions to this
behavior.
Note: Hybrid authentication is an enhanced policy capability. For the B3, C3, and G3 platforms,
hybrid authentication is supported for Releases 6.3 and greater.
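The following added example (not Enterasys code, and not taken from this guide) models the maptable response rules above, so an administrator can check what a given RADIUS access-accept would yield under each setting. Function names, the dict layout and the sample values are hypothetical. It assumes that policy mode acts only on the filter-ID, that tunnel mode acts only on the tunnel attributes, and that both are applied when both are present in both mode.

```python
# Added example: models only the maptable response rules stated in this guide.
# Function names and the dict layout are hypothetical; attribute names and the
# numeric values follow RFC 2865 (Filter-Id) and RFC 3580 (tunnel attributes).

def tunnel_vlan(attrs):
    """Return the VLAN ID if all three RFC 3580 tunnel attributes are valid."""
    if attrs.get("Tunnel-Type") != 13:          # 13 = VLAN
        return None
    if attrs.get("Tunnel-Medium-Type") != 6:    # 6 = IEEE 802
        return None
    vid = str(attrs.get("Tunnel-Private-Group-ID", ""))
    return int(vid) if vid.isdigit() and 1 <= int(vid) <= 4094 else None


def resolve(mode, attrs, platform="N-Series"):
    """Return which access-accept attributes the switch acts on.

    mode is the maptable response setting: "policy", "tunnel" or "both".
    vlan_map is "ignored", "possible", "none" or "not stated", per the notes.
    """
    filter_id = attrs.get("Filter-Id")
    vlan = tunnel_vlan(attrs)
    if mode == "policy":
        # Assumption: tunnel attributes are not applied in policy mode.
        # VLAN-to-policy maptable configuration is ignored on all platforms.
        return {"policy": filter_id, "vlan": None, "vlan_map": "ignored"}
    if mode == "tunnel":
        # Assumption: the filter-ID is not applied in tunnel mode.
        # Mapping can occur on N-Series only, not SecureStack or standalone.
        vmap = "possible" if platform == "N-Series" else "none"
        return {"policy": None, "vlan": vlan, "vlan_map": vmap}
    if mode == "both":
        if filter_id and vlan is not None:
            # Both present: mapping ignored (exceptions are in the other guide).
            # Assumption: role and VLAN are both applied.
            return {"policy": filter_id, "vlan": vlan, "vlan_map": "ignored"}
        # Only one present: apply whichever exists. The guide does not say
        # whether VLAN-to-policy mapping applies in this case.
        return {"policy": filter_id, "vlan": vlan, "vlan_map": "not stated"}
    raise ValueError(f"unknown maptable response mode: {mode!r}")


# Constructed access-accept attribute sets (not captured traffic).
HYBRID = {"Filter-Id": "guest-role", "Tunnel-Type": 13,
          "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "120"}
ROLE_ONLY = {"Filter-Id": "guest-role"}

if __name__ == "__main__":
    for mode in ("policy", "tunnel", "both"):
        print(mode, resolve(mode, HYBRID), resolve(mode, ROLE_ONLY))
```

Under these rules, a server that returns only a filter-ID while the switch is set to tunnel yields neither a role nor a VLAN, which is the mismatch worth checking for when auditing an authentication configuration.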