Specifications
Configuring Authentication
April 15, 2011 Page 26 of 36
If the authentication server returns an invalid policy or VLAN to a switch for an authenticating
supplicant, an invalid action of forward, drop, or default policy can be configured.
Procedure 13 describes setting dynamic policy profile assignment and invalid policy action
configuration.
Configuring RADIUS
You can set, clear, and display RADIUS configuration for both authentication and accounting.
Configuring the Authentication Server
There are four aspects to configuring the authentication server:
• State enables or disables the RADIUS client for this switch.
• Establishment values configure a timer setting the length of time before retries, as well as the
number of retries, before the switch determines the authentication server is down and
attempts to establish with the next server in its list.
• Server identification provides for the configuration of the server IP address and index value.
The index determines the order in which the switch will attempt to establish a session with an
authentication server. After setting the index and IP address you are prompted to enter a
secret value for this authentication server. Any authentication requests to this authentication
server must present the correct secret value to gain authentication.
• The realm provides for configuration scope for this server: management access, network
access, or both.
Firmware supports the configuration of multiple ASs. The lowest index value associated with the
server determines the primary server. If the primary server is down, the operational server with
the next lowest index value is used. If the switch fails to establish contact with the authentication
server before a configured timeout, the switch will retry for the configured number of times.
Servers can be restricted to management access or network access authentication by configuring
the realm option.
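The server selection order described above, modelled as an added Python example; it is not vendor code and not part of the original guide. The realm labels, the sample addresses, and the assumption that the configured retries come on top of one initial attempt are illustrative.

```python
from dataclasses import dataclass

@dataclass
class Server:
    index: int      # lower index is tried first; lowest usable index is the primary
    ip: str         # constructed sample address (documentation range)
    realm: str      # hypothetical labels: "management", "network" or "both"
    responds: bool  # constructed stand-in for "answers before the timeout"

def candidates(servers, request_realm):
    """Servers whose realm covers this request type, in index order."""
    usable = [s for s in servers if s.realm in (request_realm, "both")]
    return sorted(usable, key=lambda s: s.index)

def select_server(servers, request_realm, retries, timeout_s):
    """Return (chosen server or None, log of (index, attempt, seconds waited))."""
    log = []
    for srv in candidates(servers, request_realm):
        # Assumption: one initial attempt plus the configured number of retries.
        for attempt in range(1, retries + 2):
            if srv.responds:
                log.append((srv.index, attempt, 0))
                return srv, log
            log.append((srv.index, attempt, timeout_s))
    return None, log  # every in-realm server was judged down

def failover_delay(log):
    """Seconds spent waiting on timeouts before a server answered (or all failed)."""
    return sum(waited for _, _, waited in log)

# Constructed sample: the primary network-access server is down.
SERVERS = [
    Server(1, "192.0.2.10", "network", False),
    Server(2, "192.0.2.11", "management", True),
    Server(3, "192.0.2.12", "both", True),
]

if __name__ == "__main__":
    chosen, log = select_server(SERVERS, "network", retries=3, timeout_s=20)
    print("network-access request served by index", chosen.index)
    print("time lost to the dead primary:", failover_delay(log), "s")
```

The delay figure is the point to check when tuning the timeout and retry values: every supplicant authenticating during an outage of the primary waits that long before the next server in the list is tried.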
Procedure 13 Policy Profile Assignment and Invalid Action Configuration

Step  Task                                              Command(s)
1.    Identify the profile index to be used in the      show policy profile all
      VID-to-policy mapping.
2.    Map the VLAN ID to the profile index.             set policy maptable {vlan-list profile-index |
                                                        response {tunnel | policy | both}}
3.    Display the current maptable configuration.       show policy maptable
4.    Set the action to take when an invalid policy or  set policy invalid action {default-policy |
      VLAN is received by the authenticating switch.    drop | forward}

Note: Dynamic policy profile assignment is supported on the Matrix E1 and modular
switch platforms.