C
HAPTER
13
| Security Measures
Network Access (MAC Address Authentication)
– 330 –
◆ The RADIUS server may optionally return a VLAN identifier list to be
applied to the switch port. The following attributes need to be
configured on the RADIUS server.
■
Tunnel-Type = VLAN
■
Tunnel-Medium-Type = 802
■
Tunnel-Private-Group-ID = 1u,2t [VLAN ID list]
The VLAN identifier list is carried in the RADIUS “Tunnel-Private-Group-
ID” attribute. The VLAN list can contain multiple VLAN identifiers in the
format “1u,2t,3u” where “u” indicates an untagged VLAN and “t” a
tagged VLAN.
◆ The RADIUS server may optionally return dynamic QoS assignments to
be applied to a switch port for an authenticated user. The “Filter-ID”
attribute (attribute 11) can be configured on the RADIUS server to pass
the following QoS information:
◆ Multiple profiles can be specified in the Filter-ID attribute by using a
semicolon to separate each profile.
For example, the attribute “service-policy-in=pp1;rate-limit-
input=100” specifies that the diffserv profile name is “pp1,” and the
ingress rate limit profile value is 100 kbps.
◆ If duplicate profiles are passed in the Filter-ID attribute, then only the
first profile is used.
For example, if the attribute is “service-policy-in=p1;service-policy-
in=p2”, then the switch applies only the DiffServ profile “p1.”
◆ Any unsupported profiles in the Filter-ID attribute are ignored.
For example, if the attribute is “map-ip-dscp=2:3;service-policy-
in=p1,” then the switch ignores the “map-ip-dscp” profile.
◆ When authentication is successful, the dynamic QoS information may
not be passed from the RADIUS server due to one of the following
conditions (authentication result remains unchanged):
■
The Filter-ID attribute cannot be found to carry the user profile.
■
The Filter-ID attribute is empty.
Table 19: Dynamic QoS Profiles
Profile Attribute Syntax Example
DiffServ service-policy-in=policy-map-name service-policy-in=p1
Rate Limit rate-limit-input=rate rate-limit-input=100
(in units of Kbps)
802.1p switchport-priority-default=value switchport-priority-default=2
IP ACL ip-access-group-in=ip-acl-name ip-access-group-in=ipv4acl
IPv6 ACL ipv6-access-group-in=ipv6-acl-name ipv6-access-group-in=ipv6acl
MAC ACL mac-access-group-in=mac-acl-name mac-access-group-in=macAcl
To Next Page
Loading...
Need help?
General
