Enterasys b5

To Next Page

To Previous Page

Configuring VLAN Authorization (RFC 3580)

Enterasys B5 CLI Reference 22-49

Thesecondpolicyrole,fortheuser,caneitherbestaticallyconfiguredwiththedefaultpolicyrole

ontheportordynamicallyassignedthroughauthenticationtothenetwork(usingaRADIUS

Filter‐ID).Whenthedefaultpolicyroleisassignedonaport,theVLANsetastheportʹsPVID

is

mappedtothedefaultpolicyrole.Whenapolicyroleisdynamicallyappliedtoauserastheresult

ofasuccessfullyauthenticatedsession,the“authenticatedVLAN”ismappedtothepolicyroleset

intheFilter‐IDreturnedfromtheRADIUSserver.The“authenticatedVLAN”mayeitherbe

the

PVIDoftheport,ifthePVIDOverrideforthepolicyprofileisdisabled,ortheVLANspecifiedin

thePVIDOverrideifthePVIDOverrideisenabled.

Configuring VLAN Authorization (RFC 3580)

Purpose

RFC3580TunnelAttributesprovideamechanismtocontainan802.1X,MAC,orPWA

authenticatedusertoaVLANregardlessofthePVID.ThisisreferredtoasdynamicVLAN

assignment.

Pleaseseesection3‐31ofRFC3580fordetailsonconfiguringaRADIUSservertoreturnthe

desiredtunnel

attributes.AsstatedinRFC3580,“...itmaybedesirabletoallowaporttobeplaced

intoaparticularVirtualLAN(VLAN),definedin[IEEE8021Q],basedontheresultofthe

authentication.”

TheRADIUSservertypicallyindicatesthedesiredVLANbyincludingtunnelattributeswithinits

Access‐Acceptparameters.

However,theIEEE802.1XorMACauthenticatorcanalsobe

configuredtoinstructtheVLANtobeassignedtothesupplicantbyincludingtunnelattributes

withinAccess‐Requestparameters.

ThefollowingtunnelattributesareusedinVLANauthorizationassignment: 

•Tunnel‐Type‐VLAN(13)

•Tunnel‐Medium‐Type‐802

•Tunnel‐Private‐Group‐ID‐VLANID

InordertoauthenticateRFC3580users,policymaptableresponsemustbesettotunnelas

describedin“ConfiguringPolicyMaptableResponse”onpage 22‐52.

Commands

Note: A policy license, if applicable, is not required to deploy RFC 3580 dynamic VLAN

assignment.

For information about... Refer to page...

set vlanauthorization 22-50

set vlanauthorization egress 22-50

clear vlanauthorization 22-51

show vlanauthorization 22-51