Enterasys b5

To Next Page

To Previous Page

Configuring Policy Maptable Response

Enterasys B5 CLI Reference 22-53

Whenthemaptableresponseissettopolicymode,thesystemwillusetheFilter‐IDattributesin

theRADIUSreplytoapplyapolicytotheauthenticatinguserandwillignoreanytunnel

attributesintheRADIUS reply.Onthisplatform,whenpolicymodeisconfigured,noVLAN‐to‐

policymappingwilloccur.

Whenthemaptableresponseissettoboth,orhybridauthenticationmode,bothFilter‐ID

attributes(dynamicpolicyassignment)andtunnelattribu tes(dynamicVLANassignment)sentin

RADIUSserverAccess‐Acceptrepliesareusedtodeterminehowtheswitchshouldhandle

authenticatingusers.Onthisplatform,when

hybridauthenticationmodeisconfigured,VLAN‐to‐

policymappingcanoccur,asdescribedbelowin“WhenPolicyMaptableResponseis“Both””on

page 22‐53.

UsinghybridauthenticationmodeeliminatesthedependencyonhavingtoassignVLANs

throughpolicyroles—VLANscanbeassignedbymeansofthetunnelattributes

whilepolicy

rolescanbeassignedbymeansoftheFilter‐IDattributes.Alternatively,VLAN‐to‐policymapping

canbeusedtomappoliciestousersusingtheVLANspecifiedbythetunnelattributes,without

havingtoconfigureFilter‐IDattributesontheRADIUSserver.Thisseparationgives

administratorsmore

flexibilityinsegmentingtheirnetworksbeyondtheplatform’shardware

policyrolelimits.

Referto“RADIUSFilter‐IDAttributeand DynamicPolicyProfileAssignment”onpage 22‐3for

moreinformationaboutFilter‐IDattributesand“ConfiguringVLANAuthorization(RFC3580)”

onpage 22‐49formoreinformationabouttunnelattributes.

Operational Description

When Policy Maptable Response is “Both”

HybridauthenticationmodeusesbothFilter‐IDattributesandtunnelattributes.Toenablehybrid

authenticationmode,usethesetpolicymaptablecommandandsettheresponseparameterto

both.Whenconfiguredtousebothsetsofattributes:

•IfboththeFilter‐IDandtunnelattributesarepresentintheRADIUSreply,

thenthepolicy

profilespecifiedbytheFilter‐IDisappliedtotheauthenticatinguser,andifVLAN

authorizationisenabledgloballyandonthe authenticatinguser’sport,theVLANspecifiedby

thetunnelattributesisappliedtotheauthenticatinguser.

IfVLANauthorizationisnotenabled,theVLANspecified

bythepolicy profileisapplied.See

“ConfiguringVLANAuthorization(RFC3580)”onpage 22‐49forinformationaboutenabling

VLANauthorizationgloballyandonspecificports.

•IftheFilter‐IDattributesarepresentbutthetunnelattributesarenotpresent,thepolicy

profilespecifiedbytheFilter‐IDisapplied,

alongwiththeVLANspecifiedbythepolicy

profile.

•IfthetunnelattributesarepresentbuttheFilter‐IDattributesarenotpresentorareinvalid,

andifVLANauthorizationisenabledgloballyandontheauthenticatinguser’sport,thenthe

switchwillchecktheVLAN‐to‐policymappingtable(configured

withthesetpolicy

maptablecommand):

–IfanentrymappingthereceivedVLANIDtoavalidpolicyprofileisfound,thenthat

policyprofile,alongwiththeVLANspecifiedbythepolicyprofile,willbeappliedtothe

authenticatinguser.

–Ifnomatchingmappingtableentryisfound,theVLANspecified

bythetunnelattributes

willbeappliedtotheauthenticatinguser.

–IftheVLAN‐to‐policymappingtableisinvalid,thenthe

etsysPolicyRFC3580MapInvalidMappingMIBisincrementedandtheVLANspecifiedby

thetunnelattributeswillbeappliedtotheauthenticatinguser.

Table of Contents