User Authentication Overview
10-10 Configuring User Authentication
• Value: Indicates the type of tunnel. A value of 0x06 indicates that the tunneling medium pertains to 802 media (including Ethernet).
The Tunnel-Private-Group-ID attribute indicates the group ID for a particular tunneled session. Set the Tunnel-Private-Group-ID attribute parameters as follows:
• Type: Set to 81 for the Tunnel-Private-Group-ID RADIUS attribute.
• Length: Set to a value greater than or equal to 3.
• Tag: Provides a means of grouping attributes in the same packet which refer to the same tunnel. Valid values for this field are from 0x01 through 0x1F, inclusive. Set to 0 if unused. Unless alternative tunnel types are provided, it is only necessary for tunnel attributes to specify a single tunnel. As a result, where it is only desired to specify the VLAN ID, the tag field should be set to zero (0x00) in all tunnel attributes.
• String: Indicates the group. For the VLAN ID integer value, it is encoded as a string using ASCII. For example, the VLAN ID integer value 103 would be represented as 0x313033.
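As an added example (not code from this guide), a small Python encoder/decoder for the Tunnel-Private-Group-ID attribute described above, plus the Tunnel-Type and Tunnel-Medium-Type attributes that accompany it in a VLAN assignment; the attribute type codes 64 and 65 and the Tunnel-Type value 13 (VLAN) are taken from RFC 2868 and RFC 3580, not from this page. The decoder also applies the RFC 2868 rule that a leading byte above 0x1F is part of the string rather than a tag, and rejects malformed or out-of-range values instead of guessing.

```python
from typing import Tuple

TUNNEL_TYPE = 64              # RFC 2868 Tunnel-Type; VLAN = 13 (RFC 3580)
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868 Tunnel-Medium-Type; 802 media = 0x06
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868 Tunnel-Private-Group-ID; VLAN ID as ASCII

def _check_tag(tag: int) -> None:
    # Tag groups attributes of one tunnel: 0x01..0x1F, or 0x00 when unused.
    if not (tag == 0 or 0x01 <= tag <= 0x1F):
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")

def encode_tpgid(vlan_id: int, tag: int = 0) -> bytes:
    """Build Tunnel-Private-Group-ID: Type(81) | Length | Tag | ASCII string."""
    _check_tag(tag)
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    text = str(vlan_id).encode("ascii")          # 103 -> b"\x31\x30\x33"
    return bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(text), tag]) + text

def decode_tpgid(attr: bytes) -> Tuple[int, int]:
    """Return (tag, vlan_id); reject anything malformed rather than guessing."""
    if len(attr) < 3 or attr[0] != TUNNEL_PRIVATE_GROUP_ID or attr[1] != len(attr):
        raise ValueError("malformed Tunnel-Private-Group-ID attribute")
    # RFC 2868: a first byte above 0x1F is not a tag but the start of the string.
    if attr[2] > 0x1F:
        tag, text = 0, attr[2:]
    else:
        tag, text = attr[2], attr[3:]
    if not text.isdigit():                        # empty or non-ASCII-digit string
        raise ValueError("VLAN ID is not an ASCII integer")
    vlan_id = int(text)
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return tag, vlan_id

def vlan_assignment_avps(vlan_id: int, tag: int = 0) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID with one
    shared tag. Tagged integer attributes are Type | Length=6 | Tag | 3-byte value."""
    _check_tag(tag)
    tunnel_type = bytes([TUNNEL_TYPE, 6, tag]) + (13).to_bytes(3, "big")
    medium_type = bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + (6).to_bytes(3, "big")
    return tunnel_type + medium_type + encode_tpgid(vlan_id, tag)

if __name__ == "__main__":
    avp = encode_tpgid(103)
    print(avp.hex())            # 510600313033
    print(decode_tpgid(avp))    # (0, 103)
```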
VLAN Authorization Considerations
VLAN Authorization poses some operational and management issues on the network.
• A VLAN is not a security container. It is a broadcast container, used to segment broadcast traffic on the network. ACLs implemented at the layer 3 routed interface for a VLAN only provide access control for traffic into and out of the VLAN. No access control mechanism for intra-VLAN communications exists, so users within the VLAN are not protected from each other. Malicious traffic allowed onto a VLAN can potentially infect all traffic on the VLAN. Such an infection can consume valuable hardware resources on the infrastructure, such as CPU cycles and memory. Infections can be transmitted to other hosts within the VLAN and to the layer 3 routed boundary, placing malicious traffic in direct competition with business critical traffic on the network.
• End-to-end QoS cannot be truly guaranteed if QoS is implemented at the layer 3 routed interface for a network where business critical applications are classified and prioritized.
• If VLANs are implemented to group together users that are members of the same organizational group, then a VLAN must be configured everywhere in the network topology where a member of that organizational unit may connect to the network. For example, if an engineer may connect to the network from any location, then the Engineering VLAN must be configured on all access layer devices in the network. These VLAN configurations lead to over-extended broadcast domains as well as added configuration complexity in the network topology.
• A problem with moving an end system to a new VLAN is that the end system must be issued an IP address on the subnet of the VLAN it has joined. If the end system does not yet have an IP address, this is not usually a problem. However, if the end system already has an IP address, the lease of that address must time out before it attempts to obtain a new address, which may take some time. The IP address assignment process, implemented by DHCP, and the authentication process are not conjoined on the end system. Therefore, an end system may hold an invalid IP address after dynamic VLAN Authorization and lose IP connectivity until its current IP address times out. Furthermore, when a new IP address is eventually assigned to the end system, IP connectivity is disrupted for all applications on the end system.
Policy Maptable Response
The policy maptable response, or conflict resolution, feature allows you to define how the system should handle admitting an authenticated user onto a port based on the contents of the RADIUS Accept message reply. There are three possible response settings: tunnel mode, policy mode, or both tunnel and policy, also known as hybrid authentication mode.