
Enterasys Matrix 2G4072-52 - RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

Matrix DFE-Platinum and Diamond Series Configuration Guide 14-3
14.1.1 RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment

If you configure an authentication method that requires communication with a RADIUS server, you can use the RADIUS Filter-ID attribute to dynamically assign a policy profile and/or management level to authenticating users and/or devices.

The RADIUS Filter-ID attribute is simply a string that is formatted in the RADIUS Access-Accept packet sent back from the RADIUS server to the switch during the authentication process.

Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute that specifies the name of the policy profile and/or management level the user should be assigned upon successful authentication. During the authentication process, when the RADIUS server returns a RADIUS Access-Accept message that includes a Filter-ID matching a policy profile name configured on the switch, the switch then dynamically applies the policy profile to the physical port the user/device is authenticating on.

Filter-ID Attribute Formats

Enterasys Networks supports two Filter-ID formats — “decorated” and “undecorated.” The decorated format has three forms:

To specify the policy profile to assign to the authenticating user (network access authentication):

    Enterasys:version=1:policy=string

where string specifies the policy profile name. Policy profile names are case-sensitive.

To specify a management level (management access authentication):

    Enterasys:version=1:mgmt=level

where level indicates the management level, either ro, rw, or su.

To specify both management level and policy profile:

    Enterasys:version=1:mgmt=level:policy=string

The undecorated format is simply a string that specifies a policy profile name. The undecorated format cannot be used for management access authentication.

Decorated Filter-IDs are processed first. If no decorated Filter-IDs are found, then undecorated Filter-IDs are processed. If multiple Filter-IDs are found that contain conflicting values, a Syslog message is generated.
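
The following is an added example, not code from this guide or from the switch firmware: a small Python resolver for auditing the Filter-ID values a RADIUS server returns, applying the formats and the decorated-first precedence described above. The names resolve_filter_ids and Result are hypothetical. Three behaviours are assumptions the guide does not state: policy names contain no colon, a string that starts with "Enterasys:" but matches none of the three forms is rejected rather than treated as an undecorated policy name, and a conflicting field resolves to no value.

```python
import re
from typing import NamedTuple, Optional

# The three decorated forms from the guide: mgmt only, policy only, or mgmt then policy.
# Assumption: a policy name contains no ':' (the guide does not say either way).
DECORATED = re.compile(
    r"Enterasys:version=1"
    r"(?::mgmt=(?P<mgmt>ro|rw|su))?"
    r"(?::policy=(?P<policy>[^:]+))?"
)

class Result(NamedTuple):
    policy: Optional[str]   # policy profile name, case-sensitive
    mgmt: Optional[str]     # ro, rw or su
    conflict: bool          # the case in which the guide says a Syslog message is generated
    malformed: list         # "Enterasys:" strings matching no documented form

def _pick(values):
    """Return (value, conflict): the single agreed value, else None."""
    if len(values) == 1:
        return next(iter(values)), False
    return None, len(values) > 1

def resolve_filter_ids(filter_ids):
    """Resolve every Filter-ID string carried in one Access-Accept."""
    policies, levels, plain, malformed = set(), set(), set(), []
    decorated_seen = False
    for fid in filter_ids:
        m = DECORATED.fullmatch(fid)
        if m and (m["mgmt"] or m["policy"]):
            decorated_seen = True
            if m["policy"]:
                policies.add(m["policy"])
            if m["mgmt"]:
                levels.add(m["mgmt"])
        elif fid.startswith("Enterasys:"):
            malformed.append(fid)   # assumption: never reused as a policy name
        elif fid:
            plain.add(fid)
    if not decorated_seen:
        policies = plain            # undecorated values carry a policy name only
    policy, policy_conflict = _pick(policies)
    mgmt, mgmt_conflict = _pick(levels)
    return Result(policy, mgmt, policy_conflict or mgmt_conflict, malformed)

if __name__ == "__main__":
    # Constructed sample: one decorated and one undecorated value in the same reply.
    print(resolve_filter_ids(["Guest", "Enterasys:version=1:mgmt=ro:policy=Sales"]))
```

Because profile names are case-sensitive, "Guest" and "guest" returned together are reported as a conflict rather than as the same profile.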
