Hybrid authentication is an authentication capability that allows the switch to use both the filter-ID and tunnel attributes in the RADIUS response message to determine how to treat the authenticating user.
Hybrid authentication is configured by specifying the both option in the set policy maptable response command. The both option:
If all attributes exist, the following rules apply:
vlanauthorization must be enabled or the VLAN tunnel attributes are ignored and the default VLAN is used. Please see Configuring VLAN Authorization for a complete VLAN Authorization discussion.
Hybrid Mode support eliminates the dependency of VLAN assignment based on roles. As a result, VLANs can be assigned via the tunnel-private-group-ID, as defined per RFC3580, while assigning roles via the filter-ID. This separation gives administrators more flexibility to segment their networks for efficiency beyond the role limits associated with the B3, C3, and G3 platforms.
The following example specifies that either or both the vlan-tunnel and filter-ID attributes can be included in the RADIUS response message:
System(rw)->set policy maptable response both