Applying Policy Using Hybrid Authentication Mode

Hybrid authentication is an authentication capability that allows the switch to use both the filter-ID and tunnel attributes in the RADIUS response message to determine how to treat the authenticating user.

Hybrid authentication is configured by specifying the both option in the set policy maptable response command. The both option:

• Applies the VLAN tunnel attributes if they exist and the filter-ID attribute does not
• Applies the filter-ID attribute if it exists and the VLAN tunnel attributes do not
• Applies both the filter-ID and the VLAN tunnel attributes if all attributes exist

If all attributes exist, the following rules apply:

• The policy role will be enforced, with the exception that any port PVID specified in the role will be replaced with the VLAN tunnel attributes
• The policy map is ignored because the policy role is explicitly assigned
• VLAN classification rules are assigned as defined by the policy role

vlanauthorization must be enabled or the VLAN tunnel attributes are ignored and the default VLAN is used. Please see Configuring VLAN Authorization for a complete VLAN Authorization discussion.

Hybrid Mode support eliminates the dependency of VLAN assignment based on roles. As a result, VLANs can be assigned via the tunnel-private-group-ID, as defined per RFC3580, while assigning roles via the filter-ID. This separation gives administrators more flexibility to segment their networks for efficiency beyond the role limits associated with the B3, C3, and G3 platforms.

The following example specifies that either or both the vlan-tunnel and filter-ID attributes can be included in the RADIUS response message:

System(rw)->set policy maptable response both