Applying Policy Using the RADIUS Response Attributes

If an authentication method that requires communication with an authentication server is configured for a user, the RADIUS filter-ID attribute can be used to dynamically assign a policy role to the authenticating user. The switch receives the supported RADIUS attributes in the RADIUS access-accept message. The RADIUS filter-ID can also be applied in hybrid authentication mode. Hybrid authentication mode determines how the switch handles the RADIUS filter-ID and the three RFC 3580 VLAN tunnel attributes (VLAN Authorization) when either or all of them are included in the RADIUS access-accept message. The three VLAN tunnel attributes define the base VLAN-ID to be applied to the user. In either mode, conflict resolution between these RADIUS attributes is provided by the maptable response feature.

Note

VLAN-to-policy mapping to maptable response configuration behavior is as follows:
  • If the RADIUS response is set to policy, any VLAN-to-policy maptable configuration is ignored for all platforms.
  • If the RADIUS response is set to tunnel, VLAN-to-policy mapping can occur on S-, K-, and 7100-Series platforms.
  • If the RADIUS response is set to both and both the filter-ID and tunnel attributes are present, VLAN-to-policy mapping configuration is ignored.
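The three cases above are easiest to see as one decision function. The following is an added example, not code from the switch or from this guide: it models how a switch would resolve a RADIUS access-accept under each maptable response setting (policy, tunnel, both) and when the VLAN-to-policy maptable is consulted. The filter-ID string format (an "Enterasys:version=1:policy=<role>" style string), the rule that the policy setting ignores the tunnel attributes entirely, and the attribute dictionary layout are assumptions for illustration; the attribute type numbers (Filter-Id 11, Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) and the RFC 3580 values VLAN (13) and IEEE-802 (6) are from the RFCs. The tunnel attributes are validated before the VLAN-ID in them is trusted, which is the check a practitioner wants: a group ID sent with the wrong tunnel type must not become a base VLAN.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RADIUS attribute type numbers (RFC 2865 / RFC 2868) and the fixed values
# RFC 3580 requires on the three VLAN tunnel attributes.
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class Decision:
    """What the switch applies to the authenticated user."""
    policy: Optional[str] = None   # policy role name, or None
    vlan: Optional[int] = None     # base VLAN-ID, or None
    notes: List[str] = field(default_factory=list)


def parse_filter_id(value: Optional[str]) -> Optional[str]:
    """Extract the policy role from an assumed 'Enterasys:version=1:policy=<role>'
    filter-ID. Returns None for anything that does not match that shape."""
    if not value or not value.startswith("Enterasys:"):
        return None
    fields = {}
    for token in value.split(":")[1:]:
        key, sep, val = token.partition("=")
        if not sep:
            return None
        fields[key] = val
    if fields.get("version") != "1":
        return None
    return fields.get("policy") or None


def parse_tunnel_vlan(attrs: Dict[int, object]) -> Optional[int]:
    """Return the VLAN-ID from the RFC 3580 tunnel attributes, only if all three
    are present and consistent (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802)."""
    if attrs.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = str(attrs.get(TUNNEL_PRIVATE_GROUP_ID, ""))
    if not group.isdigit():
        return None
    vlan = int(group)
    return vlan if 1 <= vlan <= 4094 else None


def apply_response(mode: str, attrs: Dict[int, object],
                   vlan_to_policy: Dict[int, str],
                   vlan_map_supported: bool = True) -> Decision:
    """Resolve the access-accept under a maptable response setting.
    vlan_map_supported models the platform restriction: VLAN-to-policy mapping
    is documented only for S-, K- and 7100-Series switches."""
    d = Decision()
    filter_policy = parse_filter_id(attrs.get(FILTER_ID))
    vlan = parse_tunnel_vlan(attrs)

    if mode == "policy":
        # Assumption: only the filter-ID is honoured; maptable and tunnel ignored.
        d.policy = filter_policy
        d.notes.append("VLAN-to-policy maptable ignored (response=policy)")
    elif mode == "tunnel":
        d.vlan = vlan
        if vlan is not None and vlan_map_supported and vlan in vlan_to_policy:
            d.policy = vlan_to_policy[vlan]
            d.notes.append("policy derived from VLAN-to-policy maptable")
    elif mode == "both":
        d.vlan = vlan
        if filter_policy is not None:
            # Filter-ID and tunnel attributes both present: maptable is ignored.
            d.policy = filter_policy
            d.notes.append("filter-ID present; VLAN-to-policy maptable ignored")
        elif vlan is not None and vlan_map_supported and vlan in vlan_to_policy:
            d.policy = vlan_to_policy[vlan]
            d.notes.append("policy derived from VLAN-to-policy maptable")
    else:
        raise ValueError(f"unknown maptable response mode: {mode}")
    return d


# Constructed sample access-accept contents and maptable for a quick run.
SAMPLE_ATTRS = {
    FILTER_ID: "Enterasys:version=1:policy=Enterprise User",
    TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
    TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
    TUNNEL_PRIVATE_GROUP_ID: "100",
}
SAMPLE_MAPTABLE = {100: "Guest Access"}

if __name__ == "__main__":
    for mode in ("policy", "tunnel", "both"):
        print(mode, apply_response(mode, SAMPLE_ATTRS, SAMPLE_MAPTABLE))
```

Running the block prints the three outcomes: policy mode applies "Enterprise User" with no VLAN, tunnel mode applies VLAN 100 and the maptable policy "Guest Access", and both mode applies "Enterprise User" on VLAN 100 with the maptable ignored. Dropping the filter-ID from the sample while in both mode falls back to the maptable, and a Tunnel-Type other than 13 yields no VLAN at all.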

See Policy Maptable Response for a detailed discussion of the RADIUS response settings.

Please see for a discussion of RADIUS configuration, the RADIUS filter-ID, and VLAN authorization.

Use the policy option of the set policy maptable response command to configure the switch to dynamically assign a policy using the RADIUS filter-ID in the RADIUS response message.

The following example specifies that the RADIUS filter-ID, if it is present in the RADIUS response message when a user authenticates, should be used to apply the specified policy to the user:

System(rw)->set policy maptable response policy