If an authentication method that requires communication with an authentication server is configured for a user, the RADIUS filter-ID attribute can be used to dynamically assign a policy role to the authenticating user. Supported RADIUS attributes are sent to the switch in the RADIUS access-accept message. The RADIUS filter-ID can also be applied in hybrid authentication mode. Hybrid authentication mode determines how the switch handles the RADIUS filter-ID and the three RFC 3580 VLAN tunnel attributes (VLAN Authorization) when either or both are included in the RADIUS access-accept message. The three VLAN tunnel attributes define the base VLAN-ID to be applied to the user. In either case, conflict resolution between RADIUS attributes is provided by the maptable response feature.
Note
VLAN-to-policy mapping to maptable response configuration behavior is as follows: See the Policy Maptable Response for a detailed RADIUS response discussion.
Please see for a discussion of RADIUS configuration, the RADIUS filter-ID, and VLAN authorization.
Use the policy option of the set policy maptable response command to configure the switch to dynamically assign a policy using the RADIUS filter-ID in the RADIUS response message.
The following example specifies that the RADIUS filter-ID, if it is present in the RADIUS response message when a user authenticates, should be used to apply the specified policy to the user:
System(rw)->set policy maptable response policy
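When verifying a configuration like this, it helps to confirm which of the attributes discussed above the RADIUS server actually returns. The following Python code is an added example, not part of the original documentation or the switch software: it parses an access-accept message and reports the filter-ID and the three RFC 3580 tunnel attributes. The function names, the sample role name and the sample VLAN ID are assumptions made for illustration; the attribute type numbers come from RFC 2865 and RFC 2868, and the code does not model how the switch resolves conflicts.

```python
import struct

# RADIUS attribute types (RFC 2865, RFC 2868); RFC 3580 uses the three tunnel ones.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 11, 64, 65, 81
ACCESS_ACCEPT = 2

def parse_access_accept(packet: bytes) -> dict:
    """Extract Filter-Id and the RFC 3580 tunnel attributes (authenticator not verified)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    out = {"filter_id": None, "tunnel_type": None, "tunnel_medium": None, "vlan_id": None}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == FILTER_ID:
            out["filter_id"] = value.decode("utf-8", "replace")
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(value) == 4:
            key = "tunnel_type" if atype == TUNNEL_TYPE else "tunnel_medium"
            out[key] = int.from_bytes(value[1:], "big")  # skip the 1-byte tag
        elif atype == TUNNEL_PGID and value:
            # A first byte <= 0x1F is a tag; otherwise it is part of the string.
            text = value[1:] if value[0] <= 0x1F else value
            out["vlan_id"] = text.decode("ascii", "replace")
        pos += alen
    return out

def vlan_authorization_complete(a: dict) -> bool:
    """True when Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6) and a VLAN ID are all present."""
    return a["tunnel_type"] == 13 and a["tunnel_medium"] == 6 and bool(a["vlan_id"])

def sample_accept(include_vlan: bool = True) -> bytes:
    """Constructed Access-Accept; role name and VLAN ID are made-up sample values."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = attr(FILTER_ID, b"example-role")
    if include_vlan:
        body += attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d") + attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06")
        body += attr(TUNNEL_PGID, b"\x00" + b"42")
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    attrs = parse_access_accept(sample_accept())
    print(attrs, "VLAN authorization complete:", vlan_authorization_complete(attrs))
```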