Applying Policy Using the RADIUS Response Attributes
If a user is configured with an authentication method that requires communication with an authentication server, the RADIUS filter-ID attribute can be used to dynamically assign a policy role to the authenticating user. Supported RADIUS attributes are sent to the switch in the RADIUS access-accept message. The RADIUS filter-ID can also be applied in hybrid authentication mode. Hybrid authentication mode determines how the switch handles the RADIUS filter-ID and the three RFC 3580 VLAN tunnel attributes (VLAN Authorization) when either or all of them are included in the RADIUS access-accept message. The three VLAN tunnel attributes define the base VLAN-ID to be applied to the user. In either case, conflict resolution between RADIUS attributes is provided by the maptable response feature.
Note: The maptable response feature is only applicable if VLAN Authorization is enabled (configure policy vlanauthorization enable).
Note: VLAN-to-policy mapping behaves as follows depending on the maptable response configuration:
- If the RADIUS response is set to policy, any VLAN-to-policy maptable configuration is ignored on all platforms.
- If the RADIUS response is set to both and both the filter-ID and the tunnel attributes are present, the VLAN-to-policy mapping configuration is ignored. See the “When Policy Maptable Response is Both” section of the Configuring User Authentication feature guide for exceptions to this behavior.
Use the policy option of the configure policy maptable response command to configure the switch to dynamically assign a policy using the RADIUS filter-ID in the RADIUS response message.
Table 1 (Supported Access-Accept Attributes for ONEPolicy) lists the RADIUS access-accept attributes for ONEPolicy that ExtremeXOS supports.
Table 1. Supported Access-Accept Attributes for ONEPolicy

| Access-Accept Attribute | Description | Notes |
| Filter-Id | Policy Profile Name | |
| Tunnel-Medium-Type | IEEE-802 | Must be present when using Tunnel-Private-Group-Id. |
| Tunnel-Type | VLAN | Must be present when using Tunnel-Private-Group-Id. |
| Tunnel-Private-Group-Id | Tunnel-ID | Can be a VLAN tag or the pre-configured tagged VLAN name (string). |
| Session-Timeout | Number in seconds | '0' if it is not present. |
| Idle-Timeout | Number in seconds | '0' if it is not present. |
| Termination-Action | Default/RADIUS (0/1) | Default if it is not present. |
| Fabric-Attach-VLAN-ISID | Tunnel-ID:4digitNSID+4digitTunnel-ID | Example: 10:12010010. |
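The following added example (constructed here, not ExtremeXOS code) models how the attributes in Table 1 are checked and defaulted before a policy is derived: it verifies that Tunnel-Private-Group-Id arrives with both companion attributes, applies the documented '0'/Default fallbacks, and reports which attribute decides the policy under the policy and both maptable response settings. The Tunnel-Type and Tunnel-Medium-Type numeric values come from RFC 2868; the rule that the maptable is consulted when no Filter-Id is present in both mode is an assumption, and the documented exceptions are out of scope.

```python
from __future__ import annotations
from dataclasses import dataclass

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value for IEEE-802


@dataclass
class AccessAccept:
    """Subset of Access-Accept attributes; field names follow Table 1."""
    filter_id: str | None = None
    tunnel_type: int | None = None
    tunnel_medium_type: int | None = None
    tunnel_private_group_id: str | None = None
    session_timeout: int | None = None
    idle_timeout: int | None = None
    termination_action: int | None = None   # 0 = Default, 1 = RADIUS-Request


def validate_tunnel_attributes(resp: AccessAccept) -> list[str]:
    """Tunnel-Private-Group-Id is only usable with both companion attributes."""
    if resp.tunnel_private_group_id is None:
        return []
    problems = []
    if resp.tunnel_type != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type missing or not VLAN (13)")
    if resp.tunnel_medium_type != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type missing or not IEEE-802 (6)")
    return problems


def effective_settings(resp: AccessAccept, maptable_response: str) -> dict:
    """Apply Table 1 defaults and the maptable notes for 'policy' or 'both'."""
    has_tunnel = resp.tunnel_private_group_id is not None and not validate_tunnel_attributes(resp)
    vlan = resp.tunnel_private_group_id if has_tunnel else None
    if isinstance(vlan, str) and vlan.isdigit():
        vlan = int(vlan)  # numeric string is a VLAN tag; otherwise a tagged VLAN name
    if resp.filter_id:
        source = "filter-id"  # in both modes Filter-Id decides and the maptable is ignored
    elif maptable_response == "both" and has_tunnel:
        source = "vlan-to-policy-maptable"  # assumption: maptable applies when no Filter-Id
    else:
        source = None
    return {
        "policy": resp.filter_id if source == "filter-id" else None,
        "policy_source": source,
        "vlan": vlan,
        "session_timeout": resp.session_timeout or 0,   # '0' if not present
        "idle_timeout": resp.idle_timeout or 0,         # '0' if not present
        "termination_action": 0 if resp.termination_action is None else resp.termination_action,
        "problems": validate_tunnel_attributes(resp),
    }
```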