Applying Policy Using Hybrid Authentication Mode
Hybrid authentication is an authentication capability that allows the switch to use both the
filter-ID and tunnel attributes in the RADIUS response message to determine how to treat the
authenticating user. Hybrid authentication is configured by specifying the both option in the
configure policy maptable response command. The both option:
- Applies the VLAN tunnel attributes if they exist and the filter-ID attribute does not
- Applies the filter-ID attribute if it exists and the VLAN tunnel attributes do not
- Applies both the filter-ID and the VLAN tunnel attributes if all attributes exist
If all attributes exist, the following rules apply:
- The policy role will be enforced, with the exception that any port PVID specified in the role will be replaced with the VLAN tunnel attributes
- The policy map is ignored because the policy role is explicitly assigned
- VLAN classification rules are assigned as defined by the policy role
vlanauthorization must be enabled; otherwise the VLAN tunnel attributes are ignored and the
default VLAN is used. See the Configuring User Authentication feature guide located at
http://documentation.extremenetworks.com for a complete VLAN Authorization discussion.
Hybrid Mode support removes the dependency of VLAN assignment on roles. As a result, VLANs can
be assigned via the tunnel-private-group-ID, as defined in RFC 3580, while roles are assigned
via the filter-ID. This separation gives administrators more flexibility to segment their
networks for efficiency beyond the role limits.
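The following added example (not Extreme Networks code) models the both-option rules and the vlanauthorization caveat above, so an administrator can predict how a given RADIUS Access-Accept will be treated and spot users who would silently land in the default VLAN. The function names, the dictionary layout and the sample values are hypothetical; the filter-ID is treated as an opaque role name, and the tunnel attribute values (Tunnel-Type 13, Tunnel-Medium-Type 6, VLAN ID 1 to 4094, optional tag octet) follow RFC 3580 and RFC 2868.

```python
# Added example: models the "both" response rules from this page.
# Function names, dict layout and sample values are hypothetical/constructed.
TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type=VLAN
TUNNEL_MEDIUM_802 = 6   # RFC 3580: Tunnel-Medium-Type=802


def tunnel_vlan(attrs):
    """Return the VLAN ID from a complete RFC 3580 tunnel set, else None."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    gid = attrs.get("Tunnel-Private-Group-ID", b"")   # raw attribute bytes
    if gid and 0x01 <= gid[0] <= 0x1F:   # optional RFC 2868 tag octet
        gid = gid[1:]
    text = gid.decode("ascii", errors="replace")
    if not text.isdigit():
        return None
    vid = int(text)
    return vid if 1 <= vid <= 4094 else None


def resolve(attrs, vlanauthorization):
    """Predict the treatment of one Access-Accept under maptable response 'both'."""
    role = attrs.get("Filter-Id") or None   # assumption: opaque role name
    vlan = tunnel_vlan(attrs)
    warnings = []
    if vlan is not None and not vlanauthorization:
        warnings.append("vlanauthorization disabled: tunnel VLAN %d ignored, "
                        "default VLAN used" % vlan)
        vlan = None
    if role and vlan is not None:
        mode = "both"            # role enforced, role PVID replaced by tunnel VLAN
    elif vlan is not None:
        mode = "tunnel-only"
    elif role:
        mode = "filter-id-only"
    else:
        mode = "none"            # outcome not described on this page
    return {"mode": mode, "role": role, "vlan": vlan, "warnings": warnings}


if __name__ == "__main__":
    # Constructed Access-Accept attributes (tagged group ID carrying VLAN 120).
    accept = {"Filter-Id": "guest-role", "Tunnel-Type": 13,
              "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": b"\x01120"}
    print(resolve(accept, vlanauthorization=True))
    print(resolve(accept, vlanauthorization=False))
```

A non-empty warnings list marks a session whose RADIUS-assigned VLAN is not being honored, which is the segmentation gap to look for when auditing a hybrid-mode deployment.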