Applying Policy Using the RADIUS Response Attributes
If an authentication method that requires communication with an
authentication server is configured for a user, the RADIUS filter-ID attribute can be used to
dynamically assign a policy role to the authenticating user. Supported RADIUS attributes are
sent to the switch in the RADIUS access-accept message. The RADIUS filter-ID can also be
applied in hybrid authentication mode. Hybrid authentication mode determines how the RADIUS
filter-ID and the three RFC 3580 VLAN tunnel attributes (VLAN Authorization), when either or
all are included in the RADIUS access-accept message, will be handled by the switch. The three
VLAN tunnel attributes define the base VLAN-ID to be applied to the user. In either case,
conflict resolution between RADIUS attributes is provided by the maptable response
feature.
Note
The maptable response feature is only applicable if VLAN Authorization is
enabled (
configure policy vlanauthorization enable).
Note
VLAN-to-policy mapping to maptable response configuration behavior is
as follows:
- If the RADIUS response is set to policy, any VLAN-to-policy
maptable configuration is ignored for all platforms.
- If the RADIUS response is set to tunnel, VLAN-to-policy mapping
can occur on a modular switch platform.
- If the RADIUS response is set to both and both the filter-ID and
tunnel attributes are present, VLAN-to-policy mapping configuration is ignored. See the
“When Policy Maptable Response is Both” section of the Configuring User Authentication
feature guide for exceptions to this behavior.
Use the policy option of the configure
policy maptable response command to configure the switch to dynamically assign a
policy using the RADIUS filter-ID in the RADIUS response message.
Print
this page
Email this topic
Feedback
View PDF
Download EPUB