Print
this page
Email this topic
Feedback
View PDF
Download EPUBApplying Policy Using Hybrid Authentication Mode
Hybrid authentication is an authentication capability that allows the switch
to use both the filter-ID and tunnel attributes in the RADIUS response message to determine how
to treat the authenticating user. Hybrid authentication is configured by specifying the both option in the configure policy maptable response command. The both
option:
- Applies the VLAN tunnel attributes if they exist and the filter-ID attribute does not exist
- Applies the filter-ID attribute if it exists and the VLAN tunnel attributes do not exist
- Applies both the filter-ID and the VLAN tunnel attributes if all
attributes exist If all attributes exist, the following rules apply:
- The policy role will be enforced, with the exception that any port PVID specified in the role will be replaced with the VLAN tunnel attributes
- The policy map is ignored because the policy role is explicitly assigned
- VLAN classification rules are assigned as defined by the policy role
vlanauthorization must be enabled or the VLAN tunnel attributes are ignored and the default VLAN is used.
Hybrid Mode support eliminates the dependency of VLAN assignment based on roles. As a result, VLANs can be assigned via the tunnel-private-group-ID, as defined per RFC3580, while assigning roles via the filter-ID. This separation gives administrators more flexibility to segment their networks for efficiency beyond the role limits.