Applying Policy Using Hybrid Authentication Mode

Hybrid authentication is an authentication capability that allows the switch to use both the filter-ID and tunnel attributes in the RADIUS response message to determine how to treat the authenticating user. Hybrid authentication is configured by specifying the both option in the configure policy maptable response command. The both option:
  • Applies the VLAN tunnel attributes if they exist and the filter-ID attribute does not exist
  • Applies the filter-ID attribute if it exists and the VLAN tunnel attributes do not exist
  • Applies both the filter-ID and the VLAN tunnel attributes if all attributes exist
    If all attributes exist, the following rules apply:
    • The policy role will be enforced, with the exception that any port PVID specified in the role will be replaced with the VLAN tunnel attributes
    • The policy map is ignored because the policy role is explicitly assigned
    • VLAN classification rules are assigned as defined by the policy role

vlanauthorization must be enabled or the VLAN tunnel attributes are ignored and the default VLAN is used.

Hybrid Mode support eliminates the dependency of VLAN assignment based on roles. As a result, VLANs can be assigned via the tunnel-private-group-ID, as defined per RFC3580, while assigning roles via the filter-ID. This separation gives administrators more flexibility to segment their networks for efficiency beyond the role limits.