Applying Policy Using the RADIUS Response Attributes

If an authentication method that requires communication with an authentication server is configured for a user, the RADIUS (Remote Authentication Dial In User Service) filter-ID attribute can be used to dynamically assign a policy role to the authenticating user. Supported RADIUS attributes are sent to the switch in the RADIUS access-accept message. The RADIUS filter-ID can also be applied in hybrid authentication mode. Hybrid authentication mode determines how the RADIUS filter-ID and the three RFC 3580 VLAN (Virtual LAN) tunnel attributes (VLAN Authorization), when either or all are included in the RADIUS access-accept message, will be handled by the switch. The three VLAN tunnel attributes define the base VLAN-ID to be applied to the user. In either case, conflict resolution between RADIUS attributes is provided by the maptable response feature.
Note

Note

The maptable response feature is only applicable if VLAN Authorization is enabled (configure policy vlanauthorization enable).
Note

Note

VLAN-to-policy mapping to maptable response configuration behavior is as follows:
  • If the RADIUS response is set to policy, any VLAN-to-policy maptable configuration is ignored for all platforms.
  • If the RADIUS response is set to both and both the filter-ID and tunnel attributes are present, VLAN-to-policy mapping configuration is ignored. See the “When Policy Maptable Response is Both” section of the Configuring User Authentication feature guide for exceptions to this behavior.

Use the policy option of the configure policy maptable response command to configure the switch to dynamically assign a policy using the RADIUS filter-ID in the RADIUS response message.