Applying Policy Using Hybrid Authentication Mode

Hybrid authentication is an authentication capability that allows the switch to use both the filter-ID and tunnel attributes in the RADIUS (Remote Authentication Dial In User Service) response message to determine how to treat the authenticating user. Hybrid authentication is configured by specifying the both option in the configure policy maptable response command. The both option:
  • Applies the VLAN (Virtual LAN) tunnel attributes if they exist and the filter-ID attribute does not exist
  • Applies the filter-ID attribute if it exists and the VLAN tunnel attributes do not exist
  • Applies both the filter-ID and the VLAN tunnel attributes if all attributes exist
    If all attributes exist, the following rules apply:
    • The policy role will be enforced, with the exception that any port PVID specified in the role will be replaced with the VLAN tunnel attributes
    • The policy map is ignored because the policy role is explicitly assigned
    • VLAN classification rules are assigned as defined by the policy role

VLAN authorization (vlanauthorization) must be enabled on the switch; otherwise the VLAN tunnel attributes are ignored and the default VLAN is used.

When policy maptable response is set to both and the RADIUS server returns only a VLAN tunnel ID (no filter-ID), the tunnel ID takes precedence and the FDB entry is learned on that tunnel VLAN ID, provided no policy maptable entry is configured on the switch for it. If a policy maptable entry is configured for that VLAN ID, the policy profile it maps to takes precedence and the FDB entry is learned on the profile's PVID rather than on the VLAN tunnel ID, when the invalid action is set to default-policy or drop.

For example:
  configure policy profile 60 name test pvid 2 pvid-status enable
  configure policy maptable 1234 60
If the RADIUS server sends VLAN tunnel ID 1234 exclusively (no filter-ID), the FDB entry after successful authentication is learned on PVID 2 from policy profile 60, not on VLAN 1234.
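
The following model of the precedence rules above (filter-ID with tunnel attributes, filter-ID alone, tunnel attributes alone with and without a maptable entry, and vlanauthorization disabled) is an added example written for this page, not Extreme Networks code. The class and function names, the use of Filter-Id as a bare policy profile name, and the fallbacks marked as assumptions in the comments are choices made for the example; the attribute sets are constructed, not captured from a RADIUS server. The only values taken from the page are profile 60 with PVID 2 and the maptable entry 1234 to 60.

```python
# Illustrative model of the "configure policy maptable response both"
# decision rules described on this page. Written for this page; not
# Extreme Networks code. Names, data structures and the fallbacks marked
# "assumption" are choices made for the example, not documented behaviour.
from dataclasses import dataclass, field
from typing import Optional

# RFC 2868 / RFC 3580 values: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass
class PolicyProfile:
    profile_id: int
    name: str
    pvid: Optional[int] = None      # port PVID the role assigns (if pvid-status is enabled)
    pvid_status: bool = False


@dataclass
class SwitchConfig:
    vlanauthorization: bool = True
    invalid_action: str = "default-policy"   # the page names default-policy and drop
    default_vlan: int = 1
    profiles: dict = field(default_factory=dict)   # profile_id -> PolicyProfile
    maptable: dict = field(default_factory=dict)   # tunnel VLAN ID -> profile_id


@dataclass
class Decision:
    role: Optional[int]       # policy profile ID enforced, or None
    fdb_vlan: Optional[int]   # VLAN the FDB entry is learned on
    reason: str


def vlan_from_tunnel_attrs(attrs: dict) -> Optional[int]:
    """Extract the VLAN ID from RFC 3580 tunnel attributes; None if absent or malformed."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE802:
        return None
    try:
        vlan = int(str(attrs.get("Tunnel-Private-Group-ID", "")))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None


def _profile_by_name(cfg: SwitchConfig, name: str) -> Optional[PolicyProfile]:
    # Assumption for the example: Filter-Id carries the policy profile name.
    return next((p for p in cfg.profiles.values() if p.name == name), None)


def _role_vlan(cfg: SwitchConfig, profile: PolicyProfile) -> int:
    # Assumption: a role without an enabled PVID leaves the client on the default VLAN.
    return profile.pvid if profile.pvid_status and profile.pvid else cfg.default_vlan


def apply_hybrid(cfg: SwitchConfig, attrs: dict) -> Decision:
    """Apply the 'both' rules to the attributes of one RADIUS Access-Accept."""
    tunnel_vlan = vlan_from_tunnel_attrs(attrs)
    if tunnel_vlan is not None and not cfg.vlanauthorization:
        tunnel_vlan = None  # vlanauthorization disabled: tunnel attributes are ignored
    role = _profile_by_name(cfg, attrs["Filter-Id"]) if "Filter-Id" in attrs else None

    if role is not None and tunnel_vlan is not None:
        # Rule: role enforced, its PVID replaced by the tunnel VLAN, maptable ignored
        return Decision(role.profile_id, tunnel_vlan, "filter-ID role with tunnel VLAN as PVID")
    if role is not None:
        return Decision(role.profile_id, _role_vlan(cfg, role), "filter-ID role only")
    if tunnel_vlan is not None:
        mapped = cfg.maptable.get(tunnel_vlan)
        if mapped is not None and cfg.invalid_action in ("default-policy", "drop"):
            profile = cfg.profiles[mapped]
            return Decision(profile.profile_id, _role_vlan(cfg, profile),
                            "maptable profile takes precedence over tunnel VLAN")
        return Decision(None, tunnel_vlan, "tunnel VLAN only")
    # Assumption: with no usable attributes the client stays on the default VLAN
    return Decision(None, cfg.default_vlan, "no usable attributes: default VLAN")


# The page's own example: profile 60 with PVID 2, maptable 1234 -> 60
PAGE_CONFIG = SwitchConfig(
    profiles={60: PolicyProfile(60, "test", pvid=2, pvid_status=True)},
    maptable={1234: 60},
)

# Constructed Access-Accept attribute sets (not captured from a real server)
ACCEPT_TUNNEL_ONLY = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "1234"}
ACCEPT_BOTH = dict(ACCEPT_TUNNEL_ONLY, **{"Filter-Id": "test"})


if __name__ == "__main__":
    for label, attrs in (("tunnel only", ACCEPT_TUNNEL_ONLY), ("both", ACCEPT_BOTH)):
        d = apply_hybrid(PAGE_CONFIG, attrs)
        print(f"{label:12s} role={d.role} fdb_vlan={d.fdb_vlan} ({d.reason})")
```

Running the model against the page's configuration reproduces the documented outcome: the tunnel-only Access-Accept lands the FDB entry on PVID 2 via profile 60, while removing the maptable entry makes the same Access-Accept learn on VLAN 1234 with no role. The tunnel attribute check also shows why a server that sends a Tunnel-Private-Group-ID without the matching Tunnel-Type and Tunnel-Medium-Type values, or an out-of-range VLAN, falls back to the default VLAN rather than an attacker-chosen one.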

Hybrid mode support removes the dependency between VLAN assignment and policy roles. As a result, VLANs can be assigned via the Tunnel-Private-Group-ID attribute, as defined in RFC 3580, while roles are assigned via the filter-ID. This separation gives administrators more flexibility to segment their networks for efficiency beyond the limits of role-based VLAN assignment.