Applying Policy Using the RADIUS Response Attributes

If an authentication method that requires communication with an authentication server is configured for a user, the RADIUS filter-ID attribute can be used to dynamically assign a policy role to the authenticating user. Supported RADIUS attributes are sent to the switch in the RADIUS access-accept message. The RADIUS filter-ID can also be applied in hybrid authentication mode. Hybrid authentication mode determines how the RADIUS filter-ID and the three RFC 3580 VLAN tunnel attributes (VLAN Authorization), when either or all are included in the RADIUS access-accept message, will be handled by the switch. The three VLAN tunnel attributes define the base VLAN-ID to be applied to the user. In either case, conflict resolution between RADIUS attributes is provided by the maptable response feature.
Note

Note

The maptable response feature is only applicable if VLAN Authorization is enabled (configure policy vlanauthorization enable).
Note

Note

VLAN-to-policy mapping to maptable response configuration behavior is as follows:
  • If the RADIUS response is set to policy, any VLAN-to-policy maptable configuration is ignored for all platforms.
  • If the RADIUS response is set to both and both the filter-ID and tunnel attributes are present, VLAN-to-policy mapping configuration is ignored. See the “When Policy Maptable Response is Both” section of the Configuring User Authentication feature guide for exceptions to this behavior.

Use the policy option of the configure policy maptable response command to configure the switch to dynamically assign a policy using the RADIUS filter-ID in the RADIUS response message.

Supported Access-Accept Attributes for ONEPolicy shows the RADIUS access-accept attributes for ONEPolicy that ExtremeXOS supports.

Table 1. Supported Access-Accept Attributes for ONEPolicy
Access-Accept Attribute Description Notes
Filter-Id Policy Profile Name
Tunnel-Medium-Type IEEE-802 Must be present when using Tunnel-Private-Group-Id.
Tunnel-Type VLAN Must be present when using Tunnel-Private-Group-Id.
Tunnel-Private-Group-Id Tunnel-ID Can be a VLAN tag or the pre-configured tagged VLAN name (string).
Session-Timeout Numbers in seconds ‘0‘ if it is not present.
Idle-Timeout Numbers in seconds ‘0‘ if it is not present.
Termination-action Default/Radius | 0/1 Default if it is not present.
Fabric-Attach-VLAN-ISID Tunnel-ID:4digitNSID+4digitTunnel-ID Example: 10:12010010.