Enterasys Networks 9034313-07 Operational Description, When Policy Maptable Response is Both

Models: 9034313-07


Configuring Policy Maptable Response

When the maptable response is set to policy mode, the system will use the Filter‐ID attributes in the RADIUS reply to apply a policy to the authenticating user and will ignore any tunnel attributes in the RADIUS reply. On this platform, when policy mode is configured, no VLAN‐to‐policy mapping will occur.

When the maptable response is set to both, or hybrid authentication mode, both Filter‐ID attributes (dynamic policy assignment) and tunnel attributes (dynamic VLAN assignment) sent in RADIUS server Access‐Accept replies are used to determine how the switch should handle authenticating users. On this platform, when hybrid authentication mode is configured, VLAN‐to‐policy mapping can occur, as described below in “When Policy Maptable Response is ‘Both’” on page 26‐53.

Using hybrid authentication mode eliminates the dependency on having to assign VLANs through policy roles — VLANs can be assigned by means of the tunnel attributes while policy roles can be assigned by means of the Filter‐ID attributes. Alternatively, VLAN‐to‐policy mapping can be used to map policies to users using the VLAN specified by the tunnel attributes, without having to configure Filter‐ID attributes on the RADIUS server. This separation gives administrators more flexibility in segmenting their networks beyond the platform’s hardware policy role limits.

Refer to “RADIUS Filter‐ID Attribute and Dynamic Policy Profile Assignment” on page 26‐3 for more information about Filter‐ID attributes and “Configuring VLAN Authorization (RFC 3580)” on page 26‐49 for more information about tunnel attributes.

Operational Description

When Policy Maptable Response is “Both”

Hybrid authentication mode uses both Filter‐ID attributes and tunnel attributes. To enable hybrid authentication mode, use the set policy maptable command and set the response parameter to both. When configured to use both sets of attributes:

- If both the Filter‐ID and tunnel attributes are present in the RADIUS reply, then the policy profile specified by the Filter‐ID is applied to the authenticating user, and if VLAN authorization is enabled globally and on the authenticating user’s port, the VLAN specified by the tunnel attributes is applied to the authenticating user.

  If VLAN authorization is not enabled, the VLAN specified by the policy profile is applied. See “Configuring VLAN Authorization (RFC 3580)” on page 26‐49 for information about enabling VLAN authorization globally and on specific ports.

- If the Filter‐ID attributes are present but the tunnel attributes are not present, the policy profile specified by the Filter‐ID is applied, along with the VLAN specified by the policy profile.

- If the tunnel attributes are present but the Filter‐ID attributes are not present or are invalid, and if VLAN authorization is enabled globally and on the authenticating user’s port, then the switch will check the VLAN‐to‐policy mapping table (configured with the set policy maptable command):

  - If an entry mapping the received VLAN ID to a valid policy profile is found, then that policy profile, along with the VLAN specified by the policy profile, will be applied to the authenticating user.

  - If no matching mapping table entry is found, the VLAN specified by the tunnel attributes will be applied to the authenticating user.

  - If the VLAN‐to‐policy mapping table is invalid, then the etsysPolicyRFC3580MapInvalidMapping MIB counter is incremented and the VLAN specified by the tunnel attributes will be applied to the authenticating user.
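The decision rules above (and the simpler policy-mode behaviour described earlier in this section) are easy to misread when auditing what a given RADIUS reply will actually grant a user. The following Python model is an added example, not Enterasys code, that encodes those rules so an administrator can check expected outcomes before changing the RADIUS server or the mapping table. It assumes the Filter‐ID carries the policy profile name directly, represents the etsysPolicyRFC3580MapInvalidMapping counter as a plain integer, and treats a mapping entry that names a non-existent profile as the "invalid mapping table" case; the profile names and VLAN IDs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PolicyProfile:
    name: str
    vlan: int  # VLAN the policy profile itself assigns


@dataclass
class RadiusReply:
    # Assumption: Filter-ID carries the policy profile name directly.
    filter_id: Optional[str] = None
    # VLAN ID carried by the RFC 3580 tunnel attributes.
    tunnel_vlan: Optional[int] = None


@dataclass
class SwitchConfig:
    maptable_response: str             # "policy" or "both"
    vlan_auth_global: bool             # VLAN authorization enabled globally
    vlan_auth_port: bool               # VLAN authorization enabled on the user's port
    profiles: Dict[str, PolicyProfile] # configured policy profiles
    vlan_to_policy: Dict[int, str]     # VLAN-to-policy mapping table (VLAN ID -> profile name)
    invalid_mapping_count: int = 0     # stands in for etsysPolicyRFC3580MapInvalidMapping


@dataclass
class Assignment:
    policy: Optional[str]
    vlan: Optional[int]
    reason: str


def resolve(cfg: SwitchConfig, reply: RadiusReply) -> Assignment:
    """Return the policy profile and VLAN the switch would apply for this reply."""
    profile = cfg.profiles.get(reply.filter_id) if reply.filter_id else None
    tunnel = reply.tunnel_vlan
    vlan_auth = cfg.vlan_auth_global and cfg.vlan_auth_port

    if cfg.maptable_response == "policy":
        # Policy mode: Filter-ID only; tunnel attributes ignored, no VLAN-to-policy mapping.
        if profile:
            return Assignment(profile.name, profile.vlan, "policy mode: Filter-ID")
        return Assignment(None, None, "policy mode: no valid Filter-ID")

    if cfg.maptable_response != "both":
        raise ValueError("only 'policy' and 'both' response modes are modelled here")

    if profile:
        # Valid Filter-ID: policy comes from it. VLAN comes from the tunnel
        # attributes only when present and VLAN authorization is enabled.
        if tunnel is not None and vlan_auth:
            return Assignment(profile.name, tunnel, "both: Filter-ID policy, tunnel VLAN")
        return Assignment(profile.name, profile.vlan, "both: Filter-ID policy, profile VLAN")

    if tunnel is not None:
        if not vlan_auth:
            # Assumption: this combination is not covered by the guide text;
            # modelled as no dynamic assignment.
            return Assignment(None, None, "both: tunnel VLAN but VLAN authorization disabled (assumed)")
        mapped_name = cfg.vlan_to_policy.get(tunnel)
        if mapped_name is None:
            return Assignment(None, tunnel, "both: no mapping entry, tunnel VLAN applied")
        mapped = cfg.profiles.get(mapped_name)
        if mapped is None:
            # Interpretation: an entry pointing at a non-existent profile is an invalid mapping.
            cfg.invalid_mapping_count += 1
            return Assignment(None, tunnel, "both: invalid mapping, tunnel VLAN applied")
        return Assignment(mapped.name, mapped.vlan, "both: VLAN-to-policy mapping")

    return Assignment(None, None, "both: no usable attributes in reply")


def sample_config(mode: str = "both", port_auth: bool = True) -> SwitchConfig:
    """Constructed sample switch state for trying out the rules."""
    profiles = {"Guest": PolicyProfile("Guest", 10), "Staff": PolicyProfile("Staff", 20)}
    mapping = {30: "Staff", 40: "Missing"}  # VLAN 40 points at a profile that does not exist
    return SwitchConfig(mode, True, port_auth, profiles, mapping)


if __name__ == "__main__":
    cfg = sample_config()
    for reply in (RadiusReply("Guest", 30), RadiusReply(None, 30), RadiusReply("Bogus", 40)):
        print(reply, "->", resolve(cfg, reply))
```

Running the model over a handful of replies makes the non-obvious cases visible: a valid Filter‐ID with VLAN authorization disabled on the port yields the profile's VLAN rather than the tunnel VLAN, and a tunnel VLAN whose mapping entry names a missing profile is applied with no policy at all while the invalid-mapping counter ticks up, which is the condition worth alerting on.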

SecureStack C3 Configuration Guide 26-53
