How RADIUS Data Is Used; The RADIUS Filter-ID; RFC 3580 - VLAN Authorization - Enterasys C5G124-24 Configuration Manual

Fixed switch platforms

User Authentication Overview
password configured on the switch to the authentication server. The authentication server verifies
the credentials and returns an Accept or Reject message back to the switch.

How RADIUS Data Is Used

The Enterasys switch decides whether to open the port and apply a policy, or to close the port, based
on the RADIUS message, the port's default policy, and the configured unauthenticated behavior.
RADIUS provides accounting functionality by way of accounting packets from the switch to the
RADIUS server, for such session statistics as start and end, total packets, and session end reason
events. This data can be used for both billing and network monitoring purposes.
Additionally RADIUS is widely used by VoIP service providers. It is used to pass login credentials
of a SIP end point (like a broadband phone) to a SIP Registrar using digest authentication, and
then to the authentication server using RADIUS. Sometimes it is also used to collect call detail
records (CDRs) later used, for instance, to bill customers for international long distance.
If you configure an authentication method that requires communication with an authentication
server, you can use the RADIUS Filter-ID attribute to dynamically assign either a policy profile or
management level to authenticating supplicants.

The RADIUS Filter-ID

The RADIUS Filter-ID attribute is a string carried in the RADIUS Access-Accept packet sent back
from the authentication server to the switch during the authentication process.
Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute
that specifies the name of either a policy profile or management level the user should be assigned
upon successful authentication. During the authentication process, when the authentication server
returns a RADIUS Access-Accept packet that includes a Filter-ID matching a policy profile name
configured on the switch, the switch then dynamically applies the policy profile to the physical
port the supplicant is authenticating on.
The decorated Filter-ID supports a policy attribute, a management access attribute, or both in the
following formats:
Enterasys:version=1:policy=policyname
Enterasys:version=1:mgmt=access-mgmtType
Enterasys:version=1:mgmt=access-mgmtType:policy=policyname
policyname is the name of the policy to apply to this authentication.
access-mgmtTypes supported are: ro (read-only), rw (read-write), and su (super-user).
The undecorated Filter-ID supports the policy attribute only in the following format:
policyname
The undecorated format is simply a string that specifies a policy profile name. The undecorated
format cannot be used for management access authentication. Decorated Filter-IDs are processed
first. If no decorated Filter-IDs are found, then undecorated Filter-IDs are processed. If multiple
Filter-IDs are found that contain conflicting values, a Syslog message is generated. Because a
decorated Filter-ID can grant su (super-user) management access to the switch, the RADIUS server's
user database, and the shared secret that authenticates its replies, control who obtains
administrative access; review both as carefully as the switch's local passwords.
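The Filter-ID processing rules above, expressed as an added Python example (this is not Enterasys code and does not reproduce the switch firmware). It parses both the decorated and the undecorated formats, validates the management level, applies decorated values before undecorated ones, and flags conflicting values. Where the text says only that a Syslog message is generated on conflict, the example keeps the first value seen and reports the conflict; that tie-break is an assumption, not documented switch behavior.

```python
"""Filter-ID interpretation for Enterasys policy/management assignment.

Added example, not Enterasys code. Rules modeled from the text:
  - decorated:   Enterasys:version=1:policy=<name>
                 Enterasys:version=1:mgmt=<ro|rw|su>
                 Enterasys:version=1:mgmt=<ro|rw|su>:policy=<name>
  - undecorated: <name>   (policy only, never management access)
  - decorated values are processed first; undecorated only if none decorated
  - conflicting values are flagged (the switch logs to syslog)
"""
import re

MGMT_LEVELS = {"ro", "rw", "su"}
DECORATED = re.compile(r"^Enterasys:version=1(?P<rest>(:(mgmt|policy)=[^:]+){1,2})$")


def parse_filter_id(value):
    """Parse one Filter-Id string into {"decorated": bool, "policy"?: str, "mgmt"?: str}."""
    m = DECORATED.match(value)
    if not m:
        # Undecorated form: the whole string is a policy profile name.
        return {"decorated": False, "policy": value}
    attrs = {"decorated": True}
    for part in m.group("rest").split(":")[1:]:
        key, _, val = part.partition("=")
        if key in attrs:
            raise ValueError(f"duplicate {key} in {value!r}")
        if key == "mgmt" and val not in MGMT_LEVELS:
            raise ValueError(f"unknown management level {val!r} in {value!r}")
        attrs[key] = val
    return attrs


def resolve(filter_ids):
    """Combine every Filter-Id attribute from one Access-Accept.

    Returns {"policy": name|None, "mgmt": level|None, "conflict": bool}.
    Assumption (not from the manual): on conflict the first value is kept.
    """
    parsed = [parse_filter_id(v) for v in filter_ids]
    decorated = [p for p in parsed if p["decorated"]]
    candidates = decorated if decorated else parsed
    result = {"policy": None, "mgmt": None, "conflict": False}
    for p in candidates:
        for key in ("policy", "mgmt"):
            val = p.get(key)
            if val is None:
                continue
            if result[key] is None:
                result[key] = val
            elif result[key] != val:
                result["conflict"] = True  # switch would emit a Syslog message here
    return result


if __name__ == "__main__":
    # Constructed sample Access-Accept contents, one list per user
    samples = {
        "admin":    ["Enterasys:version=1:mgmt=su:policy=Admin"],
        "employee": ["Guest", "Enterasys:version=1:policy=Employee"],  # decorated wins
        "guest":    ["Guest"],
        "broken":   ["Enterasys:version=1:policy=A", "Enterasys:version=1:policy=B"],
    }
    for user, ids in samples.items():
        print(user, resolve(ids))
```

Note that an undecorated value never yields a management level, so a server that is supposed to grant CLI access must send the decorated form; the parser rejects any mgmt value other than ro, rw or su rather than silently dropping it.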
RFC 3580 — VLAN Authorization
Enterasys switches support the RFC 3580 RADIUS tunnel attributes for dynamic VLAN
assignment. The VLAN-Tunnel-Attribute provisions service in response to a successful
authentication: it defines the base VLAN-ID to be applied to the user. On ports that do not
support policy, the user's traffic is tagged with that VLAN-ID.
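An added Python example (not Enterasys code) showing what the RFC 3580 VLAN assignment looks like on the wire and how a switch can extract the VLAN-ID from it. The attribute numbers and values are from RFC 2868 and RFC 3580: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) carrying the VLAN-ID as a string, each with the optional leading tag octet. The decoder groups attributes by tag and refuses an assignment unless all three agree; that grouping rule and the 1..4094 range check are this example's choices, not documented Enterasys behavior.

```python
"""RFC 3580 dynamic VLAN assignment: encode and decode the RADIUS tunnel attributes.

Added example, not Enterasys code. Attribute numbers/values from RFC 2868 and RFC 3580.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802


def avp(attr_type, value):
    """RADIUS attribute TLV: Type (1 octet), Length (1 octet, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vlan_assignment(vlan_id, tag=1):
    """Build the three attributes a RADIUS server sends to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    # Tagged integers: one tag octet followed by a 3-octet big-endian value
    tt = avp(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
    tm = avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
    # Tagged string: tag octet followed by the VLAN-ID in ASCII
    tp = avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    return tt + tm + tp


def iter_avps(data):
    """Walk a byte string of RADIUS attributes, yielding (type, value)."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        yield t, data[pos + 2:pos + length]
        pos += length


def split_tag(value, tagged_integer):
    """Separate the RFC 2868 tag octet from the payload.

    For tagged integers the first octet is always the tag. For tagged strings
    a first octet above 0x1F is data, not a tag (RFC 2868 section 3.6).
    """
    if not value:
        raise ValueError("empty tunnel attribute")
    if tagged_integer or value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(data):
    """Return the VLAN-ID a switch would apply, or None if the attribute set is unusable."""
    groups = {}
    for t, v in iter_avps(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, payload = split_tag(v, tagged_integer=True)
            groups.setdefault(tag, {})[t] = int.from_bytes(payload, "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, payload = split_tag(v, tagged_integer=False)
            groups.setdefault(tag, {})[t] = payload.decode("ascii", "replace")
    # Use the first tag group that is a complete, consistent VLAN assignment
    for _tag, g in sorted(groups.items()):
        if g.get(TUNNEL_TYPE) == VLAN and g.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
            gid = g.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    accept = encode_vlan_assignment(100)      # constructed sample Access-Accept attributes
    print(accept.hex())                        # 40060100000d 410601000006 510601313030
    print(vlan_from_accept(accept))            # 100
```

A server that omits Tunnel-Medium-Type, sends a non-VLAN Tunnel-Type, or puts a non-numeric name in Tunnel-Private-Group-ID yields None here; a real switch falls back to its default/unauthenticated behavior in those cases, which is exactly the configuration the text says the port decision also depends on.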
10-8 Configuring User Authentication
