Enterasys C5G124-24 Configuration Manual page 151

Fixed switch platforms
When the maptable response is set to tunnel mode, the system will use the tunnel attributes in the
RADIUS reply to apply a VLAN to the authenticating user and will ignore any Filter-ID attributes
in the RADIUS reply. When tunnel mode is configured, VLAN-to-policy mapping will not occur
on a stackable fixed switch or standalone fixed switch platform.
When the maptable response is set to policy mode, the system will use the Filter-ID attributes in
the RADIUS reply to apply a policy to the authenticating user and will ignore any tunnel
attributes in the RADIUS reply. When policy mode is configured, no VLAN-to-policy mapping
will occur.
When the maptable response is set to both, or hybrid authentication mode, both Filter-ID
attributes (dynamic policy assignment) and tunnel attributes (dynamic VLAN assignment) sent in
RADIUS Accept message replies are used to determine how the switch should handle
authenticating users. When hybrid authentication mode is configured, VLAN-to-policy mapping
can occur, as described below in "When Policy Maptable Response is "Both"".
Note: Hybrid authentication is supported on B-Series and C-Series stackable fixed switches and
the G-Series standalone switches for Releases 6.3 and greater, and on A4 and I-Series for Release
6.61 and greater.
Using hybrid authentication mode eliminates the dependency on having to assign VLANs
through policy roles — VLANs can be assigned by means of the tunnel attributes while policy
roles can be assigned by means of the Filter-ID attributes. Alternatively, VLAN-to-policy mapping
can be used to map policies to users using the VLAN specified by the tunnel attributes, without
having to configure Filter-ID attributes on the RADIUS server. This separation gives
administrators more flexibility in segmenting their networks beyond the platform's policy role
limits.
When Policy Maptable Response is "Both"
Hybrid authentication mode uses both Filter-ID attributes and tunnel attributes. To enable hybrid
authentication mode, use the set policy maptable command and set the response parameter to
both. When configured to use both sets of attributes:
- If both the Filter-ID and tunnel attributes are present in the RADIUS reply, then the policy
  profile specified by the Filter-ID is applied to the authenticating user, and if VLAN
  authorization is enabled globally and on the authenticating user's port, the VLAN specified by
  the tunnel attributes is applied to the authenticating user.
  If VLAN authorization is not enabled, the VLAN specified by the policy profile is applied. See
  "RFC 3580 — VLAN Authorization" on page 10-8 for information about VLAN authorization.
- If the Filter-ID attributes are present but the tunnel attributes are not present, the policy
  profile specified by the Filter-ID is applied, along with the VLAN specified by the policy
  profile.
- If the tunnel attributes are present but the Filter-ID attributes are not present, and if VLAN
  authorization is enabled globally and on the authenticating user's port, then the switch will
  check the VLAN-to-policy mapping table (configured with the set policy maptable
  command):
  - If an entry mapping the received VLAN ID to a policy profile is found, then that policy
    profile, along with the VLAN specified by the policy profile, will be applied to the
    authenticating user.
  - If no matching mapping table entry is found, the VLAN specified by the tunnel attributes
    will be applied to the authenticating user.
  - If the VLAN-to-policy mapping table is invalid, then the
    etsysPolicyRFC3580MapInvalidMapping MIB is incremented and the VLAN specified by
    the tunnel attributes will be applied to the authenticating user.
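The decision rules above can be traced as a small model. The following is an added example, not code from the guide or from Enterasys; it models a RADIUS Accept reply as the presence or absence of a Filter-ID value and a tunnel VLAN, and the switch as a VLAN authorization state, a profile-to-VLAN table and the VLAN-to-policy maptable. The class names, the sample profiles and VLAN IDs, and the behaviour for a tunnel-only reply with VLAN authorization disabled (which this page does not describe) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class RadiusAccept:
    """Attributes parsed from a RADIUS Access-Accept (constructed, not real packets)."""
    filter_id: Optional[str] = None    # policy profile name carried in Filter-ID
    tunnel_vlan: Optional[int] = None  # VLAN ID carried in the tunnel attributes


@dataclass
class SwitchState:
    vlan_auth_global: bool                   # VLAN authorization enabled globally
    vlan_auth_port: bool                     # VLAN authorization enabled on the user's port
    profile_vlans: Dict[str, int] = field(default_factory=dict)  # profile -> VLAN it specifies
    maptable: Dict[int, str] = field(default_factory=dict)       # VLAN ID -> policy profile
    maptable_valid: bool = True
    invalid_mapping_count: int = 0           # models etsysPolicyRFC3580MapInvalidMapping


def sample_switch(vlan_auth: bool = True) -> SwitchState:
    """Constructed switch state: two profiles and one maptable entry (assumed values)."""
    return SwitchState(vlan_auth_global=vlan_auth, vlan_auth_port=True,
                       profile_vlans={"Employee": 10, "Guest": 20},
                       maptable={200: "Guest"})


def resolve_hybrid(reply: RadiusAccept, sw: SwitchState) -> Tuple[Optional[str], Optional[int]]:
    """Return (policy_profile, vlan) applied when maptable response is 'both'."""
    vlan_auth = sw.vlan_auth_global and sw.vlan_auth_port
    has_filter, has_tunnel = reply.filter_id is not None, reply.tunnel_vlan is not None
    if has_filter and has_tunnel:
        # Filter-ID selects the policy; the tunnel VLAN applies only with VLAN authorization on
        policy = reply.filter_id
        vlan = reply.tunnel_vlan if vlan_auth else sw.profile_vlans.get(policy)
        return policy, vlan
    if has_filter:
        # Filter-ID alone: the policy profile and the VLAN that profile specifies
        return reply.filter_id, sw.profile_vlans.get(reply.filter_id)
    if has_tunnel and vlan_auth:
        if not sw.maptable_valid:
            sw.invalid_mapping_count += 1    # MIB counter incremented, tunnel VLAN applied
            return None, reply.tunnel_vlan
        policy = sw.maptable.get(reply.tunnel_vlan)
        if policy is not None:
            return policy, sw.profile_vlans.get(policy)  # mapped profile and its own VLAN
        return None, reply.tunnel_vlan       # no maptable entry: tunnel VLAN applied
    # Assumption (not covered by this page): tunnel attributes with VLAN authorization
    # disabled, or a reply with neither attribute, result in no dynamic assignment.
    return None, None
```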
User Authentication Overview
Fixed Switch Configuration Guide 10-11
