RADIUS-Assigned QoS Enabled:
When RADIUS-Assigned QoS is both globally enabled and enabled (checked) on a given port, the switch reacts to QoS Class information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic received on the supplicant's port will be classified to the given QoS Class. If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a QoS Class or it's invalid, or the supplicant is otherwise no longer present on the port, the port's QoS Class immediately reverts to the original QoS Class (this may be changed by the administrator in the meanwhile without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X

RADIUS attributes used in identifying a QoS Class:
Refer to the written documentation for a description of the RADIUS attributes needed in order to successfully identify a QoS Class. The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must follow this rule:
• All 8 octets in the attribute's value must be identical and consist of ASCII characters in the range "0"-"3", which translates into the desired QoS Class in the range 0–3.

RADIUS-Assigned VLAN Enabled:
When RADIUS-Assigned VLAN is both globally enabled and enabled (checked) for a given port, the switch reacts to VLAN ID information carried in the RADIUS Access-Accept packet transmitted by the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's Port VLAN ID will be changed to this VLAN ID, the port will be set to be a member of that VLAN ID, and the port will be forced into VLAN unaware mode. Once assigned, all traffic arriving on the port will be classified and switched on the RADIUS-assigned VLAN ID.
If (re-)authentication fails or the RADIUS Access-Accept packet no longer carries a VLAN ID or it's invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID immediately reverts to the original VLAN ID (this may be changed by the administrator in the meantime without affecting the RADIUS-assigned).
This option is only available for single-client modes, i.e.
• Port-based 802.1X
• Single 802.1X
For troubleshooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership and VLAN Port" pages. These pages show which modules have (temporarily) overridden the current Port VLAN configuration.

RADIUS attributes used in identifying a VLAN ID:
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an Access-Accept packet. The following criteria are used:
• The Tunnel-Medium-Type, Tunnel-Type, and Tunnel-Private-Group-ID attributes must all be present at least once in the Access-Accept packet.
• The switch looks for the first set of these attributes that have the same Tag value and fulfill the following requirements (if Tag = 0 is used, the Tunnel-Private-Group-ID does not need to include a Tag):
  - Value of Tunnel-Medium-Type must be set to "IEEE-802" (ordinal 6).
  - Value of Tunnel-Type must be set to "VLAN" (ordinal 13).
  - Value of Tunnel-Private-Group-ID must be a string of ASCII chars in the range '0' - '9', which is interpreted as a decimal string representing the VLAN ID. Leading '0's are discarded. The final value must be in the range 1–4095.
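
The following added example (not taken from the switch documentation or firmware) checks the attribute section of an Access-Accept against the QoS Class and VLAN ID rules above, so a RADIUS policy can be verified before a port silently reverts to its original settings. The function names are hypothetical, the attribute type numbers come from RFC 4675 and RFC 2868, and treating "first set with the same Tag" as the first Tag seen in the packet is an assumption about the switch's behaviour.

```python
USER_PRIORITY_TABLE = 59  # RFC 4675
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868

def attr(typ, val):
    """Encode one attribute as Type, Length, Value (used for the constructed sample)."""
    return bytes([typ, len(val) + 2]) + val

def parse_attributes(data):
    """Split raw attribute bytes into (type, value) pairs; raise on bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def qos_class(attrs):
    """QoS Class 0-3 from the first User-Priority-Table only, else None."""
    first = next((v for t, v in attrs if t == USER_PRIORITY_TABLE), None)
    if first and len(first) == 8 and len(set(first)) == 1 and first[:1] in b"0123":
        return first[0] - ord("0")
    return None

def vlan_id(attrs):
    """VLAN ID 1-4095 from the first same-Tag attribute set that qualifies, else None."""
    sets = {}  # tag -> {attribute type: [values]}; dict keeps first-seen Tag order
    for typ, val in attrs:
        if typ in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            tag, body = val[0], int.from_bytes(val[1:], "big")
        elif typ == TUNNEL_PRIVATE_GROUP_ID and val:
            # A first octet above 0x1F belongs to the string, meaning Tag = 0 (RFC 2868)
            tag, body = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
        else:
            continue
        sets.setdefault(tag, {}).setdefault(typ, []).append(body)
    for group in sets.values():
        if 6 not in group.get(TUNNEL_MEDIUM_TYPE, []) or 13 not in group.get(TUNNEL_TYPE, []):
            continue  # this Tag lacks IEEE-802 (6) or VLAN (13)
        for s in group.get(TUNNEL_PRIVATE_GROUP_ID, []):
            if s and all(0x30 <= c <= 0x39 for c in s) and 1 <= int(s) <= 4095:
                return int(s)  # int() discards leading zeros
    return None

# Constructed sample: Tag 1 set selects VLAN 100, User-Priority-Table selects QoS Class 2
SAMPLE = (attr(65, b"\x01\x00\x00\x06") + attr(64, b"\x01\x00\x00\x0d")
          + attr(81, b"\x010100") + attr(59, b"22222222"))
print(qos_class(parse_attributes(SAMPLE)), vlan_id(parse_attributes(SAMPLE)))
```

A result of None from either function corresponds to the case where the switch keeps or reverts to the port's original QoS Class or VLAN ID.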
Publication date: Sept, 2015
Revision A1