Black Box LPB2910A User Manual page 82

RADIUS-­‐Assigned Q oS E nabled :

When RADIUS-­‐Assigned QoS is both globally enabled and enabled (checked) on a given port, the
switch reacts to QoS Class information carried in the RADIUS Access-­‐Accept packet transmitted by
the RADIUS server when a supplicant is successfully authenticated. If present and valid, traffic
received o n t he s upplicant's p ort w ill b e c lassified t o t he g iven Q oS C lass. I f ( re-­‐)authentication f ails
or t he R ADIUS A ccess-­‐Accept p acket n o l onger c arries a Q oS C lass o r i t's i nvalid, o r t he s upplicant i s
otherwise no longer present on the port, the port's QoS Class immediately reverts to the original
QoS Class (this may be changed by the administrator in the meanwhile without affecting the
RADIUS-­‐assigned).
This o ption i s o nly a vailable f or s ingle-­‐client m odes, i .e.
• P ort-­‐based 8 02.1X
• S ingle 8 02.1X
RADIUS a ttributes u sed i n i dentifying a Q oS C lass:
Refer to the written documentation for a description of the RADIUS attributes needed in order to
successfully identify a QoS Class. The User-­‐Priority-­‐Table attribute defined in RFC4675 forms the
basis f or i dentifying t he Q oS C lass i n a n A ccess-­‐Accept p acket.
Only the first occurrence of the attribute in the packet will be considered, and to be valid, it must
follow t his r ule:
• A ll 8 o ctets i n t he a ttribute's v alue m ust b e i dentical a nd c onsist o f A SCII c haracters i n t he r ange
"0"-­‐ " 3", w hich t ranslates i nto t he d esired Q oS C lass i n t he r ange 0 –3.
RADIUS-­‐Assigned V LAN E nabled:

When RADIUS-­‐Assigned VLAN is both globally enabled and enabled (checked) for a given port, the
switch reacts to VLAN ID information carried in the RADIUS Access-­‐Accept packet transmitted by
the RADIUS server when a supplicant is successfully authenticated. If present and valid, the port's
Port V LAN I D w ill b e c hanged t o t his V LAN I D, t he p ort w ill b e s et t o b e a m ember o f t hat V LAN I D,
and t he p ort w ill b e f orced i nto V LAN u naware m ode. O nce a ssigned, a ll t raffic a rriving o n t he p ort
will b e c lassified a nd s witched o n t he R ADIUS-­‐assigned V LAN I D.
If (re-­‐)authentication fails or the RADIUS Access-­‐Accept packet no longer carries a VLAN ID or it's
invalid, or the supplicant is otherwise no longer present on the port, the port's VLAN ID
immediately reverts to the original VLAN ID (this may be changed by the administrator in the
meantime w ithout a ffecting t he R ADIUS-­‐assigned).
This o ption i s o nly a vailable f or s ingle-­‐client m odes, i .e.
• P ort-­‐based 8 02.1X
• S ingle 8 02.1X
For troubleshooting VLAN assignments, use the "Monitor→VLANs→VLAN Membership and VLAN
Port" pages. These pages show which modules have (temporarily) overridden the current Port
VLAN c onfiguration.
RADIUS a ttributes u sed i n i dentifying a V LAN I D:
RFC2868 and RFC3580 form the basis for the attributes used in identifying a VLAN ID in an
Access-­‐Accept p acket. T he f ollowing c riteria a re u sed:
• The Tunnel-­‐Medium-­‐Type, Tunnel-­‐Type, and Tunnel-­‐Private-­‐Group-­‐ID attributes must all be
present a t l east o nce i n t he A ccess-­‐Accept p acket.
• The switch looks for the first set of these attributes that have the same Tag value and fulfill the
following r equirements ( if T ag = 0 i s u sed, t he T unnel-­‐Private-­‐Group-­‐ID d oes n ot n eed t o i nclude a
Tag):
-­‐ V alue o f T unnel-­‐Medium-­‐Type m ust b e s et t o " IEEE-­‐802" ( ordinal 6 ).
-­‐ V alue o f T unnel-­‐Type m ust b e s et t o " VLAN" ( ordinal 1 3).
-­‐ Value of Tunnel-­‐Private-­‐Group-­‐ID must be a string of ASCII chars in the range '0' -­‐ '9', which is
interpreted a s a d ecimal s tring r epresenting t he V LAN I D. L eading ' 0's a re d iscarded. T he f inal v alue
must b e i n t he r ange 1 –4095.
70
Publication date: Sept, 2015
Revision A1