The second policy role, for the user, can either be statically configured with the default policy role
on the port or dynamically assigned through authentication to the network (using a RADIUS
Filter‐ID). When the default policy role is assigned on a port, the VLAN set as the portʹs PVID is
mapped to the default policy role. When a policy role is dynamically applied to a user as the result
of a successfully authenticated session, the "authenticated VLAN" is mapped to the policy role set
in the Filter‐ID returned from the RADIUS server. The "authenticated VLAN" may either be the
PVID of the port, if the PVID Override for the policy profile is disabled, or the VLAN specified in
the PVID Override if the PVID Override is enabled.
Configuring VLAN Authorization (RFC 3580)
Purpose
RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X, MAC, or PWA
authenticated user to a VLAN regardless of the PVID. This is referred to as dynamic VLAN
assignment.
Please see section 3‐31 of RFC 3580 for details on configuring a RADIUS server to return the
desired tunnel attributes. As stated in RFC 3580, "... it may be desirable to allow a port to be placed
into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based on the result of the
authentication."
The RADIUS server typically indicates the desired VLAN by including tunnel attributes within its
Access‐Accept parameters. However, the IEEE 802.1X or MAC authenticator can also be
configured to instruct the VLAN to be assigned to the supplicant by including tunnel attributes
within Access‐Request parameters.
The following tunnel attributes are used in VLAN authorization assignment:
•
Tunnel‐Type ‐ VLAN (13)
•
Tunnel‐Medium‐Type ‐ 802
•
Tunnel‐Private‐Group‐ID ‐ VLANID
In order to authenticate RFC 3580 users, policy maptable response must be set to tunnel as
described in "Configuring Policy Maptable Response" on page 26‐52.
Commands
For information about...
set vlanauthorization
set vlanauthorization egress
clear vlanauthorization
show vlanauthorization
Note: A policy license, if applicable, is not required to deploy RFC 3580 dynamic VLAN
assignment.
Configuring VLAN Authorization (RFC 3580)
Refer to page...
26-50
26-50
26-51
26-51
SecureStack C3 Configuration Guide 26-49