Operational Description - Enterasys SECURESTACK C3 Configuration Manual

When the maptable response is set to policy mode, the system will use the Filter‐ID attributes in
the RADIUS reply to apply a policy to the authenticating user and will ignore any tunnel
attributes in the RADIUS reply. On this platform, when policy mode is configured, no VLAN‐to‐
policy mapping will occur.
When the maptable response is set to both, or hybrid authentication mode, both Filter‐ID
attributes (dynamic policy assignment) and tunnel attributes (dynamic VLAN assignment) sent in
RADIUS server Access‐Accept replies are used to determine how the switch should handle
authenticating users. On this platform, when hybrid authentication mode is configured, VLAN‐to‐
policy mapping can occur, as described below in "When Policy Maptable Response is "Both"" on
page 26‐53.
Using hybrid authentication mode eliminates the dependency on having to assign VLANs
through policy roles — VLANs can be assigned by means of the tunnel attributes while policy
roles can be assigned by means of the Filter‐ID attributes. Alternatively, VLAN‐to‐policy mapping
can be used to map policies to users using the VLAN specified by the tunnel attributes, without
having to configure Filter‐ID attributes on the RADIUS server. This separation gives
administrators more flexibility in segmenting their networks beyond the platform's hardware
policy role limits.
Refer to "RADIUS Filter‐ID Attribute and Dynamic Policy Profile Assignment" on page 26‐3 for
more information about Filter‐ID attributes and "Configuring VLAN Authorization (RFC 3580)"
on page 26‐49 for more information about tunnel attributes.

Operational Description

When Policy Maptable Response is "Both"
Hybrid authentication mode uses both Filter‐ID attributes and tunnel attributes. To enable hybrid
authentication mode, use the set policy maptable command and set the response parameter to
both. When configured to use both sets of attributes:
• If both the Filter‐ID and tunnel attributes are present in the RADIUS reply, then the policy
profile specified by the Filter‐ID is applied to the authenticating user, and if VLAN
authorization is enabled globally and on the authenticating user's port, the VLAN specified by
the tunnel attributes is applied to the authenticating user.
If VLAN authorization is not enabled, the VLAN specified by the policy profile is applied. See
"Configuring VLAN Authorization (RFC 3580)" on page 26‐49 for information about enabling
VLAN authorization globally and on specific ports.
• If the Filter‐ID attributes are present but the tunnel attributes are not present, the policy
profile specified by the Filter‐ID is applied, along with the VLAN specified by the policy
profile.
• If the tunnel attributes are present but the Filter‐ID attributes are not present or are invalid,
and if VLAN authorization is enabled globally and on the authenticating user's port, then the
switch will check the VLAN‐to‐policy mapping table (configured with the set policy
maptable command):
– If an entry mapping the received VLAN ID to a valid policy profile is found, then that
policy profile, along with the VLAN specified by the policy profile, will be applied to the
authenticating user.
– If no matching mapping table entry is found, the VLAN specified by the tunnel attributes
will be applied to the authenticating user.
– If the VLAN‐to‐policy mapping table is invalid, then the
etsysPolicyRFC3580MapInvalidMapping MIB is incremented and the VLAN specified by
the tunnel attributes will be applied to the authenticating user.
Configuring Policy Maptable Response
SecureStack C3 Configuration Guide 26-53