Usage Guidelines; Radius Attributes Used In Identifying A Qos Class - AMX NXA-ENET8-2POE Operation/Reference Manual

Gigabit ethernet layer 2 poe switch

MAC-based authentication allows for authentication of more than one user on the same port, and does not
require the user to have special 802.1X software installed on his system. The switch uses the client's MAC
address to authenticate against the backend server. However, note that intruders can create counterfeit MAC
addresses, which makes MAC-based authentication less secure than 802.1X authentication.

Usage Guidelines

When 802.1X is enabled, you need to configure the parameters for the authentication process that runs
between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs
between the switch and authentication server. These parameters are described in this section.

RADIUS Attributes Used in Identifying a QoS Class

The User-Priority-Table attribute defined in RFC4675 forms the basis for identifying the QoS Class in an
Access-Accept packet.
Only the first occurrence of the attribute in the packet will be considered. To be valid, all 8 octets in the
attribute's value must be identical and consist of ASCII characters in the range '0' - '3', which translates into the
desired QoS Class in the range 0-3. QoS assignments to be applied to a switch port for an authenticated user
may be configured on the RADIUS server as described below:

• The Admin State for each switch port that requires client authentication must be set to 802.1X or
  MAC-based.
• When using 802.1X authentication:
  • Each client that needs to be authenticated must have dot1x client software installed and properly
    configured.
  • The RADIUS server and 802.1X client must support EAP. (The switch only supports EAPOL in order
    to pass the EAP packets from the server to the client.)
  • The RADIUS server and client also have to support the same EAP authentication type: MD5, PEAP,
    TLS, or TTLS. (Native support for these EAP types is provided in Windows 7, Windows Vista,
    Windows XP, and in Windows 2000 with Service Pack 4. To support them in Windows 95 and 98,
    you can use the AEGIS dot1x client or other comparable client software.)
The Filter-ID attribute (attribute 11) can be configured on the RADIUS server to pass the following
QoS information:

Profile      Attribute                            Syntax Example
DiffServ     service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit   rate-limit-input=rate                rate-limit-input=100 (in units of Kbps)
802.1p       switchport-priority-default=value    switchport-priority-default=2

Multiple profiles can be specified in the Filter-ID attribute by using a semicolon to separate each
profile. For example, the attribute service-policy-in=pp1;rate-limit-input=100 specifies that the DiffServ
profile name is pp1, and the ingress rate limit profile value is 100 kbps.
If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For
example, if the attribute is service-policy-in=p1;service-policy-in=p2, then the switch applies only the
DiffServ profile p1.
Any unsupported profiles in the Filter-ID attribute are ignored. For example, if the attribute is
map-ip-dscp=2:3;service-policy-in=p1, then the switch ignores the map-ip-dscp profile.
When authentication is successful, the dynamic QoS information may not be passed from the
RADIUS server due to one of the following conditions (the authentication result remains unchanged):
• The Filter-ID attribute cannot be found to carry the user profile.
• The Filter-ID attribute is empty.
• The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (the switch cannot
  recognize the whole Filter-ID attribute).
Dynamic QoS assignment fails and the authentication result changes from success to failure when
the following condition occurs:
• Illegal characters are found in a profile value (for example, a non-digit character in an 802.1p
  profile value).
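As an added example (not code from the AMX manual), the Filter-ID and User-Priority-Table rules above modelled in Python; it assumes value syntax the manual does not spell out (a name for policy maps, digits only for rate-limit and 802.1p values) and that a duplicate profile is skipped before its value is validated.

```python
import re
from dataclasses import dataclass, field

# Profiles the switch recognizes in Filter-ID (from the manual's table).
SUPPORTED = {"service-policy-in", "rate-limit-input", "switchport-priority-default"}
# Assumed value syntax: a policy-map name, or digits only for rate limit and 802.1p priority.
VALUE_RE = {
    "service-policy-in": re.compile(r"^[A-Za-z0-9_-]+$"),
    "rate-limit-input": re.compile(r"^[0-9]+$"),
    "switchport-priority-default": re.compile(r"^[0-9]+$"),
}

@dataclass
class QosResult:
    auth_ok: bool                  # False only when an illegal value flips success to failure
    profiles: dict = field(default_factory=dict)  # profiles the switch would apply
    reason: str = ""

def parse_filter_id(filter_id):
    """Apply the manual's Filter-ID rules; filter_id is None when the attribute is absent."""
    if filter_id is None:
        return QosResult(True, {}, "Filter-ID attribute not found")
    if filter_id == "":
        return QosResult(True, {}, "Filter-ID attribute is empty")
    applied, recognized = {}, False
    for item in filter_id.split(";"):
        name, sep, value = item.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or name not in SUPPORTED:
            continue                       # unsupported profiles are ignored
        recognized = True
        if name in applied:
            continue                       # duplicate profile: only the first is used
        if not VALUE_RE[name].match(value):
            return QosResult(False, {}, f"illegal characters in {name} value")
        applied[name] = value
    if not recognized:
        return QosResult(True, {}, "Filter-ID format unrecognizable")
    return QosResult(True, applied, "dynamic QoS applied")

def qos_class_from_user_priority_table(value: bytes):
    """RFC 4675 User-Priority-Table: 8 identical ASCII octets '0'-'3' map to QoS class 0-3.
    Returns None when the value is invalid, so no QoS class is assigned."""
    if len(value) != 8 or len(set(value)) != 1 or value[:1] not in b"0123":
        return None
    return int(value[:1].decode("ascii"))
```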