Nokia IP60 User Manual page 248

Using Port-Based Security
If desired, you can specify how users should be handled after successful or failed authentication. You can
assign authenticated users to specific network segments, by configuring dynamic VLAN assignment on the
RADIUS server. Upon successful authentication, the RADIUS server sends RADIUS option 81 [Tunnel-
Private-Group-ID] to the IP60 appliance, indicating to which network segment the user should be assigned.
For example, if a member of the Accounting team connects to a network port and attempts to log on, the
IP60 appliance relays the information to the RADIUS server, which replies with RADIUS option 81 and
the value ―Accounting‖. The appliance then assigns the user's port to the Accounting network, granting the
user access to all the resources of the Accounting team.
The IP60 appliance also enables you to automatically assign users to a ―Quarantine‖ network when
authentication fails. All Quarantine network security and network rules will apply to those users. For
example, you can create security rules allowing users on the Quarantine network to access the Internet and
blocking them from accessing sensitive company resources. You can also configure Traffic Shaper to grant
members of the Quarantine network a lower amount of bandwidth than authorized users.
248 Nokia IP60 Security Appliance User Guide