Enterasys Networks N Standalone (NSA) Series Switch User Manual
Overview of Security Methods
RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment
Matrix NSA Series Configuration Guide 14-3
14.1.1 RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment
If you configure an authentication method that requires communication with a RADIUS server, you can use the RADIUS Filter-ID attribute to dynamically assign a policy profile and/or management level to authenticating users and/or devices.

The RADIUS Filter-ID attribute is simply a string that is formatted in the RADIUS Access-Accept packet sent back from the RADIUS server to the switch during the authentication process. Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute that specifies the name of the policy profile and/or management level the user should be assigned upon successful authentication. During the authentication process, when the RADIUS server returns a RADIUS Access-Accept message that includes a Filter-ID matching a policy profile name configured on the switch, the switch then dynamically applies the policy profile to the physical port the user/device is authenticating on.
Filter-ID Attribute Formats
Enterasys Networks supports two Filter-ID formats — “decorated” and “undecorated.” The decorated format has three forms:

To specify the policy profile to assign to the authenticating user (network access authentication):
Enterasys:version=1:policy=string
where string specifies the policy profile name. Policy profile names are case-sensitive.

To specify a management level (management access authentication):
Enterasys:version=1:mgmt=level
where level indicates the management level, either ro, rw, or su.

To specify both management level and policy profile:
Enterasys:version=1:mgmt=level:policy=string

The undecorated format is simply a string that specifies a policy profile name. The undecorated format cannot be used for management access authentication.

Decorated Filter-IDs are processed first. If no decorated Filter-IDs are found, then undecorated Filter-IDs are processed. If multiple Filter-IDs are found that contain conflicting values, a Syslog message is generated.
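The following Python script is an added illustration of the processing rules above (decorated first, undecorated only as a fallback, case-sensitive profile matching, a logged message on conflicting values); it is not Enterasys code and does not reproduce the switch's implementation. It makes two assumptions the manual does not state: that a policy profile name contains no ":" character, and that when conflicting values are found nothing is applied for that field (the manual only says a Syslog message is generated). Python logging stands in for the switch's Syslog output, and the sample Filter-ID values and profile names are constructed.

```python
import logging
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

log = logging.getLogger("filter-id")

# Decorated Filter-ID forms from the manual:
#   Enterasys:version=1:policy=<string>
#   Enterasys:version=1:mgmt=<ro|rw|su>
#   Enterasys:version=1:mgmt=<ro|rw|su>:policy=<string>
# Assumption: a policy profile name contains no ':' (the manual does not say).
DECORATED = re.compile(
    r"^Enterasys:version=1"
    r"(?::mgmt=(?P<mgmt>ro|rw|su))?"
    r"(?::policy=(?P<policy>[^:]+))?$"
)


@dataclass
class Assignment:
    policy: Optional[str] = None      # policy profile to apply to the port
    mgmt: Optional[str] = None        # management level: ro, rw or su
    conflicts: List[str] = field(default_factory=list)  # messages that would go to Syslog


def parse_decorated(value: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Return (mgmt, policy) for a decorated Filter-ID, or None if the value is undecorated."""
    m = DECORATED.match(value)
    if not m:
        return None
    return m.group("mgmt"), m.group("policy")


def _pick(values: List[str], what: str, out: Assignment) -> Optional[str]:
    """Reduce the values seen for one field to a single value, flagging conflicts."""
    distinct = sorted(set(values))
    if len(distinct) > 1:
        # Manual: conflicting values across Filter-IDs generate a Syslog message.
        # Assumption in this example: on conflict nothing is applied for that field.
        msg = f"conflicting {what} values in Filter-ID attributes: {distinct}"
        log.warning(msg)
        out.conflicts.append(msg)
        return None
    return distinct[0] if distinct else None


def resolve_filter_ids(filter_ids: Iterable[str], configured_profiles: Set[str]) -> Assignment:
    """Derive the dynamic assignment from all Filter-ID attributes of one Access-Accept."""
    out = Assignment()
    filter_ids = list(filter_ids)
    decorated = [p for p in (parse_decorated(v) for v in filter_ids) if p is not None]
    if decorated:
        # Decorated Filter-IDs are processed first; undecorated ones are then ignored.
        mgmt_values = [m for m, _ in decorated if m]
        policy_values = [p for _, p in decorated if p]
    else:
        # Undecorated fallback: each value is a bare profile name and cannot carry mgmt.
        mgmt_values = []
        policy_values = filter_ids
    out.mgmt = _pick(mgmt_values, "mgmt", out)
    policy = _pick(policy_values, "policy", out)
    # Profile names are case-sensitive and must match a profile configured on the switch;
    # an unknown name results in no dynamic assignment rather than a near match.
    if policy is not None:
        if policy in configured_profiles:
            out.policy = policy
        else:
            log.warning("Filter-ID policy %r matches no configured profile; not applied", policy)
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    profiles = {"Guest", "Staff"}  # constructed sample of profiles configured on the switch
    samples = [
        ["Enterasys:version=1:mgmt=ro:policy=Guest"],
        ["Guest"],
        ["guest"],  # wrong case: not applied
        ["Enterasys:version=1:policy=Staff", "Guest"],  # decorated wins over undecorated
        ["Enterasys:version=1:policy=Staff", "Enterasys:version=1:policy=Guest"],  # conflict
    ]
    for attrs in samples:
        print(attrs, "->", resolve_filter_ids(attrs, profiles))
```

Running the script prints the assignment derived for each constructed Access-Accept; the conflict case shows the warning that would be the switch's Syslog message, and the "guest" case shows that a case mismatch is not a match.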