About the support for attributes of switch models

Article:HOWTO81754  |  Created: 2012-10-25  |  Updated: 2014-09-21  |  Article URL http://www.symantec.com/docs/HOWTO81754
Article Type: How To


When you configure the LAN Enforcer appliance, you specify the model of the 802.1x-aware switch. Different 802.1x-aware switches look for different attributes to determine which client can access the VLAN. Some switches identify VLANs by VLAN ID and others by VLAN Name. Some devices have limited or no VLAN support.

The LAN Enforcer appliance forwards attributes from the RADIUS server to the switch. If necessary, however, it modifies or appends the VLAN attribute based on the switch type by using supported values. If a conflict exists between the vendor-specific attribute information that the RADIUS server sends and the vendor-specific VLAN attribute information that the LAN Enforcer uses, the LAN Enforcer removes the vendor-specific information that the RADIUS server sends.

The LAN Enforcer then replaces that information with the information that appears in Table: Support for attributes of switch models.

If you want to keep the attributes from the RADIUS server, you can select an action called Open Port. With this action, the LAN Enforcer forwards all attributes from the RADIUS server to the 802.1x-aware switch without any modifications.

The 802.1x-aware switch model can use VLAN ID or VLAN Name to perform dynamic VLAN assignments. Specify both the VLAN ID and VLAN name when you provide VLAN information for the LAN Enforcer, with the exception of the Aruba switch.

See Changing LAN Enforcer configuration settings in Symantec Endpoint Protection Manager.

Table: Support for attributes of switch models describes the 802.1x-aware switch models and attributes.

Table: Support for attributes of switch models

Switch model: Airespace Wireless Controller
Attributes added by LAN Enforcer:
    The vendor code is 14179.
    The vendor-assigned attribute number is 5.
    The attribute format is "string."
Comments:
    VLAN Name is used. Name is case sensitive.

Switch model: Alcatel
Attributes added by LAN Enforcer:
    Vendor Specific (#26)
Comments:
    The vendor ID of Alcatel is 800. All "Vendor Specific" attributes from RADIUS with an ID of 800 are removed in case of conflict.
    VLAN ID is used.

Switch model: Aruba
Attributes added by LAN Enforcer:
    Vendor Specific (#14823)
Comments:
    Vendor ID is 14823 for Aruba. The Aruba-User-Role attribute permits you to set up either VLAN IDs or VLAN names.
    Both VLAN name and VLAN ID can be used. Alternately, you can use only a VLAN name or only a VLAN ID.
    A valid VLAN ID ranges from 1 to 4094.
    A VLAN name cannot exceed 64 bytes.

Switch model: Cisco Aironet Series
Attributes added by LAN Enforcer:
    Depends on whether you use SSID access control.
    RADIUS user attributes used for VLAN-ID assignment:
        IETF 64 (Tunnel Type): Set this attribute to "VLAN"
        IETF 65 (Tunnel Medium Type): Set this attribute to "802"
        IETF 81 (Tunnel Private Group ID): Set this attribute to VLAN-ID
    RADIUS user attribute used for SSID access control:
        Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair
Comments:
    VLAN ID is used.

Switch model: Cisco Catalyst Series
Attributes added by LAN Enforcer:
    Tunnel Type (#64)
    Tunnel Medium Type (#65)
    Tunnel Private Group ID (#81)
Comments:
    Tunnel Type is set to 13 (VLAN)
    Tunnel Medium Type is set to 6 (802 media)
    Tunnel Private Group ID is set to VLAN name.
    All attributes with these three types from RADIUS server are removed in case of conflict. Also, any attributes with type "Vendor Specific" and vendor ID 9 (Cisco) are removed.
    VLAN Name is used. Name is case sensitive.

Switch model: Foundry, HP, Nortel, 3com, Huawei
Attributes added by LAN Enforcer:
    Tunnel Type (#64)
    Tunnel Medium Type (#65)
    Tunnel Private Group ID (#81)
Comments:
    Tunnel Type is set to 13 (VLAN)
    Tunnel Medium Type is set to 6 (802 media)
    Tunnel Private Group ID is set to VLAN ID.
    All attributes with these three types from RADIUS server are removed in case of conflict.
    VLAN ID is used.

Switch model: Enterasys
Attributes added by LAN Enforcer:
    Filter ID (#11)
Comments:
    Filter ID is set to Enterasys:version=1:mgmt=su:policy=NAME
    All "Filter ID" attributes from RADIUS Server are removed in case of conflict.
    VLAN Name is used and represents "Role name" in the Enterasys switch. The name is case sensitive.

Switch model: Extreme
Attributes added by LAN Enforcer:
    Vendor Specific (#26)
Comments:
    Vendor ID is 1916 for Extreme. VLAN Name is added after the Vendor ID. All vendor-specific attributes from RADIUS server with an ID of 1916 are removed in case of conflict.
    VLAN Name is used. The name is case sensitive.
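
The rewrite behavior described above for the tunnel-attribute and Filter ID switch models, as an added Python illustration (not Symantec code). It assumes every server-supplied attribute of a listed type counts as a conflict; the function name rewrite, the model keys, and the sample attributes are constructed for the example.

```python
# Simplified model of the attribute rewrite described in the table.
# Illustration only; rewrite(), the model keys and SAMPLE are constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
FILTER_ID, VENDOR_SPECIFIC = 11, 26

# Which VLAN field each model receives, and which Vendor Specific
# vendor IDs are stripped together with the three tunnel attributes.
TUNNEL_MODELS = {
    "cisco_catalyst": {"vlan_field": "name", "strip_vendors": {9}},
    "foundry": {"vlan_field": "id", "strip_vendors": set()},  # also HP, Nortel, 3com, Huawei
}

def rewrite(model, server_attrs, vlan_id, vlan_name, open_port=False):
    """Return the attributes the switch receives.

    server_attrs is a list of (type, value); a Vendor Specific value is
    (vendor_id, data). Assumption: any server attribute of a listed type
    is treated as a conflict and removed.
    """
    if open_port:  # Open Port: forward RADIUS attributes unmodified
        return list(server_attrs)
    if model == "enterasys":
        kept = [a for a in server_attrs if a[0] != FILTER_ID]
        role = f"Enterasys:version=1:mgmt=su:policy={vlan_name}"
        return kept + [(FILTER_ID, role)]
    rule = TUNNEL_MODELS[model]
    kept = []
    for atype, value in server_attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID):
            continue
        if atype == VENDOR_SPECIFIC and value[0] in rule["strip_vendors"]:
            continue
        kept.append((atype, value))
    vlan = vlan_name if rule["vlan_field"] == "name" else str(vlan_id)
    return kept + [(TUNNEL_TYPE, 13), (TUNNEL_MEDIUM, 6), (TUNNEL_PGID, vlan)]

# Constructed sample: a RADIUS reply that already assigns VLAN 10 and
# carries one Cisco (9) and one other-vendor (311) Vendor Specific attribute.
SAMPLE = [(1, "alice"), (64, 13), (65, 6), (81, "10"),
          (26, (9, "constructed-cisco-data")), (26, (311, "constructed-data"))]

if __name__ == "__main__":
    for m in ("cisco_catalyst", "foundry", "enterasys"):
        print(m, rewrite(m, SAMPLE, 20, "Quarantine"))
    print("open port", rewrite("foundry", SAMPLE, 20, "Quarantine", open_port=True))
```

Comparing the default output with the Open Port output shows which VLAN assignment the switch acts on: the Enforcer's value replaces the RADIUS server's unless Open Port is selected.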


Legacy ID: v7549248_v81664632

