User manual

CHAPTER 4 | Configuring the Switch
Configuring Security
whether RADIUS-assigned QoS Class is enabled for that port. When
unchecked, RADIUS-server assigned QoS Class is disabled for all ports.
When RADIUS-Assigned QoS is both globally enabled and enabled for a
given port, the switch reacts to QoS Class information carried in the
RADIUS Access-Accept packet transmitted by the RADIUS server when
a supplicant is successfully authenticated. If present and valid, traffic
received on the supplicant’s port will be classified to the given QoS
Class. If (re-)authentication fails, or the RADIUS Access-Accept packet
no longer carries a QoS Class or carries an invalid one, or the
supplicant is otherwise no longer present on the port, the port's QoS
Class is immediately reverted to the original QoS Class (which the
administrator may have changed in the meantime without affecting the
RADIUS-assigned setting).
This option is only available for single-client modes, i.e. port-based
802.1X and Single 802.1X.
RADIUS Attributes Used in Identifying a QoS Class
The User-Priority-Table attribute defined in RFC 4675 forms the basis for
identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be
considered. To be valid, all 8 octets in the attribute's value must be
identical and consist of ASCII characters in the range '0' - '3', which
translates into the desired QoS Class in the range 0-3.
QoS assignments to be applied to a switch port for an authenticated
user may be configured on the RADIUS server as described below:
The “Filter-ID” attribute (attribute 11) can be configured on the
RADIUS server to pass the following QoS information:
Multiple profiles can be specified in the Filter-ID attribute by using a
semicolon to separate each profile.
For example, the attribute
“service-policy-in=pp1;rate-limit-input=100” specifies that the
diffserv profile name is “pp1,” and the ingress rate limit profile
value is 100 kbps.
If duplicate profiles are passed in the Filter-ID attribute, then only
the first profile is used.
For example, if the attribute is
“service-policy-in=p1;service-policy-in=p2”, then the switch applies
only the DiffServ profile “p1”.
Any unsupported profiles in the Filter-ID attribute are ignored.
Table 7: Dynamic QoS Profiles
Profile     Attribute Syntax                    Example
DiffServ    service-policy-in=policy-map-name   service-policy-in=p1
Rate Limit  rate-limit-input=rate               rate-limit-input=100 (in units of Kbps)
802.1p      switchport-priority-default=value   switchport-priority-default=2
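
Because duplicate and unsupported Filter-ID profiles are dropped without being applied, and an invalid User-Priority-Table value leaves the port on its original QoS Class, it is worth checking planned RADIUS server values against the rules above before deployment. The following Python code is an added example, not part of the switch firmware or any vendor tooling; the function names are hypothetical, and treating an entry without “=” as unsupported is an assumption.

```python
# Added example: models the attribute rules described in this section.
# Function names are hypothetical; this is not the switch's own code.

# Profile keys listed in Table 7 (Dynamic QoS Profiles).
SUPPORTED_PROFILES = (
    "service-policy-in",            # DiffServ
    "rate-limit-input",             # Rate Limit, in Kbps
    "switchport-priority-default",  # 802.1p
)


def parse_filter_id(value):
    """Split a Filter-ID string into (applied, ignored).

    applied: dict of profile key -> value; the first occurrence wins.
    ignored: list of (entry, reason) that would not be applied.
    """
    applied, ignored = {}, []
    for entry in value.split(";"):
        if not entry:
            continue  # empty segment, e.g. a trailing semicolon
        key, sep, val = entry.partition("=")
        # Assumption: an entry without "=" is treated as unsupported.
        if not sep or key not in SUPPORTED_PROFILES:
            ignored.append((entry, "unsupported"))
        elif key in applied:
            ignored.append((entry, "duplicate"))
        else:
            applied[key] = val
    return applied, ignored


def qos_class_from_user_priority_table(octets):
    """Return QoS Class 0-3, or None if the attribute value is invalid."""
    # All 8 octets must be identical ...
    if len(octets) != 8 or len(set(octets)) != 1:
        return None
    # ... and be an ASCII character in the range '0' - '3'.
    if octets[0] not in b"0123":
        return None
    return octets[0] - ord("0")


if __name__ == "__main__":
    # Constructed sample values, taken from the examples in this section.
    print(parse_filter_id("service-policy-in=p1;service-policy-in=p2"))
    print(qos_class_from_user_priority_table(b"22222222"))
```

Any entry reported in the ignored list is a policy the administrator intended but the port would not receive, so it should be corrected on the RADIUS server.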