User's Manual
C
HAPTER
 4
 | Configuring the Switch
Configuring Security
– 81 –
In MAC-based Authentication mode, the switch will ignore new frames 
coming from the client during the hold time.
◆ RADIUS-Assigned QoS Enabled - RADIUS-assigned QoS provides a 
means to centrally control the traffic class to which traffic coming from 
a successfully authenticated supplicant is assigned on the switch. The 
RADIUS server must be configured to transmit special RADIUS 
attributes to take advantage of this feature.
The RADIUS-Assigned QoS Enabled checkbox provides a quick way to 
globally enable/disable RADIUS-server assigned QoS Class 
functionality. When checked, the individual port settings determine 
whether RADIUS-assigned QoS Class is enabled for that port. When 
unchecked, RADIUS-server assigned QoS Class is disabled for all ports.
When RADIUS-Assigned QoS is both globally enabled and enabled for a 
given port, the switch reacts to QoS Class information carried in the 
RADIUS Access-Accept packet transmitted by the RADIUS server when 
a supplicant is successfully authenticated. If present and valid, traffic 
received on the supplicant’s port will be classified to the given QoS 
Class. If (re-)authentication fails or the RADIUS Access-Accept packet 
no longer carries a QoS Class or it's invalid, or the supplicant is 
otherwise no longer present on the port, the port's QoS Class is 
immediately reverted to the original QoS Class (which may be changed 
by the administrator in the meanwhile without affecting the RADIUS-
assigned setting).
This option is only available for single-client modes, i.e. port-based 
802.1X and Single 802.1X.
RADIUS Attributes Used in Identifying a QoS Class
The User-Priority-Table attribute defined in RFC4675 forms the basis for 
identifying the QoS Class in an Access-Accept packet.
Only the first occurrence of the attribute in the packet will be 
considered. To be valid, all 8 octets in the attribute's value must be 
identical and consist of ASCII characters in the range '0' - '3', which 
translates into the desired QoS Class in the range 0-3. 
QoS assignments to be applied to a switch port for an authenticated 
user may be configured on the RADIUS server as described below:
■
The “Filter-ID” attribute (attribute 11) can be configured on the 
RADIUS server to pass the following QoS information:
■
Multiple profiles can be specified in the Filter-ID attribute by using a 
semicolon to separate each profile. 
Table 7: Dynamic QoS Profiles 
Profile Attribute Syntax Example
DiffServ service-policy-in=policy-map-name service-policy-in=p1
Rate Limit rate-limit-input=rate rate-limit-input=100 
(in units of Kbps)
802.1p switchport-priority-default=value switchport-priority-default=2










