You can place different clients on different VLANs to limit the broadcast domain by configuring the appropriate VLAN in each user profile. RFC 3580 defines the following Attribute Value Pairs (AVPs) to support dynamic VLAN assignment:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID
The VLAN ID must be pre-programmed on the ION device before the AVP is received, by creating the corresponding SVI. If the received dynamic VLAN is pre-configured, the switch port allows the traffic. If the received dynamic VLAN is not pre-configured, the ION device raises an alarm; until the issue is resolved, the port remains unauthorized and client traffic is blocked.
Re-authentication Timeout
The ION device re-authenticates or reinitializes the client after a session timeout, based on the value of the Termination-Action AVP. The value RADIUS-Request (1) indicates that re-authentication occurs when the Session-Timeout expires. The value Default (0) indicates that the session terminates.
Idle Timeout
On receiving the Idle-Timeout AVP from the RADIUS server, the ION device does one of the following:
If the timeout value in the received Idle-Timeout AVP is 0, the ION device adds the client as a static client, that is, the client never ages. If a re-authentication timer is configured, the client is forced to re-authenticate when the timer expires.
If the timeout value is non-zero, the ION device adds the client as a dynamic entry that ages according to the switch's global aging timer. The value carried in the Idle-Timeout AVP is discarded, because the switch cannot age individual clients at different rates.
If the Idle-Timeout AVP is not present, the ION device adds the client as a static client and the client never ages. If a re-authentication timer is configured, the client is forced to re-authenticate when the timer expires.
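As an added illustration (not ION device code), the following Python models the decisions described above for one RADIUS Access-Accept: the dynamic VLAN check against pre-programmed SVIs, the Termination-Action choice at Session-Timeout, and the static or dynamic client entry derived from Idle-Timeout. The attribute-name keys, the `configured_svi_vlans` set and the `reauth_timer_configured` flag are assumptions made for the example; the numeric attribute values are those of RFC 3580 and RFC 2865.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 3580 / RFC 2865 values; attribute names in the dict are assumed for this example.
TUNNEL_TYPE_VLAN = 13                  # Tunnel-Type=VLAN (13)
TUNNEL_MEDIUM_TYPE_802 = 6             # Tunnel-Medium-Type=IEEE-802 (6)
TERMINATION_ACTION_DEFAULT = 0         # session terminates when Session-Timeout expires
TERMINATION_ACTION_RADIUS_REQUEST = 1  # re-authenticate when Session-Timeout expires


@dataclass
class PortDecision:
    authorized: bool
    vlan: Optional[int]          # VLAN applied to the port, None if no dynamic VLAN was sent
    alarm: Optional[str]         # set when the port stays unauthorized
    client_entry: Optional[str]  # "static" (never ages) or "dynamic" (global aging timer)
    on_timeout: Optional[str]    # "reauthenticate" or "terminate" when a timer expires


def apply_access_accept(avps: dict, configured_svi_vlans: set,
                        reauth_timer_configured: bool = False) -> PortDecision:
    """Decide port state and client aging for one RADIUS Access-Accept (constructed model)."""
    group_id = avps.get("Tunnel-Private-Group-ID")
    vlan = None
    if group_id is not None:
        # Dynamic VLAN: the three AVPs must agree and the VLAN ID must be numeric.
        if (avps.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
                or avps.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_802
                or not str(group_id).isdigit()):
            return PortDecision(False, None, "inconsistent dynamic VLAN AVPs", None, None)
        vlan = int(group_id)
        # The VLAN must already exist as an SVI; otherwise raise an alarm and keep
        # the port unauthorized so that client traffic stays blocked.
        if vlan not in configured_svi_vlans:
            return PortDecision(False, vlan, f"VLAN {vlan} has no pre-configured SVI", None, None)

    # Idle-Timeout absent or 0 -> static client (never ages); non-zero -> dynamic
    # client aged by the global timer, the AVP value itself being discarded.
    idle = avps.get("Idle-Timeout")
    entry = "dynamic" if idle else "static"

    # Termination-Action selects what happens when Session-Timeout expires.
    on_timeout = None
    if avps.get("Session-Timeout") is not None:
        action = avps.get("Termination-Action", TERMINATION_ACTION_DEFAULT)
        on_timeout = ("reauthenticate" if action == TERMINATION_ACTION_RADIUS_REQUEST
                      else "terminate")
    elif entry == "static" and reauth_timer_configured:
        on_timeout = "reauthenticate"  # locally configured re-authentication timer
    return PortDecision(True, vlan, None, entry, on_timeout)
```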