Zdenek Pala <zpala <at> enterasys.com> writes:
> > You can configure more policy profiles.
> >
> > Based on mac authentication the radius server will send accept with the filter-id attribute containing the policy profile name. Then the switch will apply correct policy profile (including the vlan assignment) on the traffic ingressing the port with authenticated source mac.

Hi,

Ok, so if I understood correctly (also writing this in case I will need to look it up in the future, hehe):

When the NAC is used, the policy profile will not contain a rule with a specific MAC address or prefix but only a simple VLAN mapping. So, I create a policy for each VLAN that I potentially want to apply to a port. Depending on the NAC's feedback upon authentication (using the MAC address) the switch will apply the corresponding policy (in this case VLAN) to the *port*.

That sounds good too.

Now I see a problem with the failsafes. Say you have PCs and printers on dedicated VLANs. You have a list of MAC addresses of printers and PCs and you assign them using the NAC. When a PC is put into a printer port and the NAC is not reachable, there can be no real VLAN assignment in a failsafe policy. Well you may probably define it, but it wouldn't make any sense since you would have to know in advance whether it's a PC or printer... chicken & egg.

You could probably set a failsafe policy by site, e.g. putting the ports in the site's PC VLAN in case the NAC fails. But then the printers would be offline. Hmmm...

Bye,
Marki
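As an added illustration (not code from the thread or from Enterasys), a small Python model of the switch-side decision described above: it checks a RADIUS Access-Accept, reads the policy profile name from the Filter-Id attribute, applies it only if the switch knows that profile, and falls back to the failsafe policy when the NAC never answers. The shared secret, Request Authenticator, policy names and packets are all constructed for the example.

```python
import hashlib
import struct

# RADIUS constants from RFC 2865: reply codes and the Filter-Id attribute type
ACCESS_ACCEPT, ACCESS_REJECT, FILTER_ID = 2, 3, 11
SECRET = b"constructed-shared-secret"  # constructed value, not a real secret

def build_reply(code, ident, request_auth, attrs, secret=SECRET):
    """Build a RADIUS reply (constructed) with a valid Response Authenticator."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_reply(packet, ident, request_auth, secret=SECRET):
    """Verify the Response Authenticator, then return (code, {attr_type: [values]})."""
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20 or pid != ident:
        raise ValueError("bad length or identifier")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("Response Authenticator mismatch")  # wrong secret or tampered
    attrs, pos = {}, 20
    while pos < length:  # walk the type/length/value attribute list
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def port_policy(reply, ident, request_auth, known_policies, failsafe):
    """Policy profile the switch applies to the port after MAC authentication.
    reply is None when the RADIUS server (the NAC) did not answer at all."""
    if reply is None:
        return failsafe  # server unreachable: failsafe policy, whatever the device is
    code, attrs = parse_reply(reply, ident, request_auth)
    if code != ACCESS_ACCEPT or FILTER_ID not in attrs:
        return None  # reject, or accept without Filter-Id: no policy is applied
    name = attrs[FILTER_ID][0].decode("ascii", "replace")
    return name if name in known_policies else None  # unknown profile names are ignored

REQ_AUTH = bytes(range(16))  # constructed Request Authenticator from the Access-Request
POLICIES = {"pc-vlan", "printer-vlan", "guest-vlan"}  # constructed profile names

if __name__ == "__main__":
    accept = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, [(FILTER_ID, b"printer-vlan")])
    print(port_policy(accept, 7, REQ_AUTH, POLICIES, "guest-vlan"))  # printer-vlan
    print(port_policy(None, 7, REQ_AUTH, POLICIES, "guest-vlan"))    # guest-vlan
```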
