Hi community,
When authenticating users on AOS-switches there are two approaches:
- Default: the RADIUS server such as ClearPass has settings such as VLAN assignments and ACLs configured on it as RADIUS standard attributes or vendor-specific VSAs. When a user successfully authenticates, ClearPass sends these attributes in the Access-Accept message to the switch, and the switch then applies them.
- Role-based authorization: the RADIUS server can simply send the switch the name of the user’s role in the Access-Accept message. The role name matches a role configured on the switch, and this role defines settings such as VLAN assignment, ACL, rate limit, and QoS priority, which the switch then applies to the user session.
If I am not going to use per-user tunneled-node, which requires the switch to use role-based authorization, which approach shall I use? Which one is better? What are the upsides and downsides of each one?
Regards,
Julián
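
The two approaches described in the post, as an added example that is not part of the original post: a simplified Python model of how a switch could turn Access-Accept attributes into session settings. The role table, role name, sample packets and the VSA number 25 for the role name are assumptions; returning `None` for a role that is not defined locally and letting a role take precedence are modelling choices, not documented switch behaviour.

```python
import struct

HPE_VENDOR_ID = 11        # IANA enterprise number registered to Hewlett-Packard
HPE_USER_ROLE = 25        # assumed VSA type for the role name; confirm in your dictionary
TUNNEL_PVT_GROUP_ID = 81  # RFC 2868 Tunnel-Private-Group-Id (carries the VLAN)
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific

# Constructed switch-local role table (hypothetical role name and settings).
LOCAL_ROLES = {"employee": {"vlan": 20, "acl": "permit-corp"}}

def attr(atype, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def vsa(vendor, vtype, value):
    """Encode a Vendor-Specific attribute wrapping one vendor sub-attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, len(value) + 2) + value)

def parse(attrs):
    """Yield (type, value) pairs; reject lengths that overrun the buffer."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        yield attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]

def authorize(attrs):
    """Return the session settings to apply, or None if the named role is unknown."""
    session = {}
    for atype, value in parse(attrs):
        if atype == TUNNEL_PVT_GROUP_ID:
            if value and value[0] <= 0x1F:        # optional RFC 2868 tag byte
                value = value[1:]
            session["vlan"] = int(value.decode())  # assumes a numeric VLAN ID
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == HPE_VENDOR_ID and vtype == HPE_USER_ROLE:
                role = value[6:4 + vlen].decode()
                if role not in LOCAL_ROLES:        # policy lives on the switch
                    return None
                return {"role": role, **LOCAL_ROLES[role]}
    return session

# Constructed Access-Accept attribute blocks, one per approach.
DEFAULT_ACCEPT = (attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06")
                  + attr(TUNNEL_PVT_GROUP_ID, b"30"))  # Tunnel-Type=VLAN, Medium=802
ROLE_ACCEPT = vsa(HPE_VENDOR_ID, HPE_USER_ROLE, b"employee")
```

In the first case every setting travels in the RADIUS reply; in the second only the role name does, so the result depends on each switch holding a matching role definition.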