Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
Implementing the feature requires:
■ RADIUS authentication using the 802.1X, Web authentication, or MAC authentication available on the switch to provide client authentication services
■ configuring one or more ACLs on a RADIUS server (instead of the switch), and assigning each ACL to the username/password pair or MAC address of the client(s) you want the ACLs to support
Using RADIUS to dynamically apply ACLs to clients on edge ports enables the
switch to filter IP traffic coming from outside the network, thus removing
unwanted IP traffic as soon as possible and helping to improve system
performance. Also, applying RADIUS-assigned ACLs to the network edge is
likely to be less complex than configuring static port and VLAN-based ACLs
in the network core to filter unwanted IP traffic that could have been filtered
at the edge.
Note
A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose authentication triggered the ACL assignment to the port.
A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already being filtered by other, static ACLs that are already assigned.
Table 7-6 lists the supported per-port ACL assignment capacity.

Table 7-6. Simultaneous ACL Activity Supported Per-Port¹

| ACL Type | Function | IPv4 | IPv6 |
|---|---|---|---|
| VACL | Static ACL assignment to filter inbound IP traffic on a specific VLAN. | 1 | 1 |
| Port ACL | Static ACL assignment to filter inbound IP traffic on a specific port. | 1 | 1 |
| RADIUS-assigned ACL | Dynamic ACL assignment to filter inbound IP traffic from a specific client on a given port. | 1-32² | 1-32² |
| RACL (IPv4 only) | Static ACL assignment to filter routed IPv4 traffic entering or leaving the switch on a specific VLAN. | 1 in, 1 out | n/a |
| Connection-Rate ACL | Static ACL assignment for virus-throttling on a specific port. (Refer to chapter 3, “Virus Throttling (Connection-Rate Filtering)” in this manual.) | 1 | n/a |

¹ Subject to resource availability on the switch. For more information, refer to the appendix titled “Monitoring Resources” in the latest Management and Configuration Guide for your switch.
² One per authenticated client, up to a maximum of 32 clients per-port for 802.1X, Web-Authentication, and MAC-Authentication methods combined.
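The following is an added illustration, not HP switch code or any part of this guide: a small Python model of the two behaviours described above, the Note (a RADIUS-assigned ACL filters only the traffic of the client whose authentication bound it to the port, and it disappears with that client's session) and footnote 2 of Table 7-6 (one dynamic ACL per authenticated client, at most 32 clients per port). The rule grammar `<permit|deny> <ip|tcp|udp> <dst-ipv4|any> [dst-port]`, the packet dictionaries and the MAC addresses are constructed for the example and are not the switch's real ACL syntax; the implicit deny at the end of a client's ACL is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# From Table 7-6, footnote 2: one RADIUS-assigned ACL per authenticated client,
# at most 32 clients per port across 802.1X, Web-Auth and MAC-Auth combined.
MAX_RADIUS_ACL_CLIENTS_PER_PORT = 32


@dataclass(frozen=True)
class Rule:
    """One ACL entry in a constructed, simplified grammar (not the switch's own):
    '<permit|deny> <ip|tcp|udp> <dst-ipv4|any> [dst-port]'."""
    action: str
    proto: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Dict[str, object]) -> bool:
        # "ip" matches any protocol; "any" matches any destination; no port matches any port
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dst != "any" and self.dst != pkt["dst"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse one attribute value the RADIUS server returned, e.g. 'deny tcp 10.0.0.5 80'."""
    parts = text.split()
    if len(parts) not in (3, 4) or parts[0] not in ("permit", "deny") \
            or parts[1] not in ("ip", "tcp", "udp"):
        raise ValueError(f"malformed rule: {text!r}")
    dport = int(parts[3]) if len(parts) == 4 else None
    return Rule(parts[0], parts[1], parts[2], dport)


@dataclass
class Port:
    """An edge port: client MAC -> the ACL RADIUS assigned when that client authenticated."""
    name: str
    client_acls: Dict[str, List[Rule]] = field(default_factory=dict)

    def authenticate(self, mac: str, acl_lines: List[str]) -> bool:
        """Bind the RADIUS-assigned ACL to this client on this port.
        Returns False when the port has no client ACL slot left (Table 7-6, footnote 2)."""
        if mac not in self.client_acls and \
                len(self.client_acls) >= MAX_RADIUS_ACL_CLIENTS_PER_PORT:
            return False
        self.client_acls[mac] = [parse_rule(line) for line in acl_lines]
        return True

    def deauthenticate(self, mac: str) -> None:
        """The dynamic ACL lives only as long as the client's session."""
        self.client_acls.pop(mac, None)

    def filter_inbound(self, src_mac: str, pkt: Dict[str, object]) -> str:
        """Apply only the ACL that belongs to the sending client (the Note above).
        Traffic from other clients on the same port is untouched by it; the static
        port/VLAN ACLs of Table 7-6 would still apply but are outside this model."""
        acl = self.client_acls.get(src_mac)
        if acl is None:
            return "not-filtered"
        for rule in acl:
            if rule.matches(pkt):
                return rule.action
        return "deny"  # assumption: a RADIUS-assigned ACL ends with an implicit deny


if __name__ == "__main__":
    port = Port("A1")
    # Constructed RADIUS reply: block web traffic to one server, allow everything else.
    port.authenticate("00:11:22:33:44:55", ["deny tcp 10.0.0.5 80", "permit ip any"])
    print(port.filter_inbound("00:11:22:33:44:55",
                              {"proto": "tcp", "dst": "10.0.0.5", "dport": 80}))
```

The model makes the two capacity and scoping checks explicit: `authenticate` refuses a 33rd client rather than silently dropping its ACL, and `filter_inbound` keys the lookup on the sending client, so a second client on the same port is never filtered by rules that RADIUS returned for someone else. A real deployment should still confirm the switch's own resource limits (footnote 1) before relying on the full 32-client figure.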
HP Networking E3800 Switches Access Security Guide, September 2011