7-18
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
How a RADIUS Server Applies a RADIUS-Assigned ACL
to a Client on a Switch Port
A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or client MAC address) of the specific client the ACL is intended to serve. Where the username/password pair is the selection criterion, the corresponding ACL can also be used for a group of clients that all require the same ACL policy and use the same username/password pair. Where the client MAC address is the selection criterion, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured for that client's credentials to the client's port. The ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL.
■ If the filter rule used for a RADIUS-based ACL is one of the options that specifies only IPv4 traffic, then the ACL will implicitly deny any inbound IPv6 traffic from the authenticated client.
■ If the filter rule used for a RADIUS-based ACL is the option for specifying both IPv4 and IPv6 traffic, then the ACL filters both IP traffic types according to the ACEs included in the RADIUS-assigned ACL.
When the client session ends, the switch removes the RADIUS-assigned ACL
from the client port.
Note
Implicit Deny. Every RADIUS-assigned ACL ends with an implicit deny in ACE for both IPv4 and IPv6 traffic. This implicit ACE denies any IP traffic that is not specifically permitted. To override this default, configure an explicit permit in ip from any to any as the ACL's last explicit ACE.
Multiple Clients in a RADIUS-Assigned ACL Environment.
Where
multiple clients are authenticated on the same port, if any of the clients has a
RADIUS-assigned ACL, then all of the authenticated clients on the port must
have a RADIUS-assigned ACL. In this case, the switch drops the IP traffic from
any authenticated client that does not have a RADIUS-assigned ACL, and
deauthenticates that client.
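The following is an added example, not code from the HP guide or from the switch firmware. It models, in Python, the port-side behaviour the preceding text describes so that the effect of an ACL can be checked before it is pushed from the RADIUS server: first-match evaluation of the ACEs, the implicit deny in for both IPv4 and IPv6, the IPv4-only filter-rule option (under which no IPv6 traffic can match), the explicit permit in ip from any to any override, and the rule that every authenticated client on a port needs a RADIUS-assigned ACL once any client on that port has one. The ACE grammar parsed here (permit|deny in proto from src to dst [port]) is an assumption modelled on the RFC 4849 NAS-Filter-Rule style; the page itself shows only the single ACE permit in ip from any to any. The Packet class, sample addresses and client names are constructed for the example.

```python
"""Model of how a switch applies a RADIUS-assigned ACL to client traffic.

Constructed example (not HP code). ACE grammar assumed (RFC 4849 style):
    <permit|deny> in <ip|tcp|udp|icmp> from <any|addr[/len]> to <any|addr[/len]> [port]
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """Inbound packet from the authenticated client (constructed test input)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None

    @property
    def family(self) -> int:
        return ipaddress.ip_address(self.dst).version   # 4 or 6


def parse_ace(text: str) -> dict:
    """Parse one ACE string; raise ValueError on anything malformed."""
    tok = text.split()
    if len(tok) not in (7, 8) or tok[1] != "in" or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"malformed ACE: {text!r}")
    action, proto, src, dst = tok[0], tok[2], tok[4], tok[6]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {text!r}")
    port = int(tok[7]) if len(tok) == 8 else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    # ip_network(...).__contains__ returns False for a mismatched address family,
    # so an IPv4 ACE can never match an IPv6 packet and vice versa.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (_addr_matches(ace["src"], pkt.src) and _addr_matches(ace["dst"], pkt.dst)):
        return False
    return ace["port"] is None or ace["port"] == pkt.dport


def apply_radius_acl(aces: List[str], pkt: Packet, ipv6_enabled: bool = False) -> str:
    """Return "permit" or "deny" for one inbound packet.

    ipv6_enabled=False models the IPv4-only filter-rule option: the ACEs apply
    to IPv4 only, so every inbound IPv6 packet is implicitly denied.
    ipv6_enabled=True models the IPv4+IPv6 option: both families are filtered
    by the ACEs, first match wins.
    """
    if not ipv6_enabled and pkt.family == 6:
        return "deny"
    for ace in (parse_ace(a) for a in aces):
        if _ace_matches(ace, pkt):
            return ace["action"]
    return "deny"   # implicit "deny in" ACE for both IPv4 and IPv6


def clients_to_deauthenticate(port_clients: Dict[str, Optional[List[str]]]) -> Set[str]:
    """Multiple clients on one port: once any client has a RADIUS-assigned ACL,
    clients without one have their IP traffic dropped and are deauthenticated."""
    if not any(acl is not None for acl in port_clients.values()):
        return set()
    return {name for name, acl in port_clients.items() if acl is None}


if __name__ == "__main__":
    acl = ["permit in tcp from any to 10.0.0.5 443",
           "permit in udp from any to any 53"]
    print(apply_radius_acl(acl, Packet("10.0.1.7", "10.0.0.5", "tcp", 443)))   # permit
    print(apply_radius_acl(acl, Packet("10.0.1.7", "10.0.0.5", "tcp", 80)))    # deny (implicit)
    print(apply_radius_acl(acl, Packet("2001:db8::7", "2001:db8::1", "tcp", 443)))  # deny (IPv4-only)
    print(clients_to_deauthenticate({"alice": acl, "printer": None}))          # {'printer'}
```

Run it to see which flows an ACL would pass before the RADIUS server hands it to the switch; in particular, any client that also needs IPv6 connectivity must be served by the IPv4+IPv6 filter-rule option, otherwise its IPv6 traffic is dropped regardless of the ACEs.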
Multiple Clients Sharing the Same RADIUS-Assigned ACL.
When multiple clients supported by the same RADIUS server use the same credentials, they will all be serviced by different instances of the same ACL. (The
HP Networking E3800 Switches Access Security Guide, September 2011