7-14
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
VLAN ACL (VACL): An ACL applied to traffic entering the switch on a given VLAN interface. See also “Access Control List”.
VSA (Vendor-Specific-Attribute): A value used in a RADIUS-based configuration to uniquely identify a networking feature that can be applied to a port on a given vendor’s switch during an authenticated client session.
Wildcard: The part of a mask that indicates the bits in a packet’s IP addressing that do not need to match the corresponding bits specified in an ACL. See also “ACL Mask” on page 7-12.
Overview of RADIUS-Assigned, Dynamic ACLs
RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface. This includes preventing clients from using TCP or UDP applications, ICMP packet types, and IGMP (IPv4 only) if you do not want their access privileges to include these capabilities.
Traffic Applications
The switch supports RADIUS-assigned ACLs for the following traffic applications:
■ inbound IPv4 traffic only
■ inbound IPv4 and IPv6 traffic
This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the required, unique credentials. The switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client’s traffic can be assigned regardless of whether other ACLs assigned to the same port are statically configured on the switch.
A RADIUS-assigned ACL filters IP traffic entering the switch from the client whose authentication caused the ACL assignment. Filter criteria are based on:
■ destination address
■ IPv4 or IPv6 traffic type (such as TCP and UDP traffic)
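The following is an added example, not code from this guide or from HP, that models what the overview above describes: per-client ACLs delivered as vendor-specific attributes (see the VSA glossary entry), keyed on the authenticating client, applied only to inbound IP traffic, and matched on destination address and IP protocol or port. Everything specific is an assumption made for illustration: the attribute name `HP-Nas-Filter-Rule`, the ACE grammar `<permit|deny> in <proto> from any to <dest|any> [port]`, the sample Access-Accept contents, and the implicit deny at the end of each assigned ACL. Consult the ACL configuration sections of this guide for the switch's actual syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption, not from the guide): the attributes a
# RADIUS server might return in an Access-Accept for two authenticated
# clients, keyed here by client MAC address. The attribute name and ACE
# grammar are assumed for illustration only.
ACCESS_ACCEPT = {
    "00:11:22:33:44:55": {
        "HP-Nas-Filter-Rule": [
            "permit in tcp from any to 10.10.10.1 22",
            "deny in tcp from any to 10.10.10.1 23",
            "permit in udp from any to 10.10.10.0/24 53",
            "permit in ip from any to 192.168.0.0/16",
        ]
    },
    "aa:bb:cc:dd:ee:ff": {
        "HP-Nas-Filter-Rule": ["permit in ip from any to any"]
    },
}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any IP protocol), "tcp", "udp", "icmp", ...
    dest: object           # ipaddress network object, or None for "any"
    port: Optional[int]    # destination port, or None


@dataclass(frozen=True)
class Packet:
    dst: str               # destination IPv4 or IPv6 address
    proto: str             # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


def parse_ace(text):
    """Parse one ACE string of the assumed form
    '<permit|deny> in <proto> from any to <dest|any> [port]'.
    Only inbound ('in') rules exist because the ACL applies solely to
    traffic entering the switch from the authenticated client."""
    t = text.split()
    if len(t) not in (7, 8) or t[1] != "in" or t[3:6] != ["from", "any", "to"]:
        raise ValueError("unrecognised ACE: %r" % text)
    action, proto, dest = t[0], t[2], t[6]
    if action not in ("permit", "deny"):
        raise ValueError("bad action in ACE: %r" % text)
    net = None if dest == "any" else ipaddress.ip_network(dest, strict=False)
    port = None
    if len(t) == 8:
        if proto not in ("tcp", "udp"):
            raise ValueError("port given for non-TCP/UDP ACE: %r" % text)
        port = int(t[7])
    return Ace(action, proto, net, port)


def load_client_acls(access_accept):
    """Build {client-id: [Ace, ...]} from the per-client Access-Accept attributes."""
    return {
        client: [parse_ace(a) for a in attrs.get("HP-Nas-Filter-Rule", [])]
        for client, attrs in access_accept.items()
    }


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    # An IPv6 destination never falls inside an IPv4 network, and vice versa,
    # so a v4-only ACL yields no match for v6 traffic (and then the implicit deny).
    if ace.dest is not None and ipaddress.ip_address(pkt.dst) not in ace.dest:
        return False
    if ace.port is not None and ace.port != pkt.dport:
        return False
    return True


def evaluate(acl, pkt):
    """First matching ACE wins; an implicit 'deny in ip from any to any'
    ends every RADIUS-assigned ACL (assumption for this example)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def filter_inbound(client_acls, client_id, pkt):
    """Decide inbound traffic from one authenticated client. Returns
    'permit', 'deny', or None when no RADIUS-assigned ACL exists for the
    client (other, statically configured ACLs may still apply)."""
    acl = client_acls.get(client_id)
    if acl is None:
        return None
    return evaluate(acl, pkt)


if __name__ == "__main__":
    acls = load_client_acls(ACCESS_ACCEPT)
    for pkt in (Packet("10.10.10.1", "tcp", 22), Packet("10.10.10.1", "tcp", 23),
                Packet("10.10.10.50", "tcp", 80), Packet("2001:db8::1", "tcp", 22)):
        print(pkt, "->", filter_inbound(acls, "00:11:22:33:44:55", pkt))
```

Two behaviours worth noting in practice: a client whose Access-Accept carries only IPv4 rules gets every IPv6 packet dropped by the implicit deny once the switch applies the ACL to both address families, so an ACL written for the "inbound IPv4 traffic only" case must be revisited before enabling IPv6 filtering; and a client with no RADIUS-assigned ACL is not filtered by this mechanism at all, which is why the static port ACLs mentioned above still matter.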
HP Networking E3800 Switches Access Security Guide, September 2011.