7-16
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
ACLs enhance network security by blocking selected IP traffic and can serve as one aspect of network security. However, because ACLs do not protect against malicious manipulation of the data carried in IP packets, they should not be relied upon as a complete edge security solution.
Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.
Contrasting RADIUS-Assigned and Static ACLs
Table 7-1 highlights several key differences between the static ACLs configurable on switch VLANs and ports and the dynamic ACLs that a RADIUS server can assign to filter IP traffic from individual clients.
Table 7-1. Contrasting Dynamic (RADIUS-Assigned) and Static ACLs

Where configured
  RADIUS-assigned ACLs: configured in client accounts on a RADIUS server.
  Static port and VLAN ACLs: configured on switch ports and VLANs.

Intended use
  RADIUS-assigned ACLs: designed for use at the edge of the network, where filtering of IP traffic entering the switch from individual, authenticated clients matters most and where clients with differing access requirements are likely to use the same port.
  Static port and VLAN ACLs: designed for use where the filtering needs focus on static configurations covering:
    • switched IP traffic entering from multiple authenticated or unauthenticated sources (VACLs or static port ACLs)
    • routed IPv4 traffic (RACLs)
    • IP traffic from multiple sources with a destination on the switch itself

Authentication
  RADIUS-assigned ACLs: implementation requires client authentication.
  Static port and VLAN ACLs: client authentication is not a factor.

Identification
  RADIUS-assigned ACLs: identified by the credentials (username/password pair or MAC address) of the specific client the ACL is intended to serve.
  Static port and VLAN ACLs: identified by a number in the range 1-199 or an alphanumeric name.

Traffic filtered
  RADIUS-assigned ACLs: dynamically assigned to filter only the IP traffic entering the switch from an authenticated client on the port to which that client is connected. (IPv6 traffic can be switched; IPv4 traffic can be routed or switched. For either IP traffic family, this includes traffic whose destination address is the switch itself.)
  Static port and VLAN ACLs: statically assigned to filter:
    • switched IPv6 traffic entering the switch
    • switched or routed IPv4 traffic entering the switch, or routed IPv4 traffic leaving the switch

Lifetime
  RADIUS-assigned ACLs: when the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port.
  Static port and VLAN ACLs: remain statically assigned to the port or VLAN.
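The table above says that a RADIUS-assigned ACL lives in the client's RADIUS account and arrives with the client's authentication, and that the server's configuration decides whether it filters IPv4 only or IPv4 and IPv6. The following Python script is an added example, not code from the HP guide or from the switch firmware. It builds and parses the RADIUS attribute encoding that carries such a rule list: the standard NAS-Filter-Rule attribute (type 92, RFC 4849), in which each rule is NUL-terminated and the concatenated rules are split across as many 253-octet attribute values as needed, plus an HP Vendor-Specific attribute (vendor id 11) for the IPv4/IPv6 selector. The VSA number (63) and its values (1 = IPv4 only, 2 = IPv4 and IPv6) are assumptions taken from the HP RADIUS dictionary and should be checked against the dictionary your server ships with; the ACE syntax in the sample rules is constructed for illustration.

```python
"""Encode and decode the RADIUS attributes that carry a dynamic ACL.

Added example; assumes the HP-Nas-Rules-IPv6 VSA number below and uses
constructed sample ACEs.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865
ATTR_NAS_FILTER_RULE = 92   # RFC 4849
VENDOR_HP = 11              # IANA enterprise number: Hewlett-Packard
HP_NAS_RULES_IPV6 = 63      # assumed VSA id; value 1 = IPv4 only, 2 = IPv4 + IPv6
MAX_VALUE = 253             # 255-octet attribute minus the type and length octets


def encode_attr(attr_type, value):
    """One RFC 2865 attribute: Type, Length (header included), Value."""
    if not 1 <= len(value) <= MAX_VALUE:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_hp_vsa(vendor_type, value):
    """Vendor-Specific (26) wrapping vendor-id, vendor-type, vendor-length, value."""
    sub = struct.pack("!IBB", VENDOR_HP, vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, sub)


def build_dynamic_acl(rules, filter_ipv6=False):
    """Encode an ACE list as NAS-Filter-Rule attributes plus the IPv6 selector.

    Per RFC 4849 each rule is NUL-terminated, the rules are concatenated, and
    the resulting octet string is split across as many attributes as needed;
    the receiver re-joins the attribute values in order.
    """
    blob = b"".join(rule.encode("ascii") + b"\x00" for rule in rules)
    out = b"".join(encode_attr(ATTR_NAS_FILTER_RULE, blob[i:i + MAX_VALUE])
                   for i in range(0, len(blob), MAX_VALUE))
    selector = 2 if filter_ipv6 else 1
    out += encode_hp_vsa(HP_NAS_RULES_IPV6, struct.pack("!I", selector))
    return out


def parse_attrs(data):
    """Walk a RADIUS attribute list, returning (type, value) pairs; rejects bad lengths."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def extract_dynamic_acl(data):
    """Reassemble the rule list and the IPv4/IPv6 selector a switch would apply."""
    rule_blob = b""
    filter_ipv6 = False  # with the VSA absent, treat the ACL as IPv4-only
    for attr_type, value in parse_attrs(data):
        if attr_type == ATTR_NAS_FILTER_RULE:
            rule_blob += value
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == VENDOR_HP and vtype == HP_NAS_RULES_IPV6 and vlen == 6:
                filter_ipv6 = struct.unpack("!I", value[6:10])[0] == 2
    rules = [r.decode("ascii") for r in rule_blob.split(b"\x00") if r]
    return rules, filter_ipv6


# Constructed sample ACE list (syntax assumed, not taken from the guide).
SAMPLE_RULES = [
    "permit in tcp from any to 10.10.10.1 23",
    "deny in tcp from any to any 23",
    "permit in ip from any to any",
]

if __name__ == "__main__":
    wire = build_dynamic_acl(SAMPLE_RULES, filter_ipv6=True)
    print(len(wire), "octets of attributes")
    print(extract_dynamic_acl(wire))
```

The splitting across attributes is the part worth testing: a rule list longer than 253 octets must arrive as several NAS-Filter-Rule attributes, and a switch that only reads the first one silently drops ACEs, which for a list ending in a permit rule can widen access rather than narrow it.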