Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists

Nas-Filter-Rule-Options

Table 7-7. Nas-Filter-Rule Attribute Options
Service: ACLs Applied to Client Traffic Inbound to the Switch
Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port.

Control Method and Operating Notes:
Standard Attribute: 92
This is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 and IPv6 traffic.

Entry for IPv4-Only ACE To Filter Client Traffic:
  Nas-filter-Rule = "<permit or deny ACE>"   (Standard Attribute 92)
For example:
  Nas-filter-Rule="permit in tcp from any to any"

Entries for IPv4/IPv6 ACE To Filter Client Traffic:
  HP-Nas-Rules-IPv6 = < 1 | 2 >   (VSA, where 1 = IPv4 and IPv6 traffic, and 2 = IPv4-only traffic.)
  Nas-filter-Rule = "<permit or deny ACE>"   (Standard Attribute 92)
For example:
  HP-Nas-Rules-IPv6=1
  Nas-filter-Rule="permit in tcp from any to any"

Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client will be dropped. For details on the IPv6 option, refer to "Set IP Mode", below.
Service: Set IP Mode
Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering capability in an ACE.

Control Method and Operating Notes:
HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute)
When using the standard attribute (92) described above in a RADIUS-assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client, one instance of this VSA must be included in the ACL. Note that this attribute supports either of the following IP modes for Nas-filter-Rule ACEs:
  • both IPv6 and IPv4 traffic
  • only IPv4 traffic

HP vendor-specific ID: 11
VSA: 63 (string = HP-Nas-Rules-IPv6)
  • IPv6 and IPv4 ACLs: integer = 1 (Using this option causes the ACL to filter both IPv4 and IPv6 traffic.)
  • IPv4-only ACLs: integer = 2 (Using this option causes the ACL to drop any IPv6 traffic received from the authenticated client.)

Setting:
  HP-Nas-Rules-IPv6 = < 1 | 2 >
  Nas-filter-Rule = "<permit or deny ACE>"

Note: When the configured integer option is "1", the any keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type (such as Telnet). Thus, if you want the IPv4 and IPv6 versions of the selected traffic type to both go to their respective "any" destinations, a single ACE is sufficient for the selected traffic type. For example:
  HP-Nas-Rules-IPv6=1
  Nas-filter-Rule="permit in tcp from any to any 23"

— Continued —
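The following is an added example and is not HP code or text from the guide. It models the reply attributes of Table 7-7 (Nas-filter-Rule, standard attribute 92, and the HP-Nas-Rules-IPv6 VSA, number 63 under vendor ID 11) and applies the operating notes above to constructed sample packets: with the VSA set to 1 an "any" destination covers both address families, and with the VSA set to 2 or absent, IPv6 traffic from the client is dropped. Assumptions not taken from the page: the ACE grammar parsed is only the subset the guide shows ("permit|deny in <proto> from <src> to <dst> [port]"), the ACL is assumed to end in an implicit deny, and the Packet type and the sample addresses are constructed for the example.

```python
"""Model of HP RADIUS-assigned ACL attributes and the filtering semantics stated in
Table 7-7. Added example, not HP code. The ACE grammar is the subset shown in the
guide; the implicit deny at the end of the ACL is an assumption, not stated on the page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

HP_VENDOR_ID = 11             # HP vendor-specific ID (from the guide)
HP_NAS_RULES_IPV6_VSA = 63    # VSA number of HP-Nas-Rules-IPv6 (from the guide)
NAS_FILTER_RULE_ATTR = 92     # standard attribute carrying each ACE (from the guide)
IPV6_AND_IPV4 = 1             # HP-Nas-Rules-IPv6 = 1: filter IPv4 and IPv6
IPV4_ONLY = 2                 # HP-Nas-Rules-IPv6 = 2: IPv6 from the client is dropped


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "ip", ...
    src: str               # "any" or an IPv4/IPv6 address or prefix
    dst: str
    port: Optional[int]    # destination port, or None for any port


@dataclass
class Packet:              # constructed packet model for the example
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def parse_ace(rule: str) -> Ace:
    """Parse one Nas-filter-Rule value, e.g. 'permit in tcp from any to any 23'."""
    rule = rule.strip().strip('"').strip("\u201c\u201d")   # drop ASCII/typographic quotes
    parts = rule.split()
    if len(parts) < 7 or parts[1] != "in" or parts[3] != "from" or parts[5] != "to":
        raise ValueError(f"unsupported ACE syntax: {rule!r}")
    action, proto, src, dst, rest = parts[0], parts[2], parts[4], parts[6], parts[7:]
    if action not in ("permit", "deny"):
        raise ValueError(f"ACE must start with permit or deny: {rule!r}")
    port = int(rest[0]) if rest else None
    return Ace(action, proto, src, dst, port)


def build_reply(aces: List[Ace], ipv6_mode: Optional[int] = None) -> List[Tuple[str, object]]:
    """Return the RADIUS reply attributes as (name, value) pairs, VSA first, one
    Nas-filter-Rule per ACE, in the order the switch evaluates them."""
    attrs: List[Tuple[str, object]] = []
    if ipv6_mode is not None:
        if ipv6_mode not in (IPV6_AND_IPV4, IPV4_ONLY):
            raise ValueError("HP-Nas-Rules-IPv6 must be 1 or 2")
        attrs.append(("HP-Nas-Rules-IPv6", ipv6_mode))
    for ace in aces:
        tail = f" {ace.port}" if ace.port is not None else ""
        attrs.append(("Nas-filter-Rule",
                      f"{ace.action} in {ace.proto} from {ace.src} to {ace.dst}{tail}"))
    return attrs


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches either address family; a prefix matches only its own family."""
    if spec == "any":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:            # unparsable spec never matches
        return False


def filter_packet(attrs: List[Tuple[str, object]], pkt: Packet) -> str:
    """Apply the assigned ACL to one inbound client packet: 'permit' or 'deny'."""
    mode = next((v for n, v in attrs if n == "HP-Nas-Rules-IPv6"), None)
    is_v6 = ipaddress.ip_address(pkt.src).version == 6
    # Guide: if the VSA is 2 or absent, IPv6 traffic from the client is dropped.
    if is_v6 and mode != IPV6_AND_IPV4:
        return "deny"
    for name, value in attrs:
        if name != "Nas-filter-Rule":
            continue
        ace = parse_ace(str(value))
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
            continue
        if ace.port is not None and ace.port != pkt.dport:
            continue
        return ace.action        # first matching ACE wins
    return "deny"                # assumed implicit deny at the end of the ACL


if __name__ == "__main__":
    reply = build_reply([parse_ace('permit in tcp from any to any 23')], IPV6_AND_IPV4)
    for name, value in reply:
        print(f"{name} = {value!r}")
    print(filter_packet(reply, Packet("2001:db8::5", "2001:db8::1", "tcp", 23)))
```

The check a RADIUS administrator wants from this model is the second "Note" in the table made concrete: the same single Telnet ACE permits both an IPv4 and an IPv6 client session when the VSA is 1, and the IPv6 session is dropped as soon as the VSA is omitted from the reply, which is an easy mistake to make when copying an IPv4-only profile.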
Source: HP Networking E3800 Switches Access Security Guide, September 2011 (KA 15 03)