7-25
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
ACE Syntax in RADIUS Servers
This section describes ACE syntax configuration options in a RADIUS server.
ACE Syntax (Standard Attribute-92):

    Nas-filter-Rule="< permit | deny > in < ip | ip-protocol-value > from any to
        < any | host < ip-addr > | ipv4-addr/mask | IPv6-address/prefix >
        [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt]"

IPv6 VSA for Standard Attribute:

    [ HP-Nas-Rules-IPv6=< 1 | 2 > ]

    (For an example of how to apply this VSA, refer to figure 7-8 on page 7-31.)

ACE Syntax (Legacy VSA-61):

    HP-Nas-filter-Rule="< permit | deny > in < ip | ip-protocol-value > from any to
        < any | host < ip-addr > | ipv4-addr/mask >
        [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt]"
Nas-filter-Rule=: Standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without the HP VSA option (below), it does not filter inbound IPv6 traffic from the client; that IPv6 traffic is dropped. Refer also to table 7-7, "Nas-Filter-Rule Attribute Options" on page 7-23.

[ HP-Nas-Rules-IPv6=< 1 | 2 > ]: HP VSA used in an ACL intended to filter IPv6 traffic. Settings include:
    - 1: ACE filters both IPv4 and IPv6 traffic.
    - 2: ACE filters IPv4 traffic and drops IPv6 traffic.
    - VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.
This VSA must be present in an ACL where the Nas-filter-Rule= attribute is intended to filter inbound IPv6 traffic from an authenticated client. Refer also to table 7-7, "Nas-Filter-Rule Attribute Options" on page 7-23.

HP-Nas-filter-Rule=: Legacy HP VSA for filtering inbound IPv4 traffic only from an authenticated client. Drops inbound IPv6 traffic from the client. Refer also to table 7-7, "Nas-Filter-Rule Attribute Options" on page 7-23.

" ... ": Quotation marks are required; they enclose and delimit one complete permit or deny ACE statement. For example:

    Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"

< permit | deny >: Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For information on explicitly permitting or denying all inbound IP traffic from an authenticated client, or for implicitly denying all such IP traffic not already permitted or denied, refer to "Configuration Notes" on page 7-34.)

in: Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.

< ip | ip-protocol-value >: Options for specifying the type of traffic to filter.
    ip: Applies the ACE to all IP traffic from the authenticated client.
    ip-protocol-value: Applies the ACE to the type of IP traffic specified either by a protocol number or by the keyword tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing, refer to "Protocol Registries" on the Web site of the Internet Assigned Numbers Authority at www.iana.com.) Some examples of protocol numbers include:
        1 = ICMP
        2 = IGMP (IPv4 only)
        6 = TCP
        17 = UDP
        41 = IPv6
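The following validator is an added example, not HP's code and not part of this guide. It checks ACE strings against the syntax described above before they are entered as RADIUS reply attributes, and reports whether inbound IPv6 from the client would be filtered or dropped under the HP-Nas-Rules-IPv6 rules, flagging an IPv6 ACE that would be ineffective because the VSA is missing or set to 2. Assumptions that are not on the page: a port range is written as low-high; protocol numbers 1, 2, 6 and 17 take the same port/type qualifier as icmp, igmp, tcp and udp; the sample attribute block, the 10.10.10.53 and 2001:db8:: addresses, and all function names are constructed for this example.

```python
import ipaddress
import re
from collections import namedtuple

PROTOCOL_KEYWORDS = {"ip", "tcp", "udp", "icmp", "igmp"}
# Numeric values listed on the page, mapped to the keyword whose qualifier rules
# (port / port range / icmp-type) they share; an assumption of this example.
NUMERIC_TO_KEYWORD = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}

# "<permit|deny> in <proto> from any to <dest> [port | port-range | icmp-type] [cnt]"
# The page does not show the port-range form; low-high is assumed here.
_ACE_RE = re.compile(
    r'^"(?P<action>permit|deny) in (?P<proto>\S+) from any to '
    r'(?P<dest>any|host \S+|\S+/\S+)(?: (?P<qual>\d+(?:-\d+)?))?(?: (?P<cnt>cnt))?"$'
)

# protocol is the keyword, or "other" for a number the page does not list
Ace = namedtuple("Ace", "action protocol destination dest_is_ipv6 qualifier count")

def parse_ace(text: str) -> Ace:
    """Parse and validate one quoted ACE string; raise ValueError on any defect."""
    text = text.strip().replace("\u201c", '"').replace("\u201d", '"')  # undo smart quotes
    m = _ACE_RE.match(text)
    if not m:
        raise ValueError(f"ACE does not match the required syntax: {text}")
    token = m["proto"].lower()
    if token.isdigit() and int(token) <= 255:
        proto = NUMERIC_TO_KEYWORD.get(int(token), "other")
    elif token in PROTOCOL_KEYWORDS:
        proto = token
    else:
        raise ValueError(f"unknown protocol keyword or number outside 0-255: {token}")
    dest, dest_is_ipv6 = m["dest"], False
    if dest.startswith("host "):                # host <ip-addr>
        dest_is_ipv6 = ipaddress.ip_address(dest[5:]).version == 6
    elif dest != "any":                         # ipv4-addr/mask or IPv6-address/prefix
        dest_is_ipv6 = ipaddress.ip_network(dest, strict=False).version == 6
    if proto == "igmp" and dest_is_ipv6:
        raise ValueError("igmp is IPv4-only; IPv6 destination not allowed")
    qual = m["qual"]
    if qual is not None:
        if proto in ("tcp", "udp"):
            lo, _, hi = qual.partition("-")
            low, high = int(lo), int(hi or lo)
            if high > 65535 or low > high:
                raise ValueError(f"bad tcp/udp port or range: {qual}")
        elif proto == "icmp":
            if "-" in qual or int(qual) > 255:
                raise ValueError(f"bad icmp-type: {qual}")
        else:
            raise ValueError(f"port/type qualifier not allowed with protocol {token}")
    return Ace(m["action"], proto, dest, dest_is_ipv6, qual, m["cnt"] is not None)

def parse_attribute(line: str):
    """Split 'Name="..."' into (name, Ace) and enforce the legacy VSA's IPv4-only rule."""
    name, sep, value = line.partition("=")
    name = name.strip()
    if not sep or name not in ("Nas-filter-Rule", "HP-Nas-filter-Rule"):
        raise ValueError(f"not an ACE attribute: {line}")
    ace = parse_ace(value)
    if name == "HP-Nas-filter-Rule" and ace.dest_is_ipv6:
        raise ValueError("HP-Nas-filter-Rule (legacy VSA-61) filters IPv4 only")
    return name, ace

def check_acl(lines):
    """Validate a block of reply attributes and report how inbound IPv6 is treated."""
    aces, errors, ipv6_vsa, uses_standard = [], [], None, False
    for line in (l.strip() for l in lines if l.strip()):
        if line.startswith("HP-Nas-Rules-IPv6"):
            val = line.partition("=")[2].strip()
            if val in ("1", "2"):
                ipv6_vsa = int(val)
            else:
                errors.append(f"HP-Nas-Rules-IPv6 must be 1 or 2: {line}")
            continue
        try:
            name, ace = parse_attribute(line)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        aces.append(ace)
        uses_standard = uses_standard or name == "Nas-filter-Rule"
    # Only the standard attribute together with HP-Nas-Rules-IPv6=1 filters IPv6;
    # value 2, a missing VSA, or the legacy VSA alone drops inbound IPv6.
    ipv6 = "filtered" if uses_standard and ipv6_vsa == 1 else "dropped"
    if ipv6 == "dropped" and any(a.dest_is_ipv6 for a in aces):
        errors.append("IPv6 ACE present but HP-Nas-Rules-IPv6=1 missing: inbound IPv6 is dropped")
    return {"aces": aces, "ipv6_traffic": ipv6, "errors": errors}

# Constructed sample reply-attribute block; the first ACE is the page's own example.
SAMPLE_ACL = [
    'Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"',
    'Nas-filter-Rule="permit in udp from any to host 10.10.10.53 53"',
    'Nas-filter-Rule="permit in 6 from any to 2001:db8::/32 443"',
    'Nas-filter-Rule="deny in icmp from any to any 8 cnt"',
    "HP-Nas-Rules-IPv6=1",
    'Nas-filter-Rule="permit in ip from any to any"',
]
```

Calling `check_acl(SAMPLE_ACL)` returns the parsed ACEs, `"ipv6_traffic": "filtered"` (standard attribute plus HP-Nas-Rules-IPv6=1) and an empty error list; running it on a block that carries an IPv6 destination without the VSA, or under the legacy HP-Nas-filter-Rule, produces an error entry instead, which is the configuration mistake the text above warns about. Smart quotes pasted from a document are normalised to ASCII quotes so the check matches what a RADIUS dictionary actually needs.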