7-32
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
Example Using HP VSA 61 To Assign IPv4 ACLs
The software supports the HP VSA 61 vendor-specific method for enabling
RADIUS-based IPv4 ACL assignments on the switch. The recommended use
of this option is to support ACL configurations that rely on VSA 61. However,
HP recommends using the standard attribute (92) for new, RADIUS-based IPv4
ACLs (pages 7-23 and 7-27).
This example uses the HP VSA attribute 61 for configuring RADIUS-assigned
IPv4 ACL support on FreeRADIUS for two different client identification
methods (username/password and MAC address).
1. Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS
   dictionary file:

   VENDOR HP 11                            <-- HP Vendor-Specific ID
   BEGIN-VENDOR HP
   ATTRIBUTE HP-Nas-filter-Rule 61 STRING  <-- HP Vendor-Specific Attribute for RADIUS-Assigned ACLs
   END-VENDOR HP

   Note that if you were also using the RADIUS server to administer 802.1p
   (CoS) priority and/or Rate-Limiting, you would also insert the ATTRIBUTE
   entries for these functions above the END-VENDOR entry.

Figure 7-9. Example of Configuring the VSA for RADIUS-Assigned IPv4 ACLs in a FreeRADIUS Server

2. Enter the switch IPv4 address, NAS (Network Attached Server) type, and the
   key used in the FreeRADIUS clients.conf file. For example, if the switch
   IP address is 10.10.10.125 and the key (“secret”) is “1234”, you would
   enter the following in the server’s clients.conf file:

   client 10.10.18.12 {
       nastype = other
       secret = 1234
   }

   Note: The key configured in the switch and the secret configured in the
   RADIUS server supporting the switch must be identical. Refer to the
   chapter titled “RADIUS Authentication and Accounting” in the latest
   Access Security Guide for your switch.

Figure 7-10. Example of Switch Identity Information for a FreeRADIUS Application

3. For a given client username/password pair, create an ACL by entering one
   or more IPv4 ACEs in the FreeRADIUS “users” file. Remember that the ACL
   you create to filter IPv4 traffic automatically includes an implicit
   “deny in ip from any to any” ACE (for IPv4). For example, suppose that
   you wanted to create ACL support for a client having a username of
   “User-10” and a password of “auth7X”. The ACL in this example must
   achieve the following:
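To show what the dictionary entry in Figure 7-9 turns into on the wire, here is an added example (not from this guide, the switch firmware, or FreeRADIUS) that reads the dictionary fragment, emits one RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26, vendor id 11, vendor type 61) per ACE, and parses the result back while rejecting truncated or mis-sized attributes. The permit ACE used as input is a constructed sample; only the deny ACE is quoted from the text.

```python
import struct

# Constructed copy of the Figure 7-9 dictionary fragment (vendor id 11, attribute 61).
HP_DICTIONARY = """\
VENDOR HP 11
BEGIN-VENDOR HP
ATTRIBUTE HP-Nas-filter-Rule 61 STRING
END-VENDOR HP
"""
VSA_TYPE = 26            # RFC 2865 section 5.26, Vendor-Specific
MAX_VSA_VALUE = 255 - 8  # one-octet Length minus type/length/vendor-id/vendor-type/vendor-length

def parse_dictionary(text):
    """Return (vendor_id, {attribute_name: attribute_number}) from a dictionary fragment."""
    vendor_id, attrs = None, {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "VENDOR":
            vendor_id = int(parts[2])
        elif parts and parts[0] == "ATTRIBUTE":
            attrs[parts[1]] = int(parts[2])
    return vendor_id, attrs

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute: Type, Length, Vendor-Id, Vendor-Type, Vendor-Length, value."""
    if len(value) > MAX_VSA_VALUE:
        raise ValueError("ACE string too long for a single RADIUS attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", VSA_TYPE, 6 + len(inner), vendor_id) + inner

def decode_vsas(data):
    """Parse concatenated VSAs into [(vendor_id, vendor_type, value)]; reject malformed lengths."""
    out = []
    while data:
        if len(data) < 8:
            raise ValueError("truncated attribute")
        attr_type, length, vendor_id = struct.unpack("!BBI", data[:6])
        vendor_type, vendor_length = data[6], data[7]
        if attr_type != VSA_TYPE or length < 8 or length > len(data) or vendor_length != length - 6:
            raise ValueError("malformed Vendor-Specific attribute")
        out.append((vendor_id, vendor_type, data[8:length]))
        data = data[length:]
    return out

def acl_to_vsas(aces, dictionary=HP_DICTIONARY):
    """Emit one HP-Nas-filter-Rule VSA per ACE, in the order the switch should evaluate them."""
    vendor_id, attrs = parse_dictionary(dictionary)
    return b"".join(encode_vsa(vendor_id, attrs["HP-Nas-filter-Rule"], a.encode()) for a in aces)
```

Because each ACE is a separate attribute instance, the order of the HP-Nas-filter-Rule lines in the users file is the order the switch applies them, and the final implicit deny still follows whatever you send.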