10-18
IPv4 Access Control Lists (ACLs)
Overview
802.1X User-Based and Port-Based Applications.
User-Based 802.1X access control allows up to 32 individually authenticated clients on a given port.
Port-Based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended for applications where only one client at a time can connect to the port).
■ If you configure 802.1X user-based security on a port and the RADIUS response includes a RADIUS-assigned ACL for at least one authenticated client, then the RADIUS response for all other clients authenticated on the port must also include a RADIUS-assigned ACL. Inbound IP traffic on the port from a client that authenticates without receiving a RADIUS-assigned ACL will be dropped and the client will be de-authenticated.
■ Using 802.1X port-based security on a port where the RADIUS response to a client authenticating includes a RADIUS-assigned ACL, different results can occur, depending on whether any additional clients attempt to use the port and whether these other clients initiate an authentication attempt. This option is recommended for applications where only one client at a time can connect to the port, and not recommended for instances where multiple clients may access the same port at the same time. For more information, refer to "802.1X Port-Based Access Control" in the chapter titled "Configuring Port-Based and User-Based Access Control (802.1X)" in the latest Access Security Guide for your switch.
Operating Notes.
■ For RADIUS ACL applications, the switch operates in a dual-stack mode, and a RADIUS-assigned ACL can filter both IPv4 and IPv6 traffic. At a minimum, a RADIUS-assigned ACL automatically includes the implicit deny for both IPv4 and IPv6 traffic. Thus, an ACL configured on a RADIUS server to filter IPv4 traffic will also deny inbound IPv6 traffic from an authenticated client unless the ACL includes ACEs that permit the desired IPv6 traffic. The reverse is true for a dynamic ACL configured on a RADIUS server to filter IPv6 traffic. (RADIUS-assigned ACLs are applied per authenticated client, keyed on the MAC address of the authenticating client.) Refer to chapter 7, "Configuring RADIUS Server Support for Switch Services".
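The following model, added here as an illustration and not code from the switch or from HP, ties together the two rules above: a RADIUS-assigned ACL is evaluated first-match with an implicit deny that covers both address families, and on a user-based port a client that authenticates without a RADIUS-assigned ACL, while another client on the port has one, has its inbound IP traffic dropped and is de-authenticated. The `Ace`/`Packet` classes, the `UserBasedPort` class and the simplified ACE fields (action, protocol, destination network, family, port) are assumptions of the model; they are not the switch's ACE grammar or the RADIUS attribute format, and the addresses and MACs are constructed sample data.

```python
"""Constructed model of RADIUS-assigned ACL behaviour on an 802.1X user-based
port (illustration only; not switch firmware or HP code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None

    @property
    def family(self) -> int:    # 4 or 6, taken from the destination address
        return ipaddress.ip_address(self.dst).version


@dataclass(frozen=True)
class Ace:
    """One access control entry as a RADIUS server might return it (simplified)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    dst: Optional[str]          # destination CIDR, or None for "any"
    family: int                 # 4 or 6: the address family this ACE covers
    dport: Optional[int] = None # destination port, None for any

    def matches(self, pkt: Packet) -> bool:
        if pkt.family != self.family:
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def filter_inbound(acl: list[Ace], pkt: Packet) -> bool:
    """First match wins. With no match the implicit deny applies, and it
    covers IPv4 and IPv6 alike, whatever family the configured ACEs mention."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


class UserBasedPort:
    """802.1X user-based port: up to 32 authenticated clients, keyed by MAC."""
    MAX_CLIENTS = 32

    def __init__(self) -> None:
        self.clients: dict[str, Optional[list[Ace]]] = {}

    def authenticate(self, mac: str, radius_acl: Optional[list[Ace]]) -> bool:
        if len(self.clients) >= self.MAX_CLIENTS:
            return False
        self.clients[mac] = radius_acl          # None: RADIUS returned no ACL
        return True

    def inbound(self, mac: str, pkt: Packet) -> str:
        """Return "forward", "drop" or "deauth" for an inbound IP packet."""
        if mac not in self.clients:
            return "drop"                        # unauthenticated source
        acl = self.clients[mac]
        if acl is None:
            if any(a is not None for a in self.clients.values()):
                # Another client on this port received a RADIUS-assigned ACL,
                # so this one needed one too: drop and de-authenticate.
                del self.clients[mac]
                return "deauth"
            return "forward"                     # no dynamic ACLs on this port
        return "forward" if filter_inbound(acl, pkt) else "drop"


def demo() -> dict[str, str]:
    # Constructed RADIUS-assigned ACL: permit HTTPS to one IPv4 subnet only.
    ipv4_only_acl = [Ace("permit", "tcp", "10.10.10.0/24", 4, 443)]
    # Same ACL with an explicit IPv6 ACE, as the operating note requires.
    dual_stack_acl = ipv4_only_acl + [Ace("permit", "tcp", "2001:db8::/64", 6, 443)]

    v4 = Packet("10.10.20.5", "10.10.10.7", "tcp", 443)
    v6 = Packet("2001:db8::5", "2001:db8::7", "tcp", 443)

    port = UserBasedPort()
    port.authenticate("00:11:22:33:44:55", ipv4_only_acl)
    port.authenticate("00:11:22:33:44:66", dual_stack_acl)
    port.authenticate("66:77:88:99:aa:bb", None)      # authenticated, no ACL

    return {
        "v4_permitted": port.inbound("00:11:22:33:44:55", v4),
        "v6_implicit_deny": port.inbound("00:11:22:33:44:55", v6),
        "v6_with_ipv6_ace": port.inbound("00:11:22:33:44:66", v6),
        "client_without_acl": port.inbound("66:77:88:99:aa:bb", v4),
        "after_deauth": port.inbound("66:77:88:99:aa:bb", v4),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `v6_implicit_deny` case is the one that surprises operators: the ACL looks permissive for the client's web traffic, yet every IPv6 packet from that client is silently dropped until an IPv6 ACE is added on the RADIUS server.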
■ To support authentication of IPv6 clients:
• The VLAN to which the port belongs must be configured with an IPv6 address.
• Connection to an IPv6-capable RADIUS server must be supported.