Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
any:
• Specifies any IPv4 destination address if one of the following is true:
– the ACE uses the standard attribute (
Nas-filter-Rule
). For example:
Nas-filter-Rule=”permit in tcp from any to any 23”
Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24”
Nas-filter-Rule+=”deny in ip from any to any”
– the HP-Nas-Filter-Rule VSA is used instead of the above option. For example, all
of the following destinations are for IPv4 traffic:
HP-Nas-filter-Rule=”permit in tcp from any to any 23”
HP-Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24”
HP-Nas-filter-Rule+=”deny in ip from any to any”
<
ipv4-addr
>:
Specifies a single destination IPv4 address.
<
ipv4-addr
/<
mask
>:
Specifies a series of contiguous destination addresses or all
destination addresses in a subnet. The
< mask >
is CIDR notation for the number of
leftmost bits in a packet’s destination IPv4 address that must match the corre
sponding bits in the destination IPv4 address listed in the ACE. For example, a
destination of 10.100.17.1/24 in the ACE means that a match occurs when an
inbound packet (of the designated IPv4 type) from the authenticated client has a
destination IPv4 address where the first three octets are 10.100.17. (The fourth octet
is a wildcard, and can be any value up to 255.)
[
tcp/udp-port
|
tcp/udp-port-range
]:
Optional TCP or UDP port specifier. Used when the ACE
is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP
destination port numbers. You can specify port numbers as individual values and/or
ranges. For example, the following ACE shows two ways to deny any UDP traffic from an
authenticated client that has a DA of any address and a UDP destination port of 135, 137
139, or 445:
deny in udp from any to any 135, 137-139, 445
deny in 17 from any to any 135, 137-139, 445
[
icmp-type
]
:
Optional ICMP type specifier. This can be either a keyword or an ICMP type
number. For a listing of numbers and types, refer to table 6-5, “ICMP Type Numbers and
Keywords” on page 6-28.
[ cnt ]:
Optional counter specifier for a RADIUS-assigned ACE. When used, the counter
increments each time there is a “match” with the ACE. This option does not require that
you configure the switch for RADIUS accounting.
Example Using the Standard Attribute (92) In an IPv4 ACL
The Standard attribute (92) filters IPv4 traffic inbound from the authenticated
client. (Any IPv6 traffic inbound from the client is dropped.) This example
illustrates configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS
using the standard attribute for two different client identification methods
(username/password and MAC address).
6-20
Summary of Contents for PROCURVE 2910AL
Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Page 2: ......
Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Page 156: ...TACACS Authentication Operating Notes 4 30 ...
Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Page 592: ...12 Index ...
Page 593: ......