DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring and Managing Security ACLs
Mapping Security ACLs
User-based security ACLs are mapped to an IEEE 802.1X authenticated session during
the AAA process. You can specify that one of the authorization attributes returned during
authentication is a named security ACL. The switch maps the named ACL automatically to
the user’s authenticated session.
Security ACLs can also be mapped statically to ports, VLANs, virtual ports, or Distributed
APs. User-based ACLs are processed before these ACLs, because they are more specific
and closer to the network edge.
Mapping User-Based Security ACLs
When you configure administrator or user authentication, you can set a Filter-Id authorization
attribute at the RADIUS server or in the switch's local database. The Filter-Id attribute is a
security ACL name with the direction of the packets appended, for example acl-name.in or
acl-name.out. The security ACL mapped by Filter-Id instructs the switch to use its local
definition of the ACL, including the flow direction, to filter packets for the authenticated user.
Note: The Filter-Id attribute is more often received by the DWS-1008 switch through an
external AAA RADIUS server than applied through the local database.
To map a security ACL to a user session, follow these steps:
1. Create the security ACL. For example, to filter packets coming from 192.168.253.1
and going to 192.168.253.12, type the following command (the destination address in
the command matches the one named in this sentence):
DWS-1008# set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0 192.168.253.12 0.0.0.0 hits
2. Commit the security ACL to the running configuration. For example, to commit
acl-222, type the following command:
DWS-1008# commit security acl acl-222
success: change accepted.
3. Apply the Filter-Id authentication attribute to a user's session via an external
RADIUS server. For instructions, see the documentation for your RADIUS server.
Note: If the Filter-Id value returned through the authentication and authorization
process does not match the name of a committed security ACL in the DWS-1008
switch, the user fails authorization and cannot be authenticated.
4. Alternatively, authenticate the user with the Filter-Id attribute in the switch's local
database. Use one of the following commands. Specify .in for incoming packets or
.out for outgoing packets.
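The note under step 3 is the usual failure mode in practice: a RADIUS profile returns a Filter-Id that names an ACL that was never created or never committed, and the user is rejected. The following is an added audit script, not part of the manual or of D-Link's software; it assumes you have exported the Filter-Id values configured for each user and the list of committed ACL names (both constructed here), and checks the acl-name.in / acl-name.out format and the commit requirement before users hit the switch.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not from the manual): the ACL names that have been
# committed on the switch (step 2) and the Filter-Id each user's RADIUS or
# local-database profile would return (steps 3 and 4).
COMMITTED_ACLS = {"acl-222", "acl-guest"}
USER_FILTER_IDS = {
    "alice": "acl-222.in",       # valid, inbound
    "bob": "acl-222.out",        # valid, outbound
    "carol": "acl-999.in",       # ACL never created or committed
    "dave": "acl-guest",         # direction suffix missing
    "erin": "acl-222.inbound",   # suffix is not .in or .out
}

# A Filter-Id is <acl-name>.in or <acl-name>.out; the name part may itself
# contain dots, so the last ".in"/".out" is what carries the direction.
FILTER_ID_RE = re.compile(r"^(?P<name>\S+)\.(?P<dir>in|out)$")


@dataclass
class FilterIdCheck:
    user: str
    filter_id: str
    ok: bool
    reason: str


def parse_filter_id(value):
    """Return (acl_name, direction) or None when the value is malformed."""
    m = FILTER_ID_RE.match(value)
    return None if m is None else (m.group("name"), m.group("dir"))


def check_filter_id(user, value, committed):
    parsed = parse_filter_id(value)
    if parsed is None:
        return FilterIdCheck(user, value, False, "malformed: expected <acl-name>.in or <acl-name>.out")
    name, direction = parsed
    if name not in committed:
        # Per the manual's note, this user would fail authorization at the switch.
        return FilterIdCheck(user, value, False, f"ACL {name!r} is not committed on the switch")
    return FilterIdCheck(user, value, True, f"maps {name} to {direction}bound packets")


def audit(users, committed):
    """Check every user's Filter-Id; returns one FilterIdCheck per user."""
    return [check_filter_id(u, v, committed) for u, v in users.items()]


if __name__ == "__main__":
    for r in audit(USER_FILTER_IDS, COMMITTED_ACLS):
        print(f"{r.user:6} {r.filter_id:18} {'OK  ' if r.ok else 'FAIL'} {r.reason}")
```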