7-20
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
The Packet-filtering Process
Packet filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit “deny any any” following the last explicit ACE. This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration.
Note
If a RADIUS-assigned ACL permits an authenticated client’s inbound IP packet, but the client port is also configured with a static port ACL and/or belongs to a VLAN for which there is an inbound, VLAN-based ACL configured on the switch, then the packet will also be filtered by these other ACLs. If there is a match with a deny ACE in any of these ACLs, the switch drops the packet.
Caution
ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
Operating Rules for RADIUS-Assigned ACLs
■ Relating a Client to a RADIUS-Assigned ACL: A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. If the client must authenticate using 802.1X and/or Web Authentication, the username/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set. For more on this topic, refer to “Configuring an ACL in a RADIUS Server” on page 7-22.
■ Multiple Clients Using the Same Username/Password Pair: Multiple clients using the same username/password pair will use duplicate instances of the same ACL.
■ Limits for ACEs in RADIUS-Assigned ACLs: The switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related client authentication to fail.
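The two rules above that matter most in practice are the sequential first-match evaluation ending in an implicit deny, and the fact that a packet permitted by the RADIUS-assigned ACL can still be dropped by a static port ACL or a VLAN ACL on the same path. The following Python simulator is an added example and is not code from the HP guide or from the switch; its ACE syntax (`permit|deny PROTO SRC DST [PORT]`), the `Packet` and `ACE` types, and the sample ACLs are all constructed for illustration and are not the switch's own ACE or RADIUS attribute format. It also applies the guide's 80-character ACE limit when parsing, so an over-long entry is rejected the way the switch would fail the client's authentication.

```python
# Added example (not from the HP Access Security Guide): a small simulator of the
# packet-filtering rules the text describes. The ACE syntax used here is an
# assumed, simplified form: "permit|deny PROTO SRC DST [DPORT]".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MAX_ACE_CHARS = 80  # the guide's limit: a single ACE may not exceed 80 characters


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any IP protocol
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not _addr_in(pkt.src, self.src) or not _addr_in(pkt.dst, self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def _addr_in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_within_limit(text: str) -> bool:
    """True if the ACE text respects the 80-character limit from the guide."""
    return len(text) <= MAX_ACE_CHARS


def parse_ace(text: str) -> ACE:
    """Parse one ACE in the simplified syntax assumed by this example.

    Raises ValueError for an over-long ACE, mirroring the guide's statement that
    exceeding the limit makes the related client authentication fail.
    """
    if not ace_within_limit(text):
        raise ValueError(f"ACE exceeds {MAX_ACE_CHARS} characters; client authentication would fail")
    parts = text.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"malformed ACE: {text!r}")
    dport = int(parts[4]) if len(parts) == 5 else None
    return ACE(parts[0], parts[1], parts[2], parts[3], dport)


def evaluate_acl(aces: List[ACE], pkt: Packet) -> str:
    """Sequential first-match evaluation, falling through to the implicit deny any any."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def filter_packet(pkt: Packet, applied_acls: Dict[str, List[ACE]]) -> str:
    """Forward only if every ACL on the path permits the packet.

    applied_acls maps a label ("radius", "port", "vlan") to its ACE list; a deny
    match in any of them drops the packet, as the guide's note states.
    """
    for label, aces in applied_acls.items():
        if evaluate_acl(aces, pkt) == "deny":
            return f"drop ({label})"
    return "forward"


# Constructed sample: a RADIUS-assigned ACL that permits web and telnet to a server,
# a static port ACL that blocks telnet everywhere, and a VLAN ACL that denies one
# subnet from reaching another. All addresses are made up for this example.
RADIUS_ACL = [parse_ace(line) for line in (
    "permit tcp any any 80",
    "permit tcp any 10.10.10.5/32 443",
    "permit tcp any 10.10.10.5/32 23",
)]
PORT_ACL = [parse_ace("deny tcp any any 23"), parse_ace("permit ip any any")]
VLAN_ACL = [parse_ace("deny ip 10.10.10.0/24 10.20.0.0/16"), parse_ace("permit ip any any")]
APPLIED = {"radius": RADIUS_ACL, "port": PORT_ACL, "vlan": VLAN_ACL}


def demo() -> Tuple[str, str, str, str]:
    client = "10.10.10.20"
    web = Packet("tcp", client, "10.10.10.5", 80)      # permitted everywhere
    ssh = Packet("tcp", client, "10.10.10.5", 22)      # RADIUS ACL: implicit deny
    telnet = Packet("tcp", client, "10.10.10.5", 23)   # RADIUS permits, port ACL denies
    cross = Packet("tcp", client, "10.20.1.1", 80)     # RADIUS permits, VLAN ACL denies
    return tuple(filter_packet(p, APPLIED) for p in (web, ssh, telnet, cross))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the three ACLs in `APPLIED` does not change the outcome, only which label is reported, because a single deny from any of them is final. Verifying ACE length before the RADIUS server sends the attribute is the practical takeaway: an entry over the limit does not produce a partial ACL, it makes the client's authentication fail outright.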
HP Switch Software, E3800 switches, Software version KA.15.03, September 2011, Access Security Guide