Configuring an ACL in a RADIUS server
This section provides guidelines for configuring a RADIUS server to specify RADIUS-assigned ACLs,
and includes a sample configuration for a FreeRADIUS server application. However, to configure
support for these services on a specific RADIUS server application, please see the documentation
provided with the application.
NOTE: This application requires a RADIUS server with an IPv4 address. Clients can be dual-stack,
IPv4-only or IPv6-only.
A RADIUS-assigned ACL configuration in a RADIUS server includes the following elements:
• Nas-Filter-Rule attributes — standard and vendor-specific
• ACL configuration, entered in the server, and associated with specific username/password
or MAC address criteria, and comprised of ACEs entered in the server
A RADIUS-assigned ACL includes:
• One or more explicit permit or deny ACEs
• An implicit "deny in ip from any to any" ACE that the switch automatically applies after the last
operator-created ACE, so any client traffic not explicitly permitted is dropped
Nas-Filter-Rule-Options
Table 10 Nas-Filter-Rule Attribute Options

Service: ACLs Applied to Client Traffic Inbound to the Switch
Attribute: Standard Attribute 92 (Nas-filter-Rule)
Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client
authenticated on a switch port.
Control method and operating notes:
The preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 and
IPv6 traffic.
Entry for IPv4-only ACE to filter client traffic:
Nas-filter-Rule="<permit or deny ACE>" (Standard Attribute 92)
For example:
Nas-filter-Rule="permit in tcp from any to any"
Entries for IPv4/IPv6 ACE to filter client traffic:
HP-Nas-Rules-IPv6=<1 | 2> (VSA, where 1 = IPv4 and IPv6 traffic, and 2 = IPv4-only traffic)
Nas-filter-Rule="<permit or deny ACE>" (Standard Attribute 92)
For example:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any"
Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client
is dropped.

Service: Set IP Mode
Attribute: HP-Nas-Rules-IPv6, Vendor-Specific Attribute 63 (HP vendor-specific ID: 11)
Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering
capability in an ACE.
Control method and operating notes:
When using Standard Attribute 92 described above in a RADIUS-assigned ACL to support both IPv4
and IPv6 traffic inbound from an authenticated client, one instance of this VSA must be included
in the ACL. This attribute supports either of the following IP modes for Nas-filter-Rule ACEs:
• both IPv6 and IPv4 traffic (value 1)
• only IPv4 traffic (value 2)
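The following Python script is an added worked example, not code from HP or from any RADIUS server application. It builds the attribute set described in Table 10 (Standard Attribute 92 plus the HP-Nas-Rules-IPv6 VSA), encodes it on the wire the way RFC 2865 lays out attributes and vendor-specific attributes (Type, Length, Vendor-Id, Vendor-Type, Vendor-Length), decodes it back, and then interprets the result the way the table says the switch does: the implicit "deny in ip from any to any" is appended after the last ACE, and IPv6 traffic is dropped unless the VSA is present with value 1. Two assumptions are made and labelled in the code: one ACE per Nas-filter-Rule attribute instance (rather than the NUL-joined form RFC 4849 also allows), and the VSA value carried as a 4-byte integer.

```python
import struct

# Attribute numbers from the page (92 and 63) and from RFC 2865 (26).
NAS_FILTER_RULE = 92      # Standard Attribute 92, Nas-filter-Rule
VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific
HP_VENDOR_ID = 11         # HP vendor-specific ID
HP_NAS_RULES_IPV6 = 63    # HP VSA "Set IP Mode"
IPV6_MODE_DUAL, IPV6_MODE_V4ONLY = 1, 2
IMPLICIT_DENY = "deny in ip from any to any"   # appended by the switch after the last ACE


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type(1) Length(1) Value. Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_hp_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id=11, then Vendor-Type, Vendor-Length, value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", HP_VENDOR_ID) + inner)


def build_acl_attrs(aces, ipv6_mode=None) -> bytes:
    """Serialise a RADIUS-assigned ACL: optional HP-Nas-Rules-IPv6 VSA, then one
    Nas-filter-Rule attribute per ACE (assumption: one ACE per attribute instance)."""
    for ace in aces:
        if not ace.startswith(("permit in ", "deny in ")):
            raise ValueError("ACE must be of the form '<permit|deny> in ...': %r" % ace)
    out = b""
    if ipv6_mode is not None:
        # Assumption: the VSA value is a 4-byte big-endian integer (1 or 2).
        out += encode_hp_vsa(HP_NAS_RULES_IPV6, struct.pack("!I", ipv6_mode))
    for ace in aces:
        out += encode_avp(NAS_FILTER_RULE, ace.encode("ascii"))
    return out


def decode_attrs(data: bytes):
    """Walk the AVP list; HP VSAs come back as ('vsa', vendor_id, vendor_type, value)."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed AVP length")
        value = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed VSA length")
            attrs.append(("vsa", vendor_id, vtype, value[6:4 + vlen]))
        else:
            attrs.append((t, value))
        i += length
    return attrs


def effective_acl(attrs):
    """Interpret decoded attributes the way Table 10 describes the switch behaviour."""
    mode, aces = None, []
    for a in attrs:
        if a[0] == "vsa" and a[1] == HP_VENDOR_ID and a[2] == HP_NAS_RULES_IPV6:
            mode = struct.unpack("!I", a[3])[0]
        elif a[0] == NAS_FILTER_RULE:
            aces.append(a[1].decode("ascii"))
    ipv6_filtered = mode == IPV6_MODE_DUAL      # only mode 1 applies the ACEs to IPv6
    return {
        "aces": aces + [IMPLICIT_DENY],          # implicit deny always closes the list
        "ipv6_mode": mode,
        "ipv6_filtered": ipv6_filtered,
        "ipv6_dropped": not ipv6_filtered,       # mode 2 or VSA absent: IPv6 dropped
    }


if __name__ == "__main__":
    wire = build_acl_attrs(["permit in tcp from any to any"], ipv6_mode=IPV6_MODE_DUAL)
    print(wire.hex())
    print(effective_acl(decode_attrs(wire)))
    # Same ACL without the VSA: the client's IPv6 traffic is dropped.
    print(effective_acl(decode_attrs(build_acl_attrs(["permit in tcp from any to any"]))))
```

Running the script shows why the Set IP Mode row matters: the same Nas-filter-Rule entries yield a dual-stack ACL with the VSA set to 1 and an IPv4-only ACL (IPv6 silently dropped) without it, so a dual-stack client's IPv6 connectivity depends on that one attribute being present in the Access-Accept.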
Updates for the HP Switch Software Access Security Guide