Table 10 Nas-Filter-Rule Attribute Options (continued)
Control method and operating notesService
HP vendor-specific ID: 11
VSA: 61 (string=HP-Nas-Filter-Rule)
Setting: HP-Nas-filter-Rule="< permit or deny ACE > "
Note: An ACL applying this VSA to inbound traffic from an authenticated client
drops any IPv6 traffic from the client.
ACE syntax in RADIUS servers
Nas-filter-Rule ="
<permit | permit>
in
<ip | ip-protocol-value>
from
any to
<any | host | <ip-addr> | ipv4-addr/mask | IPv6-address/prefix>
[ <tcp/udp-port | tcp/udp-port range> ] [cnt]
"
ACE syntax
(Standard
Attribute-92)
[ HP-Nas-Rules-IPv6= | <1 | 2> ]IPv6 VSA for
Standard
Attribute
For an example of applying this VSA, see “Example of configuring a FreeRADIUS server to filter
IPv4 and IPv6 traffic for a client using the correct username and password credentials” (page 49).
Nas-filter-Rule ="
<permit | permit>
in
<ip | ip-protocol-value>
from
any to
<any | host | <ip-addr> | ipv4-addr/mask | IPv6-address/prefix>
[ <tcp/udp-port | tcp/udp-port range> ]
[cnt]"
ACE syntax
(legacy VSA-61)
Nas-filter-Rule=
Standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without
the HP VSA option (below) to filter inbound IPv6 traffic from the client, drops the IPv6 traffic. See
also “Nas-Filter-Rule Attribute Options” (page 42).
[ HP-Nas-Rules-IPv6= | <1 | 2> ]
HP VSA used in an ACL to filter IPv6 traffic. Settings include:
• 1: ACE filters both IPv4 and IPv6 traffic.
• 2: ACE filters IPv4 traffic and drops IPv6 traffic.
• VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.
This VSA must be present in an ACL where the Nas-filter-Rule = attribute is intended
to filter inbound IPv6 traffic from an authenticated client.
See “Nas-Filter-Rule Attribute Options” (page 42).
HP-Nas-filter-Rule =
Legacy HP VSA for filtering inbound IPv4 traffic only from an authenticated client. Drops inbound
IPv6 traffic from the client. See “Nas-Filter-Rule Attribute Options” (page 42).
". . . "
Must be used to enclose and identify a complete permit or deny ACE syntax statement. For example:
Nas-filter-Rule ="deny in tcp from any to 0.0.0.0/0 23"
< permit | deny >
Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For
information on explicitly permitting or denying all inbound IP traffic from an authenticated client,
or for implicitly denying all such IP traffic not already permitted or denied, see “Configuration notes”
(page 51).)
in
Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated
client.
<ip | ip-protocol-value>
44 Updates for the HP Switch Software Access Security Guide
To Next Page
Loading...
Need help?
General
