Configuration notes
Explicitly permit IPv4 and IPv6 traffic from an authenticated client
This option for ending a RADIUS-assigned ACL permits all the client's inbound IPv4 and IPv6 traffic
not previously permitted or denied.
Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1
See Table 10 (page 42) for information on the above attributes.
Explicitly permit only the IPv4 traffic from an authenticated client
Any of the following three options for ending a RADIUS-assigned ACL explicitly permit all the
client's inbound IPv4 traffic not previously permitted or denied. These options also deny any of the
client's IPv6 traffic not previously permitted or denied.
• Nas-filter-Rule += permit in ip from any to any
(Using this attribute to permit IPv4 traffic from the client while denying any IPv6
traffic from the client assumes that HP-Nas-Rules-IPv6=1 does not exist
elsewhere in the ACL. See Table 10 (page 42) for more on HP-Nas-Rules-IPv6.)
• HP-Nas-Filter-Rule += permit in ip from any to any
• Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=2
Explicitly deny inbound traffic from an authenticated client
All the following methods for ending a RADIUS-assigned ACL explicitly deny all the client's inbound
IPv4 and IPv6 traffic not previously permitted or denied.
• Nas-filter-Rule += deny in ip from any to any
• HP-Nas-Filter-Rule += deny in ip from any to any
• Nas-filter-Rule += deny in ip from any to any HP-Nas-Rules-IPv6=2
Implicitly deny any IP traffic
For any packet filtered by a RADIUS-assigned ACL, there is always a match, as any packet without
a match with an explicit permit or deny ACE in the list will match with the implicit deny any any
ACE automatically included at the end of the ACL. (A RADIUS-assigned ACL includes an implicit
deny in ip from any to any ACE at the end of the ACL to deny any IPv4 and IPv6 traffic
not previously permitted or denied.)
Configuring the switch to support RADIUS-assigned ACLs
An ACL configured in a RADIUS server is identified by the authentication credentials of the client
or group of clients the ACL is designed to support. When a client authenticates with credentials
associated with a particular ACL, the switch applies that ACL to the switch port the client is using.
To enable the switch to forward a client's credentials to the RADIUS server, first configure RADIUS
operation and an authentication method on the switch as follows:
1. Configure RADIUS operation on the switch:
Syntax:
radius-server host <ipv4-address> key <key-string>
This command configures the IPv4 address and encryption key of a RADIUS server.
The server must be accessible to the switch and configured to support authentication
requests from clients using the switch to access the network.
Configuring RADIUS server support for switch services 51
To Next Page
Loading...
Need help?
General
