8-37
Special Features
Identity Driven Management
IDM ACL
RADIUS-assigned ACLs provide Layer-3 filtering of inbound IP traffic from
authenticated stations. Each ACL is identified by a unique username/password
pair or station MAC address and applies only to traffic from stations
authenticated with those same credentials. Implementing this feature requires:
■ RADIUS authentication using 802.1X or station MAC authentication.
■ Configuring RADIUS-assigned ACLs, each ACL assigned the username/password
pair or MAC address of the stations it applies to.
Using RADIUS ACLs benefits the access point because it improves system
performance and provides a simpler filtering method, applied at the network
edge, than VLAN ACLs, which filter at the network core.
Configuring an ACL in a RADIUS Server
This section provides general guidelines for configuring a RADIUS server to
specify RADIUS-based ACLs; refer to the RADIUS server documentation for
details. A RADIUS-based ACL configuration has the following:
■ Vendor and ACL identifiers:
• ProCurve (HP) Vendor-Specific ID: 11
• Vendor-Specific Attribute for ACLs: 61 (string = HP-IP-FILTER-RAW)
• Setting: HP-IP-FILTER-RAW = < “permit” or “deny” Access Control Entry (ACE) >
Note: “Permit” forwards matching inbound packets; “deny” drops them.
■ ACL configuration, including:
• One or more explicit “permit” and/or “deny” ACEs created by the system
operator
• An implicit “deny any” ACE that is automatically active after the last
operator-created ACE, so traffic matching no explicit ACE is dropped.
IDM Rate Limiting
This IDM feature restricts the rate of a user's inbound traffic. The limit is
specified in Kbps and is sent in the RADIUS Access-Accept message using a
Vendor-Specific Attribute as follows:
• ProCurve (HP) Vendor-Specific ID: 11
• VSA: 46 (integer = HP-RATE-LIMIT)
• Setting: HP-RATE-LIMIT = < bandwidth-in-Kbps >
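The following added example (not part of this manual or any HP software) shows how the two VSAs described above, HP-IP-FILTER-RAW (61) and HP-RATE-LIMIT (46) under vendor ID 11, are packed into RFC 2865 Vendor-Specific attributes, decoded back out of an Access-Accept, and how the ACE list is evaluated first-match with the implicit deny. The ACE grammar used here ("<permit|deny> <src-net|any> <dst-net|any>") is an assumption for illustration; the real HP-IP-FILTER-RAW syntax comes from the RADIUS server documentation.

```python
import struct
from ipaddress import ip_address, ip_network

HP_VENDOR_ID = 11             # ProCurve (HP) Vendor-Specific ID (from the manual)
HP_IP_FILTER_RAW = 61         # string VSA carrying one ACE
HP_RATE_LIMIT = 46            # integer VSA, inbound bandwidth in Kbps
RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific

def encode_vsa(vendor_type, data):
    """Build one RFC 2865 Vendor-Specific attribute for vendor 11."""
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data   # vendor-type, vendor-length, data
    body = struct.pack("!I", HP_VENDOR_ID) + sub                   # 4-byte Vendor-Id prefix
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_accept_attrs(aces, rate_kbps):
    """Attributes a RADIUS server would place in Access-Accept: one VSA per ACE plus the rate limit."""
    attrs = b"".join(encode_vsa(HP_IP_FILTER_RAW, ace.encode()) for ace in aces)
    return attrs + encode_vsa(HP_RATE_LIMIT, struct.pack("!I", rate_kbps))

def decode_hp_vsas(attrs):
    """Walk a RADIUS attribute list; return (aces, rate_kbps). Non-HP attributes are skipped."""
    aces, rate, i = [], None, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and struct.unpack("!I", attrs[i + 2:i + 6])[0] == HP_VENDOR_ID:
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            vdata = attrs[i + 8:i + 6 + vlen]
            if vtype == HP_IP_FILTER_RAW:
                aces.append(vdata.decode())
            elif vtype == HP_RATE_LIMIT:
                rate = struct.unpack("!I", vdata)[0]
        i += alen
    return aces, rate

def permitted(aces, src, dst):
    """First matching ACE decides; the implicit 'deny any' after the last ACE drops everything else.
    ACE grammar is an assumption: '<permit|deny> <src-net|any> <dst-net|any>'."""
    for ace in aces:
        action, s, d = ace.split()
        src_ok = s == "any" or ip_address(src) in ip_network(s, strict=False)
        dst_ok = d == "any" or ip_address(dst) in ip_network(d, strict=False)
        if src_ok and dst_ok:
            return action == "permit"
    return False  # implicit deny

# Constructed sample: a user blocked from the 10.0.0.0/8 range, allowed elsewhere, limited to 2048 Kbps
SAMPLE_ACES = ["deny any 10.0.0.0/8", "permit any any"]
SAMPLE_ATTRS = build_accept_attrs(SAMPLE_ACES, 2048)
```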