
HP J8697A User Manual

HP J8697A
778 pages
7-22
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
Effect of Other, Statically Configured ACLs: Suppose that port B1 belongs to VLAN “Y” and has a RADIUS-assigned ACL to filter inbound traffic from an authenticated client. Port B1 is also configured with IPv4 and IPv6 static port ACLs, and VLAN “Y” is statically configured with IPv4 and IPv6 VACLs.

IP traffic entering the switch on port B1 from the client and having a match with a deny ACE configured in any of the ACLs mentioned above will be dropped.

If an inbound RACL was also configured on VLAN “Y”, then a deny match in the RACL would apply to any inbound, routed IPv4 traffic from the client (and to any inbound, switched traffic having a destination on the switch itself).

If an outbound RACL was also configured on VLAN “Y”, then any outbound, routed IPv4 traffic leaving the switch through the port B1 would be filtered by the outbound RACL.

Effect of RADIUS-Assigned ACLs on Inbound Traffic for Multiple Clients on the Same Port: On a port configured for 802.1X user-based access where multiple clients are connected, if a given client’s authentication results in a RADIUS-assigned ACL, then the authentication of any other client concurrently using the port must also include a RADIUS-assigned ACL. Thus, if a RADIUS server is configured to assign a RADIUS-assigned ACL when client “X” authenticates, but is not configured to do the same for client “Y” on the same port, then traffic from client “Y” will be blocked whenever client “X” is authenticated on the port (and client “Y” will be deauthenticated).

For this reason, if multiple clients are authenticated on a port, a separate RADIUS-assigned ACL (or a separate assignment instance of the same ACL) must be applied for each authenticated client. Inbound IP traffic from any client whose authentication does not result in a RADIUS-assigned ACL will be blocked and the client will be deauthenticated. Also, if 802.1X port-based access is configured on the port, only one client can be authenticated on the port at any given time. In this case, no other inbound client traffic is allowed. For more on this topic, refer to “Static Port ACL and RADIUS-Assigned ACL Applications” on page 10-16, and “Multiple ACLs on an Interface” on page 10-19.
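
The multiple-client rule above can be checked against a planned RADIUS policy before deployment. The following Python sketch is an added example, not part of the HP manual or any HP tool: the session tuples, ACL names, and the `audit` function are constructed for illustration, and the listed order on a port is assumed to be the order in which clients authenticate.

```python
from collections import defaultdict

# Constructed sample data: (port, 802.1X mode, client, ACL returned by RADIUS or None)
SESSIONS = [
    ("B1", "user-based", "X", "acl-staff"),
    ("B1", "user-based", "Y", None),         # mixed with X on the same port
    ("B2", "user-based", "P", "acl-staff"),
    ("B2", "user-based", "Q", "acl-staff"),  # separate assignment instance of the same ACL
    ("B3", "user-based", "R", None),
    ("B3", "user-based", "S", None),         # no client on the port has an ACL
    ("B4", "port-based", "T", "acl-guest"),
    ("B4", "port-based", "U", "acl-guest"),  # second client on a port-based port
]

def audit(sessions):
    """Return {port: [(client, reason), ...]} for clients the rules above would block."""
    by_port = defaultdict(list)
    for port, mode, client, acl in sessions:
        by_port[port].append((mode, client, acl))

    findings = {}
    for port, entries in by_port.items():
        mode = entries[0][0]
        problems = []
        if mode == "port-based":
            # Only one client can be authenticated at a time; no other
            # inbound client traffic is allowed.
            for _, client, _ in entries[1:]:
                problems.append((client, "port-based access: another client is already authenticated"))
        elif any(acl for _, _, acl in entries):
            # Once any client on the port has a RADIUS-assigned ACL, every
            # concurrently authenticated client needs one too.
            for _, client, acl in entries:
                if not acl:
                    problems.append((client, "no RADIUS-assigned ACL: blocked and deauthenticated"))
        if problems:
            findings[port] = problems
    return findings

if __name__ == "__main__":
    for port, problems in sorted(audit(SESSIONS).items()):
        for client, reason in problems:
            print(f"port {port} client {client}: {reason}")
```
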
