7-27
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
from any: Required keywords specifying the (authenticated) client source. (Note that a
RADIUS-assigned ACL assigned to a port filters only the inbound traffic having a source
MAC address that matches the MAC address of the client whose authentication invoked the
ACL assignment.)
to: Required destination keyword.
any:
• Specifies any IPv4 destination address if one of the following is true:
– the ACE uses the standard attribute (Nas-filter-Rule) and the IPv6 VSA (HP-Nas-
Rules-IPv6) is not
included the ACL. For example:
Nas-filter-Rule=”permit in tcp from any to any 23”
Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24”
Nas-filter-Rule+=”deny in ip from any to any”
– the ACE uses the standard attribute (Nas-filter-Rule)and the IPv6 VSA (HP-Nas-
Rules-IPv6) is
included in the ACL with an integer setting of 2. For example, all
of the following destinations are for IPv4 traffic:
HP-Nas-Rules-IPv6=2
Nas-filter-Rule=”permit in tcp from any to any 23”
Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24”
Nas-filter-Rule+=”deny in ip from any to any”
– the HP-Nas-Filter-Rule VSA is used instead of either of the above options. For
example, all of the following destinations are for IPv4 traffic:
HP-Nas-filter-Rule=”permit in tcp from any to any 23”
HP-Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24”
HP-Nas-filter-Rule+=”deny in ip from any to any”
• Specifies any IPv4 or IPv6 destination address if the ACL uses the HP-Nas-Rules-
IPv6 VSA with an integer setting of 1. (Refer to table 7-7 on page 7-24.) For example,
the any destinations in the following ACL apply to both IPv4 and IPv6 traffic:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule=”permit in tcp from any to any 23”
Nas-filter-Rule+=”permit in ip from any to 10.10.10.1/24”
Nas-filter-Rule+=”permit in ip from any to fe80::d1:1/120”
Nas-filter-Rule+=”deny in ip from any to any”
host < ipv4-addr >: Specifies a single destination IPv4 address.
< ipv4-addr /< mask >: Specifies a series of contiguous destination addresses or all
destination addresses in a subnet. The < mask > is CIDR notation for the number of
leftmost bits in a packet’s destination IPv4 address that must match the corre-
sponding bits in the destination IPv4 address listed in the ACE. For example, a
destination of 10.100.17.1/24 in the ACE means that a match occurs when an
inbound packet (of the designated IPv4 type) from the authenticated client has a
destination IPv4 address where the first three octets are 10.100.17. (The fourth octet
is a wildcard, and can be any value up to 255.)
To Next Page
Loading...
Need help?
General
