Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
3. Configure the ACLs on a RADIUS server accessible to the intended clients.
4. Configure the switch to use the desired RADIUS server and to support the
desired client authentication scheme. Options include 802.1X, Web
authentication, or MAC authentication. (Note that the switch supports the
option of simultaneously using 802.1X with either Web or MAC authenti-
cation.)
5. Test client access on the network to ensure that your RADIUS-assigned
ACL application is properly enforcing your policies.
For further information common to all ACL applications, refer to the following
sections in chapter 9, “IPv4 Access Control Lists (ACLs)”:
■ “Features Common to All ACL Applications” on page 9-16
■ “General Steps for Planning and Configuring ACLs” on page 9-18
■ “General Steps for Planning and Configuring ACLs” on page 9-18
The Packet-filtering Process
Packet-Filtering in an applied ACL is sequential, from the first ACE in the ACL
to the implicit “deny any” following the last explicit ACE. This operation is the
same regardless of whether the ACL is applied dynamically from a RADIUS
server or statically in the switch configuration. For details of this process,
refer to “IPv4 Static ACL Operation” in chapter 9, “IPv4 Access Control Lists
(ACLs)”.
Note If a RADIUS-assigned ACL permits an authenticated client’s inbound IP
packet, but the client port is also configured with a static port ACL, then the
packet will also be filtered by these other ACLs. If there is a match with a deny
ACE in any of these ACLs, the switch drops the packet.
Caution ACLs can enhance network security by blocking selected IP traffic, and can
serve as one aspect of maintaining network security. However, because ACLs
do not provide user or device authentication, or protection from malicious
manipulation of data carried in IP packet transmissions, they should not
be relied upon for a complete security solution.
6-16
To Next Page
Loading...
Need help?
General