HP 2530 - Page 50

HP 2530
111 pages
1. Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file:

Figure 11 Example of configuring the VSA for RADIUS-assigned IPv4 ACLs in a FreeRADIUS server

2. Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", enter the following in the server's clients.conf file:

Figure 12 Example of switch identity information for a FreeRADIUS application

3. For a given client username/password pair, create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS "users" file. Remember that the ACL created to filter IPv4 traffic automatically includes an implicit "deny in ip from any to any" ACE (for IPv4). For example, to create ACL support for a client with a username of "User-10" and a password of "auth7X", the ACL in this example must achieve the following:

• Permit HTTP (TCP port 80) traffic from the client to the device at 10.10.10.117.
• Deny HTTP (TCP port 80) traffic from the client to all other IPv4 addresses.
• Deny Telnet (TCP port 23) traffic from the client to any IPv4 address.
• Permit all other IPv4 traffic from the client to all other devices.

To configure the above ACL, enter the username/password and ACE information shown in Figure 13 (page 50) into the FreeRADIUS "users" file.

Figure 13 Example of configuring a FreeRADIUS server to filter IPv4 traffic for a client with the correct credentials
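
The following Python sketch is an added example, not part of the HP guide and not the content of Figure 13. It checks the four requirements in step 3 by evaluating ACEs in order, first match deciding, with the implicit deny appended. The four ACE strings are constructed from the requirements, and the parser assumes only the "from any to <destination> [port]" form used in this example.

```python
import ipaddress

# Constructed from the four requirements in step 3; not a copy of Figure 13.
USER_10_ACES = [
    "permit in tcp from any to 10.10.10.117 80",
    "deny in tcp from any to any 80",
    "deny in tcp from any to any 23",
    "permit in ip from any to any",
]
IMPLICIT_DENY = "deny in ip from any to any"  # added automatically to every IPv4 ACL


def parse_ace(text):
    """Parse '<permit|deny> in <ip|tcp|udp> from any to <dest> [port]'."""
    tok = text.split()
    ok = (len(tok) in (7, 8) and tok[0] in ("permit", "deny") and tok[1] == "in"
          and tok[2] in ("ip", "tcp", "udp") and tok[3:6] == ["from", "any", "to"])
    if not ok or (len(tok) == 8 and tok[2] == "ip"):
        raise ValueError(f"unsupported ACE: {text!r}")
    dest = None if tok[6] == "any" else ipaddress.ip_network(tok[6], strict=False)
    port = int(tok[7]) if len(tok) == 8 else None
    return {"action": tok[0], "proto": tok[2], "dest": dest, "port": port, "text": text}


def matches(ace, proto, dst_ip, dst_port):
    """True when the packet's protocol, destination and port all fit the ACE."""
    if ace["proto"] not in ("ip", proto):
        return False
    if ace["dest"] is not None and ipaddress.ip_address(dst_ip) not in ace["dest"]:
        return False
    return ace["port"] is None or ace["port"] == dst_port


def evaluate(aces, proto, dst_ip, dst_port=None):
    """Return (action, deciding ACE); ACEs are tried in order, first match wins."""
    for ace in map(parse_ace, list(aces) + [IMPLICIT_DENY]):
        if matches(ace, proto, dst_ip, dst_port):
            return ace["action"], ace["text"]
    raise RuntimeError("unreachable: the implicit deny matches every IPv4 packet")


if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination IP, destination port).
    for pkt in [("tcp", "10.10.10.117", 80), ("tcp", "10.10.10.50", 80),
                ("tcp", "10.10.10.117", 23), ("udp", "10.10.10.9", 53)]:
        print(pkt, "->", evaluate(USER_10_ACES, *pkt))
```

Dropping the final "permit in ip from any to any" ACE, or placing the port-80 deny ahead of the 10.10.10.117 permit, changes the outcome, which is why the order of the entries and the explicit final permit both matter.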
50 Updates for the HP Switch Software Access Security Guide