
HP E3800-24G-PoE+-2SFP+

7-25
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
ACE Syntax in RADIUS Servers
This section describes ACE syntax configuration options in a RADIUS server.
ACE Syntax (Standard Attribute-92):
Nas-filter-Rule="< permit | deny > in < ip | ip-protocol-value > from any to < any | host < ip-addr > | ipv4-addr/mask | IPv6-address/prefix > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [ cnt ]"

IPv6 VSA for Standard Attribute:
[ HP-Nas-Rules-IPv6=< 1 | 2 > ]
(For an example of how to apply this VSA, refer to figure 7-8 on page 7-31.)

ACE Syntax (Legacy VSA-61):
HP-Nas-filter-Rule="< permit | deny > in < ip | ip-protocol-value > from any to < any | host < ip-addr > | ipv4-addr/mask > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [ cnt ]"

Nas-filter-Rule = : Standard attribute for filtering inbound IPv4 traffic from an authenticated
client. When used without the HP VSA option (below) for filtering inbound IPv6 traffic
from the client, it drops the IPv6 traffic. Refer also to table 7-7, “Nas-Filter-Rule Attribute
Options” on page 7-23.
[ HP-Nas-Rules-IPv6=< 1 | 2 >]: HP VSA used in an ACL intended to filter IPv6 traffic. Settings
include:
1: ACE filters both IPv4 and IPv6 traffic.
2: ACE filters IPv4 traffic and drops IPv6 traffic.
VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.
This VSA must be present in an ACL where the Nas-filter-Rule= attribute is intended to
filter inbound IPv6 traffic from an authenticated client. Refer also to table 7-7,
“Nas-Filter-Rule Attribute Options” on page 7-23.
HP-Nas-filter-Rule = : Legacy HP VSA for filtering inbound IPv4 traffic only from an
authenticated client. Drops inbound IPv6 traffic from the client. Refer also to table 7-7,
“Nas-Filter-Rule Attribute Options” on page 7-23.
" . . . ": Must be used to enclose and identify a complete permit or deny ACE syntax
statement. For example: Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"
< permit | deny >: Specifies whether to forward or drop the identified IP traffic type from the
authenticated client. (For information on explicitly permitting or denying all inbound IP
traffic from an authenticated client, or for implicitly denying all such IP traffic not already
permitted or denied, refer to “Configuration Notes” on page 7-34.)
in: Required keyword specifying that the ACL applies only to the traffic inbound from the
authenticated client.
< ip | ip-protocol-value >: Options for specifying the type of traffic to filter.
ip: Applies the ACE to all IP traffic from the authenticated client.
ip-protocol-value: This option applies the ACE to the type of IP traffic specified by either
a protocol number or by tcp, udp, icmp, or (for IPv4-only) igmp. The range of protocol
numbers is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing,
refer to “Protocol Registries” on the Web site of the Internet Assigned Numbers
Authority at www.iana.com.) Some examples of protocol numbers include:
1 = ICMP
2 = IGMP (IPv4 only)
6 = TCP
17 = UDP
41 = IPv6
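
The following lint for the ACE strings of one RADIUS reply is an added example, not code from the HP manual. It checks each ACE against the syntax above and flags IPv6 ACEs that cannot take effect because HP-Nas-Rules-IPv6=1 is absent or the legacy VSA is used. The names parse_ace and lint_reply are hypothetical, the "low-high" port-range notation is an assumption, and 2001:db8::/32 is the documentation prefix.

```python
import ipaddress
import re

# Grammar from the syntax lines above. Assumption: a port range is written
# "low-high"; this page does not show the range notation.
ACE_RE = re.compile(r"^(permit|deny) in (\S+) from any to "
                    r"(any|host \S+|\S+/\S+)(?: (\d+(?:-\d+)?))?( cnt)?$")
NAMED = {"ip", "tcp", "udp", "icmp", "igmp"}
# Constructed sample reply: no HP-Nas-Rules-IPv6 VSA, so the IPv6 ACE is flagged.
SAMPLE = [("Nas-filter-Rule", "deny in tcp from any to 0.0.0.0/0 23"),
          ("Nas-filter-Rule", "permit in tcp from any to 2001:db8::/32 80")]


def parse_ace(ace):
    """Validate the text between the quotes of one ACE and return its fields."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError("does not match the ACE syntax: " + ace)
    action, proto, dest, port_or_type, cnt = m.groups()
    if proto not in NAMED and not (proto.isdigit() and int(proto) <= 255):
        raise ValueError("protocol must be a keyword or 0-255: " + proto)
    version = None  # "any" names no address family
    if dest != "any":
        # ip_network raises ValueError on a malformed address, mask or prefix
        version = ipaddress.ip_network(dest.split()[-1], strict=False).version
    return {"action": action, "proto": proto, "dest": dest,
            "dest_version": version, "port_or_type": port_or_type,
            "count": cnt is not None}


def lint_reply(pairs):
    """Return (IPv6 handling for the Nas-filter-Rule ACEs, list of findings)."""
    vsa = [v for k, v in pairs if k == "HP-Nas-Rules-IPv6"]
    ipv6 = "filtered" if vsa and vsa[-1] == "1" else "dropped"
    findings = []
    for attr, value in pairs:
        if attr not in ("Nas-filter-Rule", "HP-Nas-filter-Rule"):
            continue
        try:
            ace = parse_ace(value)
        except ValueError as exc:
            findings.append(f"{attr}: {exc}")
            continue
        if ace["dest_version"] == 6 and attr == "HP-Nas-filter-Rule":
            findings.append(f"{attr}: legacy VSA takes no IPv6 destination")
        elif ace["dest_version"] == 6 and ipv6 == "dropped":
            findings.append(f"{attr}: IPv6 ACE has no effect; IPv6 traffic is "
                            "dropped unless HP-Nas-Rules-IPv6=1")
    return ipv6, findings
```

Running lint_reply(SAMPLE) reports the second ACE, because without the VSA the switch drops the client's IPv6 traffic before that permit could apply.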
