Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
Note: For information on syntax details for RADIUS-assigned ACLs, refer to the next section.
Figure 7-5. Example of Configuring the FreeRADIUS Server To Support ACLs for the Indicated Clients
Example Using HP VSA 63 To Assign IPv6 and/or IPv4 ACLs
The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard 
attribute (Nas-Filter-Rule) for ACL assignments that filter both IPv6 and IPv4 
traffic inbound from an authenticated client. For example, to use these 
attributes to configure a RADIUS-assigned ACL on a FreeRADIUS server that 
filters both IPv6 and IPv4 traffic, you would do the following: 
1. Enter the following in the FreeRADIUS dictionary.hp file:
• HP vendor-specific ID
• ACL VSA for IPv6 ACLs (63)
• HP-Nas-Rules-IPv6 VALUE setting to specify both IPv4 and IPv6 (1)
Figure 7-6. Example: Configuring the VSA for RADIUS-Assigned IPv6 and IPv4 ACLs in a FreeRADIUS Server
 
 
Figure 7-5 listing (entries in the FreeRADIUS users file):

mobilE011 Auth-Type := Local, User-Password == run10kFast
           Nas-FILTER-Rule = "permit in tcp from any to host 10.10.10.101 80",
           Nas-FILTER-Rule += "deny in tcp from any to any 80",
           Nas-FILTER-Rule += "permit in ip from any to any"
08E99C4F0019 Auth-Type := Local, User-Password == 08E99C4F0019
           Nas-FILTER-Rule = "permit in tcp from any to host 10.10.10.101 80",
           Nas-FILTER-Rule += "deny in tcp from any to any 80",
           Nas-FILTER-Rule += "permit in ip from any to any"

Callouts:
• mobilE011: Client’s Username (802.1X or Web Authentication)
• run10kFast: Client’s Password (802.1X or Web Authentication)
• 08E99C4F0019 (entry name): Client’s Username (MAC Authentication)
• 08E99C4F0019 (User-Password value): Client’s Password (MAC Authentication)
Note that when the client MAC address is used for authentication, it is used in both 
the username and password spaces in the entry.
Figure 7-6 listing (entries in the FreeRADIUS dictionary.hp file):

VENDOR          HP     11
BEGIN-VENDOR    HP
ATTRIBUTE       HP-Nas-Rules-IPv6 63 INTEGER
END-VENDOR      HP

Callouts:
• VENDOR HP 11: HP Vendor-Specific ID
• ATTRIBUTE HP-Nas-Rules-IPv6 63 INTEGER: VSA for RADIUS-Assigned IPv6 ACL option.
Note: If you were also using the RADIUS server to administer 802.1p (CoS) priority and/or Rate-Limiting, you 
would also insert the ATTRIBUTE entries for these functions above the END-VENDOR entry.
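
The effect of the three ACEs listed for both clients in Figure 7-5 can be checked before they are deployed. The following Python sketch is an added example, not part of the HP guide or of FreeRADIUS. It covers IPv4 destinations only and assumes the port is written inside the rule string, a simplified ACE grammar, sequential first-match evaluation and an implicit deny at the end of the list; parse_ace and evaluate are hypothetical helper names.

```python
import ipaddress
import re

# Rules as listed in Figure 7-5, with the port inside the rule string (assumption).
FIGURE_7_5_RULES = [
    "permit in tcp from any to host 10.10.10.101 80",
    "deny in tcp from any to any 80",
    "permit in ip from any to any",
]

# Simplified ACE grammar (assumption): action, "in", protocol,
# "from any to", destination, optional single destination port.
ACE_RE = re.compile(
    r"^(permit|deny) in (ip|tcp|udp) from any to (any|host \S+|\S+/\d+)(?: (\d+))?$"
)

def parse_ace(rule):
    """Split one Nas-filter-Rule string into (action, proto, network, port)."""
    m = ACE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable ACE: {rule!r}")
    action, proto, dest, port = m.groups()
    if port and proto == "ip":
        raise ValueError(f"port given without tcp/udp: {rule!r}")
    # "host a.b.c.d" becomes a /32 network; "any" matches every destination.
    net = None if dest == "any" else ipaddress.ip_network(dest.split()[-1], strict=False)
    return action, proto, net, int(port) if port else None

def evaluate(rules, proto, dst_ip, dst_port=None):
    """Return (action, matching rule) for one inbound packet; first match wins."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        action, r_proto, net, port = parse_ace(rule)
        if r_proto not in ("ip", proto):
            continue  # protocol does not match this ACE
        if net is not None and dst not in net:
            continue  # destination does not match this ACE
        if port is not None and port != dst_port:
            continue  # destination port does not match this ACE
        return action, rule
    return "deny", "<implicit deny>"  # assumption: list ends in an implicit deny

if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination IP, destination port)
    for pkt in [("tcp", "10.10.10.101", 80), ("tcp", "10.10.10.50", 80),
                ("udp", "10.10.10.50", 53)]:
        print(pkt, "->", evaluate(FIGURE_7_5_RULES, *pkt))
```

Dropping the final permit ACE from the list makes every packet that is not HTTP to 10.10.10.101 fall through to the assumed implicit deny.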