IPv4 Access Control Lists (ACLs)
Overview
802.1X User-Based and Port-Based Applications.  User-Based 802.1X 
access control allows up to 32 individually authenticated clients on a given 
port. Port-Based access control does not set a client limit, and requires only 
one authenticated client to open a given port (and is recommended for 
applications where only one client at a time can connect to the port). 
■ If you configure 802.1X user-based security on a port and the RADIUS 
response includes a RADIUS-assigned ACL for at least one authenticated 
client, then the RADIUS response for all other clients authenticated 
on the port must also include a RADIUS-assigned ACL. 
Inbound IP traffic on the port from a client that authenticates without 
receiving a RADIUS-assigned ACL will be dropped and the client will 
be de-authenticated. 
■ If you use 802.1X port-based security on a port where the RADIUS 
response to an authenticating client includes a RADIUS-assigned ACL, 
different results can occur, depending on whether any additional 
clients attempt to use the port and whether these other clients initiate 
an authentication attempt. This option is recommended for applications 
where only one client at a time can connect to the port, and not 
recommended for instances where multiple clients may access the 
same port at the same time. For more information, refer to “802.1X 
Port-Based Access Control” in the chapter titled “Configuring 
Port-Based and User-Based Access Control (802.1X)” in the latest Access 
Security Guide for your switch.
Operating Notes.  
■ For RADIUS ACL applications, the switch operates in a dual-stack 
mode, and a RADIUS-assigned ACL can filter both IPv4 and IPv6 
traffic. At a minimum, a RADIUS-assigned ACL automatically 
includes the implicit deny for both IPv4 and IPv6 traffic. Thus, an ACL 
configured on a RADIUS server to filter IPv4 traffic will also deny 
inbound IPv6 traffic from an authenticated client unless the ACL 
includes ACEs that permit the desired IPv6 traffic. The reverse is true 
for a dynamic ACL configured on a RADIUS server to filter IPv6 traffic. 
(ACLs are based on the MAC address of the authenticating client.) 
Refer to chapter 7, “Configuring RADIUS Server Support for Switch 
Services”.
■ To support authentication of IPv6 clients:
• The VLAN to which the port belongs must be configured with an IPv6 
address.
• Connection to an IPv6-capable RADIUS server must be supported.
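
The rules above can be checked against a planned set of RADIUS client profiles before deployment. The following Python sketch is an added example, not code from this guide or from the switch software; the Client record, the (action, family) ACE pairs, the finding codes, and the sample MAC addresses are constructed for illustration and are not switch or RADIUS syntax.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_USER_BASED_CLIENTS = 32  # per-port client limit for user-based 802.1X

@dataclass
class Client:
    mac: str
    # ACEs as (action, family) pairs; None means RADIUS returned no ACL.
    acl: Optional[List[Tuple[str, str]]] = None

def audit_port(mode: str, clients: List[Client]) -> List[Tuple[str, str]]:
    """Return (mac, finding) pairs for one port; mac "*" is a port-wide finding."""
    findings = []
    any_acl = any(c.acl is not None for c in clients)
    if mode == "user-based":
        if len(clients) > MAX_USER_BASED_CLIENTS:
            findings.append(("*", "CLIENT_LIMIT"))
        if any_acl:
            # One client with a RADIUS-assigned ACL means every client needs
            # one; the rest have inbound IP dropped and are de-authenticated.
            findings += [(c.mac, "MISSING_ACL") for c in clients if c.acl is None]
    elif mode == "port-based" and any_acl and len(clients) > 1:
        # Results vary with multiple clients; not a recommended combination.
        findings.append(("*", "MULTI_CLIENT_PORT_BASED"))
    for c in clients:
        if c.acl is None:
            continue
        # Dual-stack: the implicit deny covers IPv4 and IPv6, so a family
        # with no permit ACE is denied entirely for this client.
        for family in ("ipv4", "ipv6"):
            if not any(a == "permit" and f == family for a, f in c.acl):
                findings.append((c.mac, family.upper() + "_DENIED"))
    return findings

# Constructed sample: three planned clients on one port.
SAMPLE = [
    Client("00:00:5e:00:53:01", [("permit", "ipv4"), ("deny", "ipv4")]),
    Client("00:00:5e:00:53:02", [("permit", "ipv4"), ("permit", "ipv6")]),
    Client("00:00:5e:00:53:03", None),
]

if __name__ == "__main__":
    for mac, finding in audit_port("user-based", SAMPLE):
        print(mac, finding)
```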