Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
Elements in a RADIUS-assigned ACL Configuration. A RADIUS-
assigned ACL configuration in a RADIUS server has the following elements:
■ vendor and ACL identifiers:
• ProCurve (HP) Vendor-Specific ID: 11
• Vendor-Specific Attribute for ACLs: 61 (string = HP-IP-FILTER-RAW)
• Setting: HP-IP-FILTER-RAW = < “permit” or “deny” ACE >
(Note that the “string” value and the “Setting” specifier are identical.)
■ ACL configuration, including:
• one or more explicit “permit” and/or “deny” ACEs created by the
system operator
• implicit deny any any ACE automatically active after the last operator-
created ACE
Nas-Filter-Rule-Options
Table 6-4. Nas-Filter-Rule Attribute Options
Service Control Method and Operating Notes:
ACLs Applied to Client
Traffic Inbound to the
Switch
Assigns a RADIUS-
configured ACL to
filter inbound packets
received from a
specific client
authenticated on a
switch port.
Standard Attribute: 92
This is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4
traffic.
Entry for IPv4-Only ACE To Filter Client Traffic:
Nas-filter-Rule = “< permit or deny ACE >” (Standard Attribute 92)
For example:
Nas-filter-Rule=”permit in tcp from any to any”
ACLs Applied to Client
Traffic Inbound to the
Switch
Assigns a RADIUS-
configured IPv4 ACL
to filter inbound IPv4
packets received from
a specific client
authenticated on a
switch port.
HP-Nas-Filter-Rule (Vendor-Specific Attribute): 61
This attribute is maintained for legacy purposes to support ACEs in RADIUS-assigned ACLs.
However, for new or updated configurations HP recommends using the Standard Attribute (92)
described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.
HP (ProCurve) vendor-specific ID: 11
VSA: 61 (string = HP-Nas-Filter-Rule
Setting: HP-Nas-filter-Rule = “< permit or deny ACE >”
6-18
To Next Page
Loading...
