Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
Configuration Notes
Explicitly Permitting Any IP Traffic. Entering a permit in ip from any to any
(permit any any) ACE in an ACL permits all IP traffic not previously permitted
or denied by that ACL. Any ACEs listed after that point do not have any effect.
Explicitly Denying Any IP Traffic. Entering a deny in ip from any to any
ACE in an ACL denies all IP traffic not previously permitted or denied by that
ACL. Any ACEs listed after that point have no effect.
Implicitly Denying Any IP Traffic. For any packet being filtered by a
static port ACL, there will always be a match. That is, any packet that does
not have a match with an explicit permit or deny ACE in the list will match
with the implicit deny in ip from any to any that is automatically implied at the
end of the list. Thus, the ACL denies any IP packet it filters that does not match
any explicitly configured ACE. If you want an ACL to permit any packets that
are not explicitly denied, you must configure permit in ip from any to any as the
last explicit ACE in the ACL. This permit any any only applies to an authenti-
cated user. It pre-empts the implicit deny in ip from any to any ACE and permits
packets not explicitly permitted or denied by earlier ACEs in the list.
Configuring the Switch To Support RADIUS-Assigned
ACLs
An ACL configured in a RADIUS server is identified by the authentication
credentials of the client or group of clients the ACL is designed to support.
When a client authenticates with credentials associated with a particular ACL,
the switch applies that ACL to the switch port the client is using. To enable
the switch to forward a client’s credentials to the RADIUS server, you must
first configure RADIUS operation and an authentication method on the switch.
1. Configure RADIUS operation on the switch:
Syntax: radius-server host < ip-address > key < key-string >
This command configures the IP address and encryption key of a
RADIUS server. The server should be accessible to the switch and
configured to support authentication requests from clients using the
switch to access the network. For more on RADIUS configuration,
refer to chapter 5, “RADIUS Authentication and Accounting”.
2. Configure RADIUS network accounting on the switch (optional). RADIUS
network accounting is necessary to retrieve counter information if the cnt
(counter) option is included in any of the ACEs configured on the RADIUS
server.
Syntax: aaa accounting network < start-stop | stop-only > radius
6-24
To Next Page
Loading...
Need help?
General
