
HP ProCurve 3400cl-24G Access Security Guide

HP ProCurve 3400cl-24G
404 pages
RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
General Operation
An ACL is a list of one or more Access Control Entries (ACEs), where each
ACE consists of a matching criteria and an action (permit or deny). These
ACEs are designed to control the network access privileges of an authenticated
client. A RADIUS-based ACL applies only to the inbound traffic from
the client whose authentication triggers the ACL assignment to the client port.
How a RADIUS Server Applies a RADIUS-Based ACL to a Switch Port.
A RADIUS-based ACL configured on a RADIUS server is identified and
invoked by the unique credentials (username/password pair or a client MAC
address) of the specific client the ACL is designed to service. Where the
username/password pair is the selection criteria, the corresponding ACL can
also be used for a group of clients that all require the same ACL policy and use
the same username/password pair. Where the client MAC address is the
selection criteria, only the client having that MAC address can use the
corresponding ACL. When a RADIUS server authenticates a client, it also assigns
the ACL configured with that client’s credentials to the port. The ACL then
filters the client’s inbound IP traffic and denies (drops) any such traffic from
the client that is not explicitly permitted by the ACL. (Every ACL ends with
an implicit deny in ip from any to any (“deny any any”) ACE that denies IP traffic
not specifically permitted by the ACL.) When the client session ends, the
switch removes the RADIUS-based ACL from the client port.
When multiple clients supported by the same RADIUS server use the same
credentials, they will all be serviced by different instances of the same ACL.
(The actual traffic inbound from any client on the switch carries a source MAC
address unique to that client. The RADIUS-based ACL uses this MAC address
to identify the traffic to be filtered.)
Notes
On any ACL assigned to a port, there is an implicit deny in ip from any to any
(“deny any any”) command that results in a default action to deny any inbound
IP traffic that is not specifically permitted by the ACL. To reverse this default,
use an explicit “permit any” as the last ACE in the ACL.
On a given port, RADIUS-based ACL filtering occurs only for the inbound
traffic from the client whose authentication configuration on the server
includes a RADIUS-based ACL. Inbound traffic from another authenticated
client (on the same port) whose authentication configuration on the server
does not include a RADIUS-based ACL will not be filtered by a RADIUS-based
ACL assigned to the port for any other authenticated client.
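
The behaviour described above, modelled as an added Python example (not code from the HP guide or the switch software): per-client ACL instances selected by source MAC, first-match evaluation ending in the implicit deny, and a second client on the same port that has no ACL. Assumptions: the Port class and its result strings are hypothetical, the parsed ACE subset is patterned on the guide's "deny in ip from any to any", "permit in ip from any to any" is an assumed spelling of the guide's "permit any", and all MAC and IP values are constructed from documentation ranges.

```python
import ipaddress

IMPLICIT_DENY = "deny in ip from any to any"  # implicit last ACE, per the guide

def parse_ace(text):
    """Parse '<permit|deny> in ip from any to <any|addr[/len]>' (assumed subset)."""
    action, *fixed, dst = text.split()
    if action not in ("permit", "deny") or fixed != ["in", "ip", "from", "any", "to"]:
        raise ValueError(f"unsupported ACE: {text!r}")
    return action, ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst)

class Port:
    """Hypothetical model of one switch port with per-client ACL instances."""
    def __init__(self):
        self.sessions = {}  # client MAC -> ACL instance, or None (no ACL configured)

    def authenticate(self, mac, aces=None):
        # Called when the RADIUS server accepts the client; aces come from the server.
        acl = None if aces is None else [parse_ace(a) for a in [*aces, IMPLICIT_DENY]]
        self.sessions[mac.lower()] = acl

    def end_session(self, mac):
        self.sessions.pop(mac.lower(), None)  # the ACL instance goes with the session

    def inbound(self, src_mac, dst_ip):
        """Decision for one inbound IP packet, selected by its source MAC."""
        mac = src_mac.lower()
        if mac not in self.sessions:
            return "no-session"  # assumption: no authenticated session, no ACL lookup
        acl = self.sessions[mac]
        if acl is None:
            return "unfiltered"  # this client's server entry carries no ACL
        dst = ipaddress.ip_address(dst_ip)
        # ACEs are checked in order; the first match decides.
        return next((action for action, net in acl if dst in net), "deny")

def demo():
    """Constructed clients (documentation MAC and IP ranges) sharing one port."""
    a, b, c = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    port = Port()
    port.authenticate(a, ["permit in ip from any to 192.0.2.0/24"])
    port.authenticate(b, ["deny in ip from any to 198.51.100.0/24",
                          "permit in ip from any to any"])
    port.authenticate(c)  # authenticated, but no RADIUS-based ACL
    probes = [(a, "192.0.2.10"), (a, "203.0.113.5"), (b, "198.51.100.7"),
              (b, "203.0.113.5"), (c, "203.0.113.5")]
    results = [port.inbound(mac, ip) for mac, ip in probes]
    port.end_session(a)
    return results + [port.inbound(a, "192.0.2.10")]
```

Calling demo() returns the decisions in probe order: client a is limited to its one permitted subnet, client b reaches everything except the subnet it is explicitly denied, and client c is untouched by either ACL.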