RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
• Any IP address
■ Where the traffic type is either TCP or UDP, the ACE can optionally
include one or more TCP or UDP port numbers.
The following syntax and operating information refers to ACLs configured in
a RADIUS server.
ACE Syntax: < permit | deny > in < ip | ip-protocol-value > from any to < ip-addr > [/< mask > ] | > [ tcp/udp-ports] [cnt ]
< permit | deny >: Specifies whether to forward or drop the identified IP traffic type from the
authenticated client.
in: Required keyword specifying that the ACL applies only to the traffic inbound from the
authenticated client.
< ip | ip-protocol-value >: Options for specifying the type of traffic to filter.
ip: This option applies the ACL to all IP traffic from the authenticated client.
ip-protocol-value: This option applies the ACL to the type of IP traffic specified by either
a protocol number or by
tcp or udp. The range of protocol numbers is 0-255, and you
can substitute 6 for TCP or 17 for UDP. (Protocol numbers are defined in RFC 2780.
For a complete listing, refer to “Protocol Numbers” under “Protocol Number Assign-
ment Services” on the Web site of the Internet Assigned Numbers Authority at
www.iana.com.) Some examples of protocol numbers include:
1 = ICMP 17 = UDP
2 = IGMP 41 = IPv6
6 = TCP
from any: Required keywords specifying the (authenticated) client source. (Note that a
RADIUS-Based ACL assigned to a port filters only the inbound traffic having a source
MAC address that matches the MAC address of the client whose authentication invoked the
ACL assignment.)
to : Required destination keyword.
< ip-addr >: Specifies a single destination IP address.
< ip-addr /< mask >: Specifies a series of contiguous destination IP addresses or all
destination IP addresses in a subnet. The < mask > is CIDR notation for the number
of leftmost bits in a packet’s destination IP address that must match the corre
-
sponding bits in the destination IP address listed in the ACE. For example, a
destination of 10.100.17.1/24 in the ACE means that a match occurs when an
inbound packet (of the designated IP type) from the authenticated client has a
destination IP address where the first three octets are 10.100.17. (The fourth octet is
a wildcard, and can be any value up to 255.)
any: Specifies any IP destination address. Use this option when you want the ACL
action to apply to all traffic of the designated type, regardless of destination.
6-41
To Next Page
Loading...
Need help?
General