HP ProCurve 6120G/XG User Manual

HP ProCurve 6120G/XG
606 pages
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
Note: A RADIUS-assigned ACL assignment filters all inbound IP traffic from an
authenticated client on a port, regardless of whether the client’s IP traffic is
to be switched or routed.
RADIUS-assigned ACLs can be used either with or without PCM and IDM
support. (Refer to “Optional PCM and IDM Applications” on page 6-3.)
ACLs enhance network security by blocking selected IP traffic, and can serve
as one aspect of network security. However, because ACLs do not protect from
malicious manipulation of data carried in IP packet transmissions, they
should not be relied upon for a complete edge security solution.
The ACLs described in this section do not screen non-IP traffic such as
AppleTalk and IPX.
Contrasting Dynamic (RADIUS-Assigned) and Static ACLs
Table 6-3 highlights several key differences between the static ACLs
configurable on switch ports, and the RADIUS-assigned ACLs that can be assigned to
individual ports by a RADIUS server.
Table 6-3. Contrasting Dynamic (RADIUS-Assigned) and Static ACLs

| RADIUS-assigned ACLs | Static Port ACLs |
|---|---|
| Configured in client accounts on a RADIUS server. | Configured on switch ports. |
| Designed for use on the edge of the network where filtering of IP traffic entering the switch from individual, authenticated clients is most important and where clients with differing access requirements are likely to use the same port. | Designed for use where the filtering needs focus on static configurations covering: switched or routed IP traffic entering the switch from multiple sources or from unauthenticated sources; IP traffic from multiple sources and having a destination on the switch itself. |
| Implementation requires client authentication. | Client authentication not a factor. |
| Identified by the credentials (username/password pair or the MAC address) of the specific client the ACL is intended to service. | Identified by a number in the range of 1-199 or an alphanumeric name. |
| Supports dynamic assignment to filter only the IP traffic entering the switch from an authenticated client on the port to which the client is connected. (IP traffic can be routed or switched, and includes IP traffic having a DA on the switch itself.) | Supports static assignments to filter switched or routed IP traffic entering the switch, or routed IP traffic leaving the switch. |
| When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port. | Remains statically assigned to the port. |
6-13
