Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
3. Configure the ACLs on a RADIUS server accessible to the intended clients.
4. Configure the switch to use the desired RADIUS server and to support the
desired client authentication scheme. Options include 802.1X, Web
authentication, or MAC authentication. (Note that the switch supports the
option of simultaneously using 802.1X with either Web or MAC authenti-
cation.)
5. Test client access on the network to ensure that your RADIUS-assigned
ACL application is properly enforcing your policies.
For further information common to all ACL applications, refer to the following
sections in chapter 9, “IPv4 Access Control Lists (ACLs)”:
■ “Features Common to All ACLs” on page 9-11
■ “General Steps for Planning and Configuring ACLs” on page 9-12
The Packet-filtering Process
Packet-Filtering in an applied ACL is sequential, from the first ACE in the ACL
to the implicit “deny any” following the last explicit ACE. This operation is the
same regardless of whether the ACL is applied dynamically from a RADIUS
server or statically in the switch configuration.
Note If a RADIUS-assigned ACL permits an authenticated client’s inbound IP
packet, but the client port is also configured with a static port ACL, then the
packet will also be filtered by these other ACLs. If there is a match with a deny
ACE in any of these ACLs, the switch drops the packet.
Caution ACLs can enhance network security by blocking selected IP traffic, and can
serve as one aspect of maintaining network security. However, because ACLs
do not provide user or device authentication, or protection from malicious
manipulation of data carried in IP packet transmissions, they should not
be relied upon for a complete security solution.
Operating Rules for RADIUS-Assigned ACLs
■ Relating a Client to a RADIUS-Assigned ACL: A RADIUS-assigned
ACL for a particular client must be configured in the RADIUS server under
the authentication credentials the server should expect for that client. (If
the client must authenticate using 802.1X and/or Web Authentication, the
username/password pair forms the credential set. If authentication is
6-16
To Next Page
Loading...
