RADIUS Authentication and Accounting 
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services 
ple, if client “X” is authenticated with a CoS of 5 and a rate-limit of 75%, and 
client “Y” later becomes authenticated with a CoS of 3 and a rate-limit of 50% 
while the session for client “X” is still active, then the port will operate with a 
CoS of 3 and a rate-limit of 50% for both clients. 
RADIUS-Assigned Access Control Lists 
This feature uses RADIUS-assigned, per-port ACLs for Layer-3 filtering of 
inbound IP traffic from authenticated clients. A given RADIUS-assigned ACL 
is identified by a unique username/password pair or client MAC address, and 
applies only to traffic from clients that authenticate with the same unique 
credentials. ACL services for an authenticated client include filtering inbound 
IP traffic based on destination and/or IP traffic type (such as TCP and UDP 
traffic) and traffic counter options. Implementing the feature requires: 
■  RADIUS authentication using the 802.1X, Web authentication, or MAC 
authentication services available on the switch to provide client 
authentication services 
■  configuring the ACLs on the RADIUS server (instead of the switch), 
and assigning each ACL to the username/password pair or MAC 
address of the clients you want the ACLs to support 
A RADIUS-assigned ACL is a type of extended ACL that filters IP traffic 
inbound on a port from any source (and, optionally, of any specific IP application 
or protocol type) to a single destination IP address, a group of contiguous 
IP addresses, an IP subnet, or any IP destination. 
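As an added illustration (not code from the manual or the switch), the following Python evaluates an ACL of the shape just described against sample inbound packets: any source, a destination host, subnet or "any", an optional protocol and port, and a traffic counter. The ACE text syntax, the "cnt" counter keyword, the sample addresses and the implicit deny after the last entry are assumptions of this example, not taken from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Assumed ACE grammar (not given on this page), with an implicit deny after the last ACE:
#   "<permit|deny> in <ip|tcp|udp|icmp> from any to <host-ip | net/prefix | any> [dst-port] [cnt]"
@dataclass(frozen=True)
class Ace:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches any IP protocol
    dst: Optional[ipaddress.IPv4Network]  # None means "any destination"
    port: Optional[int]                   # only meaningful for tcp/udp
    count: bool                           # "cnt": keep a hit counter for this ACE

def parse_ace(text: str) -> Ace:
    # Parse one ACE string as a RADIUS server would return it for an authenticated client.
    tok = text.split()
    if len(tok) < 7 or tok[0] not in ("permit", "deny") or tok[1] != "in" \
            or tok[3:6] != ["from", "any", "to"]:
        raise ValueError(f"unsupported ACE: {text!r}")
    action, proto, dst, rest = tok[0], tok[2], tok[6], tok[7:]
    if proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unknown protocol in ACE: {text!r}")
    net = None if dst == "any" else ipaddress.ip_network(dst, strict=False)  # bare host -> /32
    count = "cnt" in rest                                                   # trailing counter keyword
    port = int(rest[0]) if rest and rest[0] != "cnt" else None
    if port is not None and proto not in ("tcp", "udp"):
        raise ValueError(f"port given for non-TCP/UDP protocol: {text!r}")
    return Ace(action, proto, net, port, count)

class RadiusAcl:
    # Ordered ACE list returned for one authenticated client and applied to its port.
    def __init__(self, aces):
        self.aces = [parse_ace(a) for a in aces]
        self.hits = [0] * len(self.aces)  # counters for ACEs flagged with "cnt"
    def evaluate(self, proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
        ip = ipaddress.ip_address(dst_ip)
        for i, ace in enumerate(self.aces):   # first matching ACE decides
            proto_ok = ace.proto == "ip" or ace.proto == proto
            dst_ok = ace.dst is None or ip in ace.dst
            port_ok = ace.port is None or ace.port == dst_port
            if proto_ok and dst_ok and port_ok:
                self.hits[i] += ace.count     # bool adds 0 or 1
                return ace.action
        return "deny"  # no ACE matched: implicit deny

# Constructed ACL for one client (sample data, not from the page).
CLIENT_ACL = [
    "deny in tcp from any to 10.10.10.1 23 cnt",   # block telnet to the server, count attempts
    "permit in tcp from any to 10.10.10.0/24 80",  # HTTP to the server subnet
    "permit in udp from any to 10.10.20.5 53",     # DNS to one resolver
    "permit in ip from any to 10.10.30.0/24",      # anything else only toward this subnet
]
```

Because the list is evaluated in order, a broad "permit in ip from any to any" placed before a deny entry would make that deny unreachable, so entry order on the RADIUS server matters as much as the entries themselves.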
This feature is designed to accept dynamic configuration of a RADIUS-based 
ACL on an individual port on the network edge to filter traffic from an 
authenticated end-node client. Using RADIUS to apply per-port ACLs to edge 
ports enables the switch to filter IP traffic coming from outside the network, 
thus removing unwanted traffic as soon as possible and helping to improve 
system performance. Also, applying RADIUS-assigned ACLs to ports on the 
network edge is likely to be less complex than using VLAN-based ACLs in the 
network core to filter unwanted traffic that could have been filtered at the 
edge. 
This feature enhances network and switch management access security by 
permitting or denying authenticated client access to specific network 
resources and to the switch management interface. This includes preventing 
6-25