
HP ProCurve 6400cl Series Access Security Guide

RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
It is important to remember that RADIUS-based ACLs include an implicit
“deny IP any any”. That is, packets received inbound from an authenticated
client that the ACL does not explicitly permit or deny will be implicitly
denied, and therefore dropped instead of forwarded. If you want the port to
permit all inbound IP traffic (from the authenticated client) that the ACL does
not explicitly permit or deny, insert a permit in ip from any to any (“permit any
any”) as the last explicit entry in the ACL.
Overriding the Implicit “deny IP any any”. If you want an ACL to permit
any routed packets that are not explicitly denied by other entries in the ACL,
you can do so by configuring a permit any entry as the last entry in the ACL.
Doing so permits any packet not explicitly denied by earlier entries.
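The effect of the implicit deny and of a final permit entry can be checked offline with a small first-match evaluator. This is an added example, not code from the manual or the switch software; the entry grammar is a simplified form of the "permit in ip from any to any" entry quoted above, and the prefix-length destinations and sample addresses are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Entry(NamedTuple):
    action: str   # "permit" or "deny"
    proto: str    # "ip" (any IP protocol), "tcp" or "udp"
    dest: object  # ipaddress network, or None for "any"

def parse_entry(text):
    """Parse '<permit|deny> in <proto> from any to <any|addr[/len]>' (assumed grammar)."""
    tok = text.split()
    if len(tok) != 7 or tok[1] != "in" or tok[3:6] != ["from", "any", "to"]:
        raise ValueError(f"unsupported entry: {text!r}")
    if tok[0] not in ("permit", "deny") or tok[2] not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported action or protocol: {text!r}")
    dest = None if tok[6] == "any" else ipaddress.ip_network(tok[6], strict=False)
    return Entry(tok[0], tok[2], dest)

def matches(entry, proto, dst):
    """True when the entry covers this protocol and destination address."""
    proto_ok = entry.proto in ("ip", proto)
    dest_ok = entry.dest is None or ipaddress.ip_address(dst) in entry.dest
    return proto_ok and dest_ok

def evaluate(acl, proto, dst):
    """First matching entry decides; no match falls through to the implicit deny."""
    for entry in map(parse_entry, acl):
        if matches(entry, proto, dst):
            return entry.action
    return "deny"  # implicit "deny IP any any"

def shadowed_entries(acl):
    """Entries listed after a catch-all 'ip ... to any' entry can never match."""
    for i, text in enumerate(acl):
        entry = parse_entry(text)
        if entry.proto == "ip" and entry.dest is None:
            return acl[i + 1:]
    return []

# Constructed sample ACLs using documentation address ranges.
STRICT = ["permit in tcp from any to 192.0.2.10",
          "deny in ip from any to 192.0.2.0/24"]
OPEN = STRICT + ["permit in ip from any to any"]         # permit any any last
MISORDERED = ["permit in ip from any to any"] + STRICT   # permit any any first

if __name__ == "__main__":
    for name, acl in (("STRICT", STRICT), ("OPEN", OPEN), ("MISORDERED", MISORDERED)):
        print(name, evaluate(acl, "udp", "198.51.100.7"), shadowed_entries(acl))
```

With STRICT, traffic to an address no entry mentions is dropped by the implicit deny; with OPEN it is permitted while the explicit deny still applies; MISORDERED shows why the permit must be the last entry.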
General Steps
These steps suggest a process for using ACLs to establish client access
policies. The topics following this section provide details.
1. Determine the policies you want to enforce for client traffic inbound on
the switch.
2. Plan ACLs to execute traffic policies:
   - Apply ACLs on a per-client basis where individual clients need different
     traffic policies or where each client must have a different
     username/password pair or will authenticate using MAC authentication.
   - Apply ACLs on a client group basis where all clients in a given group
     can use the same traffic policy and the same username/password pair.
3. Configure the ACLs on a RADIUS server accessible to the intended clients.
4. Configure the switch to use the desired RADIUS server and to support the
desired client authentication scheme. Options include 802.1X, Web
authentication, or MAC authentication. (Note that the switch supports the
option of simultaneously using 802.1X with either Web or MAC authentication.)
5. Test client access on the network to ensure that your RADIUS-based ACL
application is properly enforcing your policies.
Determining Traffic Policies
This section assumes that the RADIUS server needed by a client for
authentication and ACL assignments is accessible from any switch that
authorized clients may use.