RADIUS Authentication and Accounting 
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services 
Notes: Where two authenticated clients are using RADIUS-based ACLs on
the same port, the total number of ACEs in both active sessions
cannot exceed the maximum.

Item:  Maximum Number of Characters in a single ACE
Limit: 80
Notes: —

Item:  Maximum Number of (optional) Internal Counters Used Per-Module
Limit: 100
Notes: Depending on how an ACE is formed, using the cnt (counter) option
consumes one or more internal counters. Using a counter in an ACE that
does not specify TCP or UDP port numbers uses one counter. Using a
counter in an ACE that includes TCP or UDP port numbers uses one or more
counters, depending on the port number groupings. A single TCP or UDP
port number or a series of contiguous port numbers comprise one group.
For example, “80” and “137-146” each form one group. “135, 137-140, 143”
in a given ACE form three groups. The following ACE examples illustrate
how the switch calculates internal counter groups.

Examples of ACEs Employing Counters                                   Internal Counters
deny in ip from any to any cnt                                        1
deny in tcp from any to any cnt                                       1
deny in tcp from any to any 80 cnt                                    1
permit in tcp from any to any 135, 137-146, 445 cnt                   3
permit in tcp from any to any 135-137, 139, 141, 143, 146, 445 cnt    6
permit in tcp from any to any 135-146, 445 cnt                        2
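The counter-group rule above can be checked before ACEs are loaded into the RADIUS server. The following Python sketch is an added example, not part of the original manual or the switch software: it parses ACEs of the form shown in the examples and totals the internal counters against the 80-character and 100-counter limits. The function names are hypothetical, and it assumes port groups are counted as written (each comma-separated port or range is one group).

```python
import re

MAX_ACE_CHARS = 80              # page: maximum characters in a single ACE
MAX_COUNTERS_PER_MODULE = 100   # page: maximum internal counters per module

# ACE form taken from the page's examples:
#   <permit|deny> in <ip|tcp|udp> from any to <dest> [port list] [cnt]
ACE_RE = re.compile(
    r"(permit|deny)\s+in\s+(ip|tcp|udp)\s+from\s+any\s+to\s+(\S+)"
    r"(?:\s+(\d[\d\s,-]*?))?(?:\s+(cnt))?\s*"
)
PORT_GROUP_RE = re.compile(r"(\d+)(?:-(\d+))?")


def counters_used(ace):
    """Return the number of internal counters one ACE consumes."""
    ace = ace.strip()
    if len(ace) > MAX_ACE_CHARS:
        raise ValueError(f"ACE exceeds {MAX_ACE_CHARS} characters: {ace!r}")
    m = ACE_RE.fullmatch(ace)
    if m is None:
        raise ValueError(f"unrecognized ACE: {ace!r}")
    _action, _proto, _dest, ports, cnt = m.groups()
    if not cnt:
        return 0    # no cnt option, so no counter is consumed
    if not ports:
        return 1    # counter on an ACE without TCP/UDP port numbers
    groups = 0
    # Assumption: each comma-separated port or range is one group, as written.
    for item in ports.split(","):
        g = PORT_GROUP_RE.fullmatch(item.strip())
        if g is None:
            raise ValueError(f"bad port entry {item!r} in {ace!r}")
        lo = int(g.group(1))
        hi = int(g.group(2) or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r} in {ace!r}")
        groups += 1
    return groups


def module_counter_usage(aces):
    """Total counters for the ACEs active on one module, and whether it fits."""
    total = sum(counters_used(a) for a in aces)
    return total, total <= MAX_COUNTERS_PER_MODULE
```
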
■  Effect of VLAN-Based ACLs Configured on the Switch: A port 
receiving a dynamic, RADIUS-based ACL assignment can also belong 
to a VLAN for which there is an inbound ACL statically configured (on 
the switch). In this case, an IP packet permitted by the RADIUS-based 
ACL will also be filtered by the VLAN-based ACL if the inbound client 
packets are routed or have a destination address (DA) on the switch
itself. If the RADIUS-based ACL permits the packet, but the VLAN-based,
inbound ACL
denies the packet, then the packet is dropped. If the RADIUS-based 
ACL denies the packet, then the packet is dropped and does not reach 
the VLAN-based, inbound ACL. (RADIUS-based ACLs operate only on 
inbound IP traffic, and are not a factor for the traffic filtered by VLAN-
based, outbound ACLs.) 
■  A RADIUS-Based ACL Affects Only the Inbound Traffic from a 
Specific, Authenticated Client: A RADIUS-based ACL assigned to 
a port as the result of a client authenticating on that port applies only 
to the inbound traffic received on that port from that client. It does 
not affect the traffic received from any other authenticated clients on 
that port, and does not affect any outbound traffic on that port. 