ProCurve 2610 - How a RADIUS Server Applies a Dynamic Port ACL to a Switch Port

ProCurve 2610
454 pages
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
Dynamic Port ACLs vs. Static Port ACLs

Client authentication:
  Dynamic port ACLs: Requires client authentication by a RADIUS server configured to dynamically assign an ACL to the client port, based on client credentials.
  Static port ACLs: No client authentication requirement.

Packet-match options:
  Dynamic port ACLs: ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match.
  Static port ACLs: ACEs allow a log option that generates a log message whenever there is a packet match with a “deny” ACE.
Caution Regarding the Use of Source Routing

Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes “no ip source-route” in the running-config file listing.)
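The caution above turns into a simple compliance check: a running-config that relies on ACLs but does not carry the line “no ip source-route” still has source routing enabled, because enabled is the default. The following is an added example, not text or code from the manual. It scans a saved copy of the show running output for that line; the two configuration excerpts are constructed for the example, and their ACL lines are illustrative rather than verified 2610 syntax.

```python
import re

# Constructed running-config excerpts (not captured from a real switch); the
# ACL lines are illustrative only. The first has source routing disabled, the
# second leaves the factory default (enabled) in place.
HARDENED_CONFIG = """\
hostname "Switch-A"
no ip source-route
ip access-list extended "guest-acl"
   deny ip any 10.0.0.0/8
   permit ip any any
   exit
"""

DEFAULT_CONFIG = """\
hostname "Switch-B"
ip access-list extended "guest-acl"
   deny ip any 10.0.0.0/8
   permit ip any any
   exit
"""

# Exact line the manual says appears in the listing once source routing is off.
SOURCE_ROUTE_DISABLED = re.compile(r"^\s*no\s+ip\s+source-route\s*$", re.MULTILINE)
# Any ACL definition line (standard or extended).
USES_ACLS = re.compile(r"^\s*(ip\s+)?access-list\b", re.MULTILINE)


def source_routing_disabled(running_config: str) -> bool:
    """True only if 'no ip source-route' is present.

    Source routing is on by default, so a config that merely omits the line
    still has it enabled; absence of the line is the insecure state."""
    return SOURCE_ROUTE_DISABLED.search(running_config) is not None


def uses_acls(running_config: str) -> bool:
    """True if the config defines at least one ACL."""
    return USES_ACLS.search(running_config) is not None


def audit_source_routing(running_config: str) -> list:
    """Flag a config that relies on ACLs while leaving source routing enabled."""
    findings = []
    if uses_acls(running_config) and not source_routing_disabled(running_config):
        findings.append(
            "ACLs are configured but source routing is enabled (default): "
            "source-routed packets can bypass them; apply 'no ip source-route'"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("Switch-A", HARDENED_CONFIG), ("Switch-B", DEFAULT_CONFIG)):
        print(label, audit_source_routing(cfg) or ["ok"])
```

Feed the function the text captured from show running (for example, a nightly backup) so the check covers every switch, not just the one being configured.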
How a RADIUS Server Applies a Dynamic Port ACL to a Switch Port

A dynamic port ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is designed to service. Where the username/password pair is the selection criteria, the corresponding ACL can also be used for a group of clients that all require the same ACL policy and use the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port. The ACL then filters the client’s inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL. (Every ACL ends with an implicit deny in ip from any to any (“deny any any”) ACE that denies IP traffic not specifically permitted by the ACL.) When the client session ends, the switch removes the dynamic port ACL from the client port.
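The lifecycle just described (credentials select an ACL, the ACL is applied to the port on authentication, inbound IP traffic falls through to the implicit deny, the ACL is removed when the session ends) can be walked through in a small model. The following is an added example, not code from the manual or from ProCurve; the RadiusServer and SwitchPort classes, the cnt counter behaviour and the sample policies are constructed for the example. ACEs are evaluated in order and the first match decides, as on the switch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access control entry: permit or deny IP traffic from src to dst."""
    action: str          # "permit" or "deny"
    src: str             # CIDR network or "any"
    dst: str             # CIDR network or "any"
    cnt: bool = False    # dynamic-ACL counter option: count packet matches
    hits: int = 0

    @staticmethod
    def _in(net: str, ip: str) -> bool:
        return net == "any" or ip_address(ip) in ip_network(net, strict=False)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return self._in(self.src, src_ip) and self._in(self.dst, dst_ip)


@dataclass
class PortAcl:
    name: str
    aces: list

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """First matching ACE decides; no match falls through to the implicit
        'deny in ip from any to any' that ends every ACL."""
        for ace in self.aces:
            if ace.matches(src_ip, dst_ip):
                if ace.cnt:
                    ace.hits += 1
                return ace.action
        return "deny"


class RadiusServer:
    """Toy policy store (constructed): client credentials -> ACL to assign.
    A username/password key can serve every client sharing that pair;
    a MAC-address key serves exactly one client."""
    def __init__(self, policies: dict):
        self.policies = policies

    def authenticate(self, credential) -> Optional[PortAcl]:
        return self.policies.get(credential)


class SwitchPort:
    """A client port holding at most one dynamic ACL for the current session."""
    def __init__(self):
        self.acl: Optional[PortAcl] = None

    def start_session(self, radius: RadiusServer, credential) -> bool:
        acl = radius.authenticate(credential)
        if acl is None:
            return False      # authentication failed: nothing applied
        self.acl = acl        # RADIUS-assigned ACL now filters this port
        return True

    def end_session(self) -> None:
        self.acl = None       # switch removes the dynamic port ACL

    def forward_inbound(self, src_ip: str, dst_ip: str) -> bool:
        """Inbound IP packet from the client is forwarded only if the session's
        ACL permits it. Simplification: with no authenticated session the
        port passes nothing (static ACLs are not modelled)."""
        if self.acl is None:
            return False
        return self.acl.evaluate(src_ip, dst_ip) == "permit"


def build_policies() -> dict:
    """Constructed sample policies, rebuilt per call so counters start at 0."""
    guest = PortAcl("guest-web", [
        Ace("deny", "any", "10.0.0.0/8"),          # keep guests off the inside
        Ace("permit", "any", "any", cnt=True),     # count everything else
    ])
    staff = PortAcl("staff", [
        Ace("permit", "10.20.0.0/16", "10.0.0.0/8", cnt=True),
    ])
    return {("user", "guest", "guestpw"): guest,          # shared by all guests
            ("mac", "00-11-22-33-44-55"): staff}          # one specific client


def demo() -> dict:
    policies = build_policies()
    radius, port, r = RadiusServer(policies), SwitchPort(), {}
    r["unauthenticated"] = port.forward_inbound("10.20.1.5", "10.1.1.1")
    port.start_session(radius, ("user", "guest", "guestpw"))
    r["guest_to_internal"] = port.forward_inbound("172.16.5.5", "10.1.1.1")
    r["guest_to_external"] = port.forward_inbound("172.16.5.5", "203.0.113.9")
    r["guest_permit_hits"] = policies[("user", "guest", "guestpw")].aces[1].hits
    port.end_session()
    r["after_session_end"] = port.forward_inbound("172.16.5.5", "203.0.113.9")
    port.start_session(radius, ("mac", "00-11-22-33-44-55"))
    r["staff_to_internal"] = port.forward_inbound("10.20.1.5", "10.1.1.1")
    r["staff_implicit_deny"] = port.forward_inbound("10.20.1.5", "203.0.113.9")
    return r


if __name__ == "__main__":
    print(demo())
```

The staff ACL contains only a permit ACE, so the last lookup in demo() is dropped by the implicit deny any any rather than by anything the administrator wrote; this is the behaviour the paragraph describes and the usual surprise when a dynamic ACL is first tested.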
6-12
