Quick Reference Guide
PowerConnect B-Series TI24X Configuration Guide, 53-1002269-02, page 992
Chapter 30: Configuring multi-device port authentication

Configuring the RADIUS server to support dynamic IP ACLs
When a port is authenticated using multi-device port authentication, an IP ACL that already exists in
the running-config on the device can be applied to that port dynamically. To do this, configure the
Filter-ID attribute (RADIUS attribute type 11) on the RADIUS server for the entry that authenticates
the MAC address. The Filter-ID value identifies the IP ACL by number or by name.
Table 12 gives the syntax of the Filter-ID attribute value that refers to an IP ACL. Table 13 lists
examples of Filter-ID values together with the IP ACLs configured on the device that they refer to.
Enabling denial of service attack protection
The Dell device does not start forwarding traffic from a MAC address in hardware until the RADIUS
server has authenticated that MAC address; until then, traffic from the not-yet-authenticated MAC
address is sent to the CPU. This creates a denial of service (DoS) exposure: an attacker can send a
high volume of frames with new source MAC addresses to the device, so that the CPU is overwhelmed
performing RADIUS authentication for each of them. The resulting high CPU load can also prevent the
RADIUS response from reaching the CPU in time, causing the device to make additional authentication
attempts and adding to the load.
To limit the susceptibility of the device to such attacks, you can configure multiple RADIUS servers,
which share the load when a large number of MAC addresses need to be authenticated. The device can
run a maximum of 10 RADIUS clients per server and attempts to authenticate with the next RADIUS
server if the current one times out.
In addition, you can configure the device to limit the rate of authentication attempts sent to the
RADIUS server. When multi-device port authentication is enabled, the device keeps track of the
number of RADIUS authentication attempts made per second for MAC addresses learned on each
interface. When you also enable the DoS protection feature and that per-interface rate exceeds a
configurable limit (by default 512 authentication attempts per second), the device treats this as a
possible DoS attack and disables the port. The port stays disabled until you re-enable it manually.
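The rate check described above, modelled in Python as an added example. This is not the switch's code (the guide shows none); it models the per-interface, per-second counter, the default limit of 512, and the fact that a tripped port stays disabled until an operator re-enables it. Interface names, MAC addresses and timestamps are constructed.

```python
# Added example, not from the Dell guide: a model of the per-interface,
# per-second rate check the DoS protection feature applies. Every RADIUS
# authentication attempt triggered by a MAC learned on an interface is counted
# in a one-second bucket for that interface; once a bucket exceeds the limit
# (default 512 attempts per second, as the guide states) the interface is
# disabled and stays disabled until an operator re-enables it. Interface names,
# MAC addresses and timestamps below are constructed.
from collections import defaultdict

DEFAULT_MAC_LIMIT = 512   # attempts per second; the guide's default


class MacAuthDosProtection:
    def __init__(self, limit_per_second: int = DEFAULT_MAC_LIMIT):
        if limit_per_second < 1:
            raise ValueError("limit must be at least 1 attempt per second")
        self.limit = limit_per_second
        self._counts = defaultdict(int)   # (interface, whole second) -> attempts
        self.disabled = set()             # interfaces tripped by the check
        self.trip_log = []                # (interface, second, count, mac) when tripped

    def radius_attempt(self, interface: str, mac: str, t: float) -> bool:
        """Record one authentication attempt for `mac` on `interface` at time t
        (seconds). Returns True if the request may go to the RADIUS server, or
        False if the interface is disabled (including by this very attempt)."""
        if interface in self.disabled:
            return False
        key = (interface, int(t))
        self._counts[key] += 1
        if self._counts[key] > self.limit:
            self.disabled.add(interface)
            self.trip_log.append((interface, key[1], self._counts[key], mac))
            return False
        return True

    def reenable(self, interface: str) -> None:
        """Operator action: the guide says a tripped port must be re-enabled manually."""
        self.disabled.discard(interface)


def simulate_burst(limit: int = DEFAULT_MAC_LIMIT) -> MacAuthDosProtection:
    """Constructed scenario: 600 distinct source MACs hit e 1/1 within a single
    second (the attack), while e 1/2 sees 10 MACs spread over five seconds."""
    guard = MacAuthDosProtection(limit)
    for i in range(600):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        guard.radius_attempt("e 1/1", mac, 100.0 + i / 600)
    for i in range(10):
        guard.radius_attempt("e 1/2", f"02:00:00:01:00:{i:02x}", 100.0 + i * 0.5)
    return guard


if __name__ == "__main__":
    g = simulate_burst()
    print("disabled:", sorted(g.disabled), "trip:", g.trip_log)
```

In the constructed burst, the 513th attempt in the same second trips e 1/1 and every later attempt on that interface is dropped until `reenable()` is called, while e 1/2, which never exceeds two attempts per second, keeps authenticating. Note that the counter is a plain one-second bucket, so an attacker pacing just under the limit is not caught by this check; that is why the guide pairs it with multiple RADIUS servers rather than relying on it alone.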
The DoS protection feature is disabled by default. To enable it on an interface, enter commands
such as the following.
Table 12: Syntax of the Filter-ID attribute value for IP ACLs

Value             Description
ip.<number>.in    Applies the specified numbered ACL (see note 1) to the authenticated port in the
                  inbound direction.
ip.<name>.in      Applies the specified named ACL (see notes 1 and 2) to the authenticated port in the
                  inbound direction.

1. The ACL must be an extended ACL. Standard ACLs are not supported.
2. The <name> in the Filter-ID attribute is case-sensitive; it must match the ACL name in the
   running-config exactly.

Table 13: Example Filter-ID values and the ACLs they refer to

Filter-ID value on the RADIUS server    ACL configured on the Dell device
ip.102.in                               access-list 102 permit ip 36.0.0.0 0.255.255.255 any
ip.fdry_filter.in                       ip access-list standard fdry_filter
                                         permit host 36.48.0.3

Note that the second example in Table 13 defines fdry_filter as a standard named ACL, whereas note 1
to Table 12 states that only extended ACLs are supported. Before relying on a named ACL in the
Filter-ID attribute, confirm from the running-config that it is defined as an extended ACL and that
the name matches case exactly; a mismatch leaves the port authenticated without the intended filter.
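The Filter-ID handling described in this section and in Tables 12 and 13, worked through end to end as an added example (this is not the switch's or the RADIUS server's code, and the guide shows none). A RADIUS server places the Filter-Id attribute (type 11, RFC 2865) in its Access-Accept; the switch side decodes the attribute, parses the ip.<number>.in / ip.<name>.in syntax, and looks the ACL up in its running-config, applying both footnotes (extended ACLs only, case-sensitive names). The running-config text is constructed from the two ACLs in Table 13 plus one extended named ACL; the numbered-ACL ranges (1-99 standard, 100-199 extended) are an assumption based on the classic numbering that the page's "access-list 102" follows.

```python
# Added example, not from the Dell guide: a RADIUS server puts the Filter-Id
# attribute (type 11, RFC 2865) in its Access-Accept; the switch decodes it,
# parses the ip.<number|name>.in syntax of Table 12 and looks the ACL up in its
# running-config, applying both footnotes (extended ACLs only, case-sensitive
# names). The running-config text and Filter-Id values are constructed; the
# numbered-ACL ranges (1-99 standard, 100-199 extended) are an assumption taken
# from the classic numbering the page's "access-list 102" follows.
import re
import struct

RADIUS_ATTR_FILTER_ID = 11

# Constructed running-config: the extended numbered ACL and the standard named
# ACL from Table 13, plus an extended named ACL for the case-sensitivity check.
RUNNING_CONFIG = """\
access-list 102 permit ip 36.0.0.0 0.255.255.255 any
ip access-list standard fdry_filter
 permit host 36.48.0.3
ip access-list extended Guest_In
 permit tcp any any eq 80
"""


def encode_filter_id(value: str) -> bytes:
    """RADIUS TLV: Type (1 byte), Length (1 byte incl. header), Value (<=253)."""
    data = value.encode("ascii")
    if not 1 <= len(data) <= 253:
        raise ValueError("Filter-Id value must be 1..253 bytes")
    return struct.pack("!BB", RADIUS_ATTR_FILTER_ID, len(data) + 2) + data


def decode_attributes(blob: bytes) -> dict:
    """Walk concatenated RADIUS TLVs and return {type: [value bytes, ...]}."""
    attrs, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(blob[i + 2:i + alen])
        i += alen
    return attrs


FILTER_ID_RE = re.compile(r"^ip\.(?P<acl>[^.\s]+)\.in$")  # Table 12 syntax


def parse_filter_id(value: str) -> str:
    """Return the ACL number or name from an ip.<acl>.in value, else raise."""
    m = FILTER_ID_RE.match(value)
    if not m:
        raise ValueError(f"unsupported Filter-Id syntax: {value!r}")
    return m.group("acl")


def parse_running_config(text: str) -> dict:
    """Map each ACL identifier in the config to 'standard' or 'extended'."""
    acls = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^access-list (\d+) ", line)
        if m:
            num = int(m.group(1))
            acls[m.group(1)] = "extended" if 100 <= num <= 199 else "standard"
            continue
        m = re.match(r"^ip access-list (standard|extended) (\S+)$", line)
        if m:
            acls[m.group(2)] = m.group(1)
    return acls


def resolve_filter_id(blob: bytes, running_config: str = RUNNING_CONFIG):
    """Switch-side decision for the attributes of one Access-Accept.
    Returns (acl, None) when the ACL can be applied inbound, otherwise
    (acl_or_None, reason)."""
    values = decode_attributes(blob).get(RADIUS_ATTR_FILTER_ID, [])
    if len(values) != 1:
        return None, f"expected exactly one Filter-Id, got {len(values)}"
    try:
        acl = parse_filter_id(values[0].decode("ascii", errors="replace"))
    except ValueError as exc:
        return None, str(exc)
    acls = parse_running_config(running_config)
    if acl not in acls:                 # exact match: names are case-sensitive (note 2)
        return acl, "ACL not present in running-config"
    if acls[acl] != "extended":         # note 1: standard ACLs are not supported
        return acl, "ACL is standard; only extended ACLs are supported"
    return acl, None


if __name__ == "__main__":
    for v in ("ip.102.in", "ip.fdry_filter.in", "ip.guest_in.in", "ip.Guest_In.in"):
        print(v, "->", resolve_filter_id(encode_filter_id(v)))
```

Run stand-alone, the four constructed values show the four outcomes a practitioner needs to tell apart: ip.102.in resolves to the extended numbered ACL; ip.fdry_filter.in is rejected because, as in Table 13, fdry_filter is defined as a standard ACL; ip.guest_in.in is rejected because the lookup is case-sensitive and the config defines Guest_In; and ip.Guest_In.in resolves. The decoder also refuses an Access-Accept that carries zero or several Filter-Id attributes rather than guessing which one to apply.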