Access Security Guide K/KA/KB.15.15

Figure 152 Switch identity information for a freeRADIUS application
3. For a given client username/password pair or MAC address, create an ACL by entering one
or more ACEs in the FreeRADIUS "users" file. Remember that every ACL created this way
automatically ends with an implicit "deny in ip from any to any" ACE, so any traffic from the client
that no earlier ACE matches is dropped; traffic that is meant to pass must be permitted explicitly.
For example, to assign the same ACL to both of the following clients:
Client having a username of "mobilE011" and a password of "run10kFast"
Client having a MAC address of 08 E9 9C 4F 00 19
The ACL in this example must achieve the following, with the ACEs in this order (the switch
applies the first ACE that matches a packet):
Permit http (TCP port 80) traffic from the client to the device at 10.10.10.101
Deny http (TCP port 80) traffic from the client to all other devices
Permit all other traffic from the client to any destination
NOTE: For information on syntax details for RADIUS-assigned ACLs, see “Using HP VSA 63
to assign IPv6 and IPv4 ACLs” (page 204).
To configure the above ACL, enter the username/password and ACE information shown in
Figure 153 (page 204).
Figure 153 Configuring the FreeRADIUS server to support ACLs for the indicated clients
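The following FreeRADIUS "users" file stanzas are an added example standing in for Figure 153; they are not reproduced from the guide. They assume the FreeRADIUS 2.x/3.x "users" file syntax (Cleartext-Password as the check item, and the += operator to send several instances of one reply attribute, which FreeRADIUS emits in file order) and the RADIUS-assigned ACE form the guide uses (action, "in", protocol, "from any to" destination, optional port). The spelling of the MAC address as username and password (12 hex digits, no separators, lower case) is an assumption about how the switch presents a MAC-authenticated client; match it to the address format configured for MAC authentication on your switch.

```text
# Username/password client. Three ACEs, evaluated top-down; the switch
# appends "deny in ip from any to any" after the last one, so the final
# "permit in ip from any to any" is what satisfies requirement 3.
mobilE011    Cleartext-Password := "run10kFast"
             Nas-Filter-Rule = "permit in tcp from any to 10.10.10.101 80",
             Nas-Filter-Rule += "deny in tcp from any to any 80",
             Nas-Filter-Rule += "permit in ip from any to any"

# MAC-authenticated client: the switch sends the MAC address as both the
# username and the password (assumed format: 12 hex digits, no separators).
08e99c4f0019 Cleartext-Password := "08e99c4f0019"
             Nas-Filter-Rule = "permit in tcp from any to 10.10.10.101 80",
             Nas-Filter-Rule += "deny in tcp from any to any 80",
             Nas-Filter-Rule += "permit in ip from any to any"
```

After reloading radiusd, radtest mobilE011 run10kFast <server> 0 <shared-secret> should return an Access-Accept carrying the three Nas-Filter-Rule attributes in that order; if they arrive in a different order the first-match evaluation on the switch changes the result. Two points worth checking against the requirements: "from any" here means the authenticated client, because RADIUS-assigned ACLs on these switches filter only traffic inbound from that client; and the ACL only constrains cleartext HTTP, since HTTPS (TCP 443) to other hosts is still allowed by the third ACE.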
Using HP VSA 63 to assign IPv6 and IPv4 ACLs
The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard attribute
(Nas-Filter-Rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an
authenticated client. For example, to use these attributes to configure a RADIUS-assigned ACL on
a FreeRADIUS server that filters both IPv6 and IPv4 traffic, perform these steps:
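As an added example (not from the guide, whose steps continue on the following page), the username stanza from step 3 extended with HP VSA 63 so that the same ACL also governs the client's IPv6 traffic. It assumes the HP vendor dictionary is loaded in FreeRADIUS so that the attribute name HP-Nas-Rules-IPv6 resolves (the name and the value 1 are the ones the guide gives), and that an IPv6 destination is written in the same ACE form as an IPv4 one; the address 2001:db8:10::101 is a documentation-prefix placeholder.

```text
# Same client as in step 3, now with VSA 63 so the rules cover IPv6 too.
# HP-Nas-Rules-IPv6 = 1 is a reply attribute sent alongside Nas-Filter-Rule.
mobilE011    Cleartext-Password := "run10kFast"
             HP-Nas-Rules-IPv6 = 1,
             Nas-Filter-Rule = "permit in tcp from any to 10.10.10.101 80",
             Nas-Filter-Rule += "permit in tcp from any to 2001:db8:10::101 80",
             Nas-Filter-Rule += "deny in tcp from any to any 80",
             Nas-Filter-Rule += "permit in ip from any to any"
```

Without HP-Nas-Rules-IPv6=1 the switch treats the Nas-Filter-Rule list as an IPv4 ACL only; on a dual-stack network, confirm on the switch what then happens to the client's IPv6 traffic, because an unfiltered IPv6 path to a dual-stacked web server would bypass the port-80 restriction the ACL is meant to enforce.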
204 RADIUS server support for switch services