Access Security Guide K/KA/KB.15.15

3. For a given client username/password pair, create an ACL by entering one or more IPv6 and
IPv4 ACEs in the FreeRADIUS "users" file. Remember that an ACL created to filter both IPv4
and IPv6 traffic automatically includes an implicit "deny in ip from any to any" ACE at the end
of the ACL, so that any IPv4 or IPv6 traffic not explicitly permitted or denied by the ACL is
dropped. For example, to create ACL support for a client with the username "Admin01" and the
password "myAuth9", the ACL in this example must achieve the following:
• Permit HTTP (TCP port 80) traffic from the client to the device at FE80::a40.
• Deny HTTP (TCP port 80) traffic from the client to all other IPv6 addresses.
• Permit HTTP (TCP port 80) traffic from the client to the device at 10.10.10.117.
• Deny HTTP (TCP port 80) traffic from the client to all other IPv4 addresses.
• Deny Telnet (TCP port 23) traffic from the client to any IPv4 or IPv6 address.
• Permit all other IPv4 and IPv6 traffic from the client to all other devices.
To configure the above ACL, enter the username/password and ACE information, as shown
in this example:
Figure 156 Configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client with correct credentials.
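As an added example (not the guide's own Figure 156), the following FreeRADIUS "users" file entry implements the six requirements above for Admin01 using the standard attribute 92 (Nas-Filter-Rule). The ACE wording follows the "deny in ip from any to any" form the guide uses; treating "::/0" and "0.0.0.0/0" as "all other IPv6/IPv4 addresses" is an assumption about the switch's ACE parser.

```text
# FreeRADIUS "users" file entry (added example, not the guide's Figure 156).
# Check item: the client's password. Reply items: one Nas-Filter-Rule (RADIUS
# attribute 92) per ACE. ACEs are applied in the order listed, so the specific
# permits must come before the broader denies.
# Assumption: "::/0" and "0.0.0.0/0" mean "any IPv6/IPv4 destination".
Admin01    Cleartext-Password := "myAuth9"
        Nas-Filter-Rule  = "permit in tcp from any to fe80::a40 80",
        Nas-Filter-Rule += "deny in tcp from any to ::/0 80",
        Nas-Filter-Rule += "permit in tcp from any to 10.10.10.117 80",
        Nas-Filter-Rule += "deny in tcp from any to 0.0.0.0/0 80",
        Nas-Filter-Rule += "deny in tcp from any to any 23",
        Nas-Filter-Rule += "permit in ip from any to any"
# The switch appends the implicit "deny in ip from any to any" after the last
# ACE; the final explicit "permit in ip from any to any" above is what keeps
# the remaining IPv4 and IPv6 traffic from being dropped by it.
```

Before relying on it, confirm with `radtest Admin01 myAuth9 <server> 0 <secret>` that the Access-Accept carries all six Nas-Filter-Rule attributes in this order, since a missing or reordered ACE silently changes what the switch enforces.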
Using HP VSA 61 to assign IPv4 ACLs
Software release K.14.01 continues to support the HP VSA 61 vendor-specific method of earlier
releases for enabling RADIUS-based IPv4 ACL assignments on the switch. The recommended use
of this option is to support legacy ACL configurations that rely on VSA 61. Beginning with software
release K.14.01, HP recommends using the standard attribute (92) for new, RADIUS-based IPv4
ACLs; see pages 220 and 203.
This example uses the HP VSA attribute 61 for configuring RADIUS-assigned IPv4 ACL support on
FreeRADIUS for two different client identification methods (username/password and MAC address).
1. Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file:
Figure 157 Configuring the VSA for RADIUS-assigned IPv4 ACLs in a FreeRADIUS server
206 RADIUS server support for switch services