Access Security Guide K/KA/KB.15.15

NOTE:
Implicit Deny
Every RADIUS-assigned ACL ends with an implicit deny in ACE for both IPv4 and IPv6 traffic.
This implicit ACE denies any IP traffic that is not specifically permitted. To override this default,
configure an explicit permit in ip from any to any as the ACL's last explicit ACE.
Multiple clients in a RADIUS-assigned ACL environment
Where multiple clients are authenticated on the same port, if any of the clients has a
RADIUS-assigned ACL, then all of the authenticated clients on the port must have a
RADIUS-assigned ACL. In this case, the switch drops the IP traffic from any authenticated client
that does not have a RADIUS-assigned ACL, and deauthenticates that client.
Multiple clients sharing the same RADIUS-assigned ACL
When multiple clients supported by the same RADIUS server use the same credentials, they will all
be serviced by different instances of the same ACL. (The actual IP traffic inbound from any client
on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses
this MAC address to identify the traffic to be filtered.)
Effect of multiple ACL application types on an interface
The switch allows simultaneous use of all supported ACL application types on an interface. Thus,
a static ACL assigned to an interface filters authenticated client traffic, regardless of whether a
RADIUS-assigned ACL is also filtering the client's traffic. For more information, see “Multiple ACLs
on an interface” (page 310).
General ACL features, planning, and configuration
These steps suggest a process for using RADIUS-assigned ACLs to establish access policies for
client IP traffic.
1. Determine the policies you want to enforce for authenticated client traffic inbound on the switch.
2. Plan ACLs to execute traffic policies:
   • Apply ACLs on a per-client basis where individual clients need different traffic policies
     or where each client must have a different username/password pair or will authenticate
     using MAC authentication.
   • Apply ACLs on a client group basis where all clients in a given group can use the same
     traffic policy and the same username/password pair.
3. Configure the ACLs on a RADIUS server accessible to the intended clients.
4. Configure the switch to use the desired RADIUS server and to support the desired client
authentication scheme. Options include 802.1X, web-based authentication, or MAC
authentication. (Note that the switch supports the option of simultaneously using 802.1X with
either web-based or MAC authentication.)
5. Test client access on the network to ensure that your RADIUS-assigned ACL application is
properly enforcing your policies.
For further information common to all IPv4 or IPv6 ACL applications, see the IPv4 Configuration
Guide or IPv6 Configuration Guide for your switch.
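As an added example (not part of the guide or the switch firmware), the following Python model evaluates a RADIUS-assigned ACL the way the note and the multiple-client rule above describe: first matching ACE wins, an unmatched packet falls to the implicit deny, an explicit permit in ip from any to any at the end overrides that deny, and a port that mixes clients with and without RADIUS-assigned ACLs drops the clients that have none. The ACE syntax it accepts is a simplified assumption (exact address or any, optional port), and the sample ACL and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

# Assumed, simplified ACE syntax:
#   "<permit|deny> in <ip|tcp|udp|icmp> from <src|any> to <dst|any> [port]"
ACE_RE = re.compile(r"^(permit|deny) in (ip|tcp|udp|icmp) from (\S+) to (\S+)(?: (\d+))?$")
Ace = Tuple[str, str, str, str, Optional[int]]

@dataclass
class Packet:
    src_mac: str          # the switch keys each client's ACL instance on this address
    proto: str
    src_ip: str
    dst_ip: str
    dport: Optional[int] = None

def parse_ace(text: str) -> Ace:
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {text!r}")
    action, proto, src, dst, port = m.groups()
    return action, proto, src, dst, (int(port) if port else None)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    _, proto, src, dst, port = ace
    return ((proto == "ip" or proto == pkt.proto)
            and src in ("any", pkt.src_ip)
            and dst in ("any", pkt.dst_ip)
            and (port is None or port == pkt.dport))

def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching ACE wins; anything unmatched hits the implicit 'deny in ip from any to any'."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

def port_decision(clients: dict, pkt: Packet) -> str:
    """clients maps the MAC of each authenticated client on the port to its RADIUS-assigned
    ACL (list of ACE strings), or None when RADIUS returned no ACL for that client."""
    acl = clients.get(pkt.src_mac)
    if acl is None:
        # Once any client on the port has a RADIUS-assigned ACL, every client must have one.
        if any(v is not None for v in clients.values()):
            return "drop-and-deauthenticate"
        return "not-filtered"   # no RADIUS-assigned ACL on the port (a static ACL may still apply)
    return evaluate(acl, pkt)

# Constructed sample ACL: web and DNS permitted, everything else falls to the implicit deny.
SAMPLE_ACL = ["permit in tcp from any to any 80", "permit in udp from any to any 53"]
OPEN_ACL = SAMPLE_ACL + ["permit in ip from any to any"]   # explicit override of the implicit deny
```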
218 RADIUS server support for switch services