Access Security Guide K/KA/KB.15.15

The packet-filtering process
Packet-filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit deny
any any following the last explicit ACE. This operation is the same regardless of whether the ACL
is applied dynamically from a RADIUS server or statically in the switch configuration.
CAUTION: ACLs can enhance network security by blocking selected IP traffic, and can serve as
one aspect of maintaining network security. However, because ACLs do not provide user or device
authentication, or protection from malicious manipulation of data carried in IP packet transmissions,
they should not be relied upon for a complete security solution.
NOTE: If a RADIUS-assigned ACL permits an authenticated client's inbound IP packet, but the client port
is also configured with a static port ACL and/or belongs to a VLAN for which there is an inbound,
VLAN-based ACL configured on the switch, then the packet will also be filtered by these other
ACLs. If there is a match with a deny ACE in any of these ACLs, the switch drops the packet.
Operating rules for RADIUS-assigned ACLs
Relating a client to a RADIUS-assigned ACL
A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under
the authentication credentials the server should expect for that client. If the client must
authenticate using 802.1X and/or web-based authentication, the username/password pair
forms the credential set. If authentication is through MAC Authentication, then the client MAC
address forms the credential set. See “Configuring an ACL in a RADIUS server” (page 220).
Multiple clients using the same username/password pair
Multiple clients using the same username/password pair will use duplicate instances of the
same ACL.
Limits for ACEs in RADIUS-assigned ACLs
The switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related
client authentication to fail.
Effect of other, statically configured ACLs
Suppose that port B1 belongs to VLAN "Y" and has a RADIUS-assigned ACL to filter inbound
traffic from an authenticated client. Port B1 is also configured with IPv4 and IPv6 static port
ACLs, and VLAN "Y" is statically configured with IPv4 and IPv6 VACLs.
IP traffic entering the switch on port B1 from the client and having a match with a deny
ACE configured in any of the ACLs mentioned above will be dropped.
If an inbound RACL was also configured on VLAN "Y", then a deny match in the RACL
would apply to any inbound, routed IPv4 traffic from the client (and to any inbound,
switched traffic having a destination on the switch itself).
If an outbound RACL was also configured on VLAN "Y", then any outbound, routed IPv4
traffic leaving the switch through the port B1 would be filtered by the outbound RACL.
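The following Python model illustrates the sequential first-match evaluation described under "The packet-filtering process", the 80-character ACE limit, and the port B1 scenario above, where a packet is dropped if any of the RADIUS-assigned ACL, the static port ACL or the VACL denies it. It is an added example, not switch firmware or HPE code; the ACE fields, the sample ACLs and the packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_ACE_CHARS = 80  # per-ACE limit the guide states for RADIUS-assigned ACLs

@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                     # source prefix, "0.0.0.0/0" meaning any
    dst: str                     # destination prefix
    dport: Optional[int] = None  # None matches any destination port

def ace_matches(ace: ACE, pkt: dict) -> bool:
    return (ace.proto in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(ace.src, strict=False)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(ace.dst, strict=False)
            and (ace.dport is None or ace.dport == pkt.get("dport")))

def filter_acl(acl: list, pkt: dict) -> str:
    """First match wins, top to bottom; the implicit 'deny any any' after the
    last explicit ACE catches whatever falls through."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def switch_decision(applied: dict, pkt: dict) -> str:
    """An inbound packet is forwarded only if every ACL on its path permits it;
    a deny match (explicit or implicit) in any one of them drops it."""
    for name, acl in applied.items():
        if filter_acl(acl, pkt) == "deny":
            return f"drop:{name}"
    return "forward"

def oversized_aces(acl_lines: list) -> list:
    """Return ACE strings over the 80-character limit; the guide says such an
    ACE makes the client's authentication fail, so catch it before deployment."""
    return [line for line in acl_lines if len(line) > MAX_ACE_CHARS]

ANY = "0.0.0.0/0"
# Constructed sample for port B1: a RADIUS-assigned ACL for the authenticated
# client, a static port ACL on B1, and a VACL on VLAN "Y" (inbound direction).
APPLIED = {
    "radius": [ACE("permit", "tcp", ANY, "10.10.10.0/24", 80),
               ACE("permit", "udp", ANY, "10.10.0.53/32", 53)],
    "static_port": [ACE("deny", "ip", ANY, "10.10.10.200/32"),
                    ACE("permit", "ip", ANY, ANY)],
    "vacl": [ACE("permit", "ip", ANY, ANY)],
}
```

Run `switch_decision(APPLIED, pkt)` with a packet dict of `proto`, `src`, `dst` and optional `dport` to see which ACL, if any, drops it.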
Effect of RADIUS-assigned ACLs on inbound traffic for multiple clients on the same port
On a port configured for 802.1X user-based access where multiple clients are connected, if
a given client's authentication results in a RADIUS-assigned ACL, then the authentication of
any other client concurrently using the port must also include a RADIUS-assigned ACL. Thus,
if a RADIUS server is configured to assign a RADIUS-assigned ACL when client "X"
authenticates, but is not configured to do the same for client "Y" on the same port, then traffic
from client "Y" will be blocked whenever client "X" is authenticated on the port (and client
"Y" will be deauthenticated). For this reason, if multiple clients are authenticated on a port,
a separate RADIUS-assigned ACL (or a separate assignment instance of the same ACL) must
Overview 219