Access Security Guide K/KA/KB.15.15

be applied for each authenticated client. Inbound IP traffic from any client whose authentication
does not result in a RADIUS-assigned ACL will be blocked and the client will be deauthenticated.
Also, if 802.1X port-based access is configured on the port, only one client can be
authenticated on the port at any given time. In this case, no other inbound client traffic is
allowed.
Configuring an ACL in a RADIUS server
The following information provides general guidelines for configuring a RADIUS server to specify
RADIUS-assigned ACLs. It also provides an example configuration for a FreeRADIUS server
application. To configure services on a specific RADIUS server application, see the documentation
provided with that application.
NOTE: This application requires a RADIUS server having an IPv4 address. Clients can be
dual-stack, IPv4-only or IPv6-only.
A RADIUS-assigned ACL configuration in a RADIUS server includes the following elements:
• Nas-Filter-Rule attributes — standard and vendor-specific
• ACL configuration, entered in the server, associated with specific username/password or MAC address criteria, and comprised of ACEs entered in the server
A RADIUS-assigned ACL includes:
• One or more explicit permit and/or deny ACEs
• An implicit "deny in ip from any to any" ACE, automatically applied after the last operator-created ACE
Nas-Filter-Rule-Options
Table 22 Nas-Filter-Rule Attribute Options

Service: ACLs Applied to Client Traffic Inbound to the Switch
  Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port.
Control method and operating notes: Standard Attribute: 92
  Beginning with software release K.14.01, this is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 and IPv6 traffic.
  Entry for IPv4-Only ACE To Filter Client Traffic:
    Nas-filter-Rule="<permit or deny ACE>" (Standard Attribute 92)
  For example:
    Nas-filter-Rule=permit in tcp from any to any
  Entries for IPv4/IPv6 ACE To Filter Client Traffic:
    HP-Nas-Rules-IPv6=<1|2> (VSA, where 1=IPv4 and IPv6 traffic, and 2=IPv4-only traffic.)
    Nas-filter-Rule="<permit or deny ACE>" (Standard Attribute 92)
  For example:
    HP-Nas-Rules-IPv6=1
    Nas-filter-Rule="permit in tcp from any to any"
  Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client will be dropped. For details on the IPv6 option, see "Nas-Filter-Rule-Options" (page 220).

Service: Set IP Mode
  Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering capability in an ACE.
Control method and operating notes: HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute)
  When using the standard attribute (92) described above in a RADIUS-assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client,
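The following is an added illustration, not vendor code from this guide, of the rules stated in the list and in Table 22: how a switch would evaluate one authenticated client's inbound packet against its RADIUS-assigned ACL, including the implicit deny, the missing-ACL case and the HP-Nas-Rules-IPv6 check. The ACE grammar "<permit|deny> in <proto> from <src> to <dst>" with "any" or CIDR endpoints, and the sample reply attributes, are assumptions.

```python
"""Model of RADIUS-assigned ACL evaluation for one client's inbound traffic.
Assumed ACE grammar: '<permit|deny> in <proto> from <src> to <dst>', where
<proto> is 'ip', 'tcp', 'udp' or 'icmp' and <src>/<dst> is 'any' or a CIDR prefix."""
import ipaddress

# Constructed sample reply attributes, as a RADIUS server might return them.
SAMPLE_ATTRS = {
    "HP-Nas-Rules-IPv6": 1,            # 1 = filter IPv4 and IPv6, 2 = IPv4 only
    "Nas-filter-Rule": [
        "permit in tcp from any to 10.1.1.0/24",
        "permit in tcp from any to 2001:db8::/32",
    ],
}

def parse_ace(text):
    """Split one ACE into its fields; raise ValueError if it is malformed."""
    w = text.split()
    if (len(w) != 7 or w[0] not in ("permit", "deny") or w[1] != "in"
            or w[3] != "from" or w[5] != "to"):
        raise ValueError("bad ACE: %r" % text)
    return {"action": w[0], "proto": w[2], "src": w[4], "dst": w[6]}

def _addr_match(pattern, addr):
    """'any' matches everything; otherwise the address must fall in the prefix."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def client_allowed(attrs, src, dst, proto):
    """Return True if the switch would forward this packet from the client.
    - No Nas-filter-Rule in the reply: client traffic is blocked (and the
      client deauthenticated).
    - IPv6 is dropped unless HP-Nas-Rules-IPv6 is present and set to 1.
    - First matching ACE decides; an implicit 'deny in ip from any to any'
      follows the last operator-created ACE."""
    rules = attrs.get("Nas-filter-Rule") or []
    if not rules:
        return False
    if ipaddress.ip_address(src).version == 6 and attrs.get("HP-Nas-Rules-IPv6") != 1:
        return False
    for ace in map(parse_ace, rules):
        if (ace["proto"] in ("ip", proto) and _addr_match(ace["src"], src)
                and _addr_match(ace["dst"], dst)):
            return ace["action"] == "permit"
    return False  # implicit deny in ip from any to any
```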
220 RADIUS server support for switch services