Access Security Guide K/KA/KB.15.15

Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1
See Table 22 (page 220) for information on the above attributes.
Explicitly permit only the IPv4 traffic from an authenticated client
Any of the following three options for ending a RADIUS-assigned ACL explicitly permit all of the
client's inbound IPv4 traffic not previously permitted or denied. These options also deny any of the
client's IPv6 traffic not previously permitted or denied.
Nas-filter-Rule += permit in ip from any to any
(Using this attribute to permit IPv4 traffic from the client while denying any IPv6
traffic from the client assumes that HP-Nas-Rules-IPv6=1 does not exist elsewhere
in the ACL. See Table 22 (page 220) for more on HP-Nas-Rules-IPv6.)
HP-Nas-Filter-Rule += permit in ip from any to any
Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=2
Explicitly denying inbound traffic from an authenticated client
Any of the following three options for ending a RADIUS-assigned ACL explicitly deny all of the
client's inbound IPv4 and IPv6 traffic not previously permitted or denied.
Nas-filter-Rule += deny in ip from any to any
HP-Nas-Filter-Rule += deny in ip from any to any
Nas-filter-Rule += deny in ip from any to any HP-Nas-Rules-IPv6=2
Implicitly denying any IP traffic
For any packet being filtered by a RADIUS-assigned ACL, there is always a match: any packet that
does not match an explicit permit or deny ACE in the list matches the implicit deny any any ACE
automatically included at the end of the ACL. In other words, every RADIUS-assigned ACL ends with
an implicit deny in ip from any to any ACE, which denies any IPv4 and IPv6 traffic not
previously permitted or denied.
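The following is an added example, not code from the HP guide or the switch firmware. It models how the switch evaluates a RADIUS-assigned ACL built from the Nas-filter-Rule, HP-Nas-Filter-Rule and HP-Nas-Rules-IPv6 attributes discussed above: the first matching ACE wins, and an implicit deny in ip from any to any ends every list. Two points are assumptions inferred from the text rather than taken from Table 22: Nas-filter-Rule ACEs cover IPv6 only when HP-Nas-Rules-IPv6=1 is present (absent or =2 means IPv4 only), and HP-Nas-Filter-Rule ACEs cover IPv4 only. Only the "permit|deny in <proto> from <src> to <dst>" ACE form is parsed, and the sample attribute lists are constructed for the demonstration.

```python
# Added example (not HP's code): model of RADIUS-assigned ACL evaluation.
# Assumptions inferred from the text, not verified against Table 22:
#   - Nas-filter-Rule ACEs apply to IPv6 only when HP-Nas-Rules-IPv6=1 is
#     present; when it is absent or set to 2 they apply to IPv4 only.
#   - HP-Nas-Filter-Rule ACEs apply to IPv4 only.
# Only the "permit|deny in <proto> from <src> to <dst>" ACE form is parsed.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

IMPLICIT_DENY = "deny in ip from any to any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp", "icmp", ...

    @property
    def version(self) -> int:
        return ipaddress.ip_address(self.src).version


def parse_ace(text: str) -> dict:
    """Parse 'permit|deny in <proto> from <src> to <dst>' into a dict."""
    parts = text.split()
    if (len(parts) != 7 or parts[0] not in ("permit", "deny")
            or parts[1] != "in" or parts[3] != "from" or parts[5] != "to"):
        raise ValueError(f"unsupported ACE syntax: {text!r}")
    return {"text": text, "action": parts[0], "proto": parts[2],
            "src": parts[4], "dst": parts[6]}


def build_acl(attributes: list[tuple[str, str]]) -> dict:
    """Assemble the ACL from (attribute, value) pairs of an Access-Accept."""
    aces, ipv6_mode = [], None
    for name, value in attributes:
        if name == "HP-Nas-Rules-IPv6":
            ipv6_mode = int(value)
        elif name == "Nas-filter-Rule":
            aces.append(("nas", parse_ace(value)))
        elif name == "HP-Nas-Filter-Rule":
            aces.append(("hp", parse_ace(value)))
        # any other RADIUS attribute is irrelevant to the ACL and ignored
    return {"aces": aces, "ipv6_mode": ipv6_mode}


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # ip_network membership is False when the address family differs
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: dict, pkt: Packet) -> tuple[str, str]:
    """Return (action, ACE text) for the first match, else the implicit deny."""
    for kind, ace in acl["aces"]:
        if pkt.version == 6 and (kind == "hp" or acl["ipv6_mode"] != 1):
            continue  # this ACE does not cover IPv6 traffic
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if _addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst):
            return ace["action"], ace["text"]
    return "deny", "implicit " + IMPLICIT_DENY


# Constructed samples of what a RADIUS server might return for one client.
SAMPLE_IPV4_ONLY = [
    ("Nas-filter-Rule", "permit in tcp from any to 10.10.10.0/24"),
    ("Nas-filter-Rule", "deny in ip from any to 10.10.0.0/16"),
    ("Nas-filter-Rule", "permit in ip from any to any"),  # no HP-Nas-Rules-IPv6=1
]
SAMPLE_DUAL_STACK = SAMPLE_IPV4_ONLY + [("HP-Nas-Rules-IPv6", "1")]
SAMPLE_EXPLICIT_DENY = [
    ("Nas-filter-Rule", "permit in tcp from any to 10.10.10.0/24"),
    ("Nas-filter-Rule", "deny in ip from any to any"),
    ("HP-Nas-Rules-IPv6", "2"),
]

if __name__ == "__main__":
    for label, attrs in (("ipv4-only", SAMPLE_IPV4_ONLY),
                         ("dual-stack", SAMPLE_DUAL_STACK),
                         ("explicit-deny", SAMPLE_EXPLICIT_DENY)):
        acl = build_acl(attrs)
        for pkt in (Packet("10.1.1.5", "10.10.10.7", "tcp"),
                    Packet("10.1.1.5", "10.10.20.7", "udp"),
                    Packet("10.1.1.5", "192.0.2.1", "udp"),
                    Packet("2001:db8::10", "2001:db8::1", "tcp")):
            print(label, pkt, "->", evaluate(acl, pkt))
```

Running the script shows the point of the preceding paragraphs: with the IPv4-only list, an IPv6 packet never matches an explicit ACE and is dropped by the implicit deny even though the list ends with permit in ip from any to any; adding HP-Nas-Rules-IPv6=1 makes that same final ACE permit the IPv6 packet.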
Monitoring shared resources
Currently active, RADIUS-based authentication sessions (including HP IDM client sessions) using
RADIUS-assigned ACLs share internal switch resources with several other features. The switch
provides ample resources for all features. However, if the internal resources do become fully
subscribed, new RADIUS-based sessions using RADIUS-assigned ACLs cannot be authenticated
until the necessary resources are released from other applications.
For information on determining the current resource availability and usage, see “Monitoring
Resources” in the Management and Configuration Guide for your switch.
For a summary of ACL resource limits, see the topics covering scalability in the latest
Management and Configuration Guide for your switch.
Event log messages
See the Event Log Message Reference Guide for information about Event Log messages.
Overview 225