Administrator Guide

Standard compliance
Dell EMC Networking OS complies with the following standards:
RFC4849 for RADIUS NAS-Filter-Rule attribute
RFC2865 for Filter-Id attribute
Configuration notes
Consider the following when configuring RADIUS-assigned DACL in the switch:
RADIUS-assigned DACLs apply only to inbound traffic on a specific port of the switch or supplicant.
The NAS supports unique sessions based on RADIUS-assigned DACLs, using the MAC address of the 802.1x client.
RADIUS-assigned DACLs and ACLs configured through the OS9 CLI can coexist. RADIUS-assigned DACLs take higher precedence over the L3 ACL configured using the OS9 CLI.
IPv6 NAS-Filter-Rule attributes are not supported as part of RADIUS-assigned DACLs.
Change of Authorization (CoA) Action requests on the RADIUS NAS-Filter-Rule attributes are not supported.
The attributes in RADIUS NAS-Filter-Rule support only the L3 options.
RADIUS-assigned DACLs have an implicit permit. To block all other traffic, explicitly configure the deny rule deny ip any any.
The maximum size of the RADIUS-assigned DACLs through the NAS-Filter-Rule attribute is 4000 characters. It can be a single rule or multiple rules.
The names of ACLs configured using the OS9 CLI must be different from the names of the RADIUS-assigned DACLs downloaded from the RADIUS server.
After switch failover, you must do the following on the interface before changing any dot1x-related configurations:
1. Shut down the interface using the shutdown command.
2. Bring up the interface using the no shutdown command.
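The following pre-deployment check is an added example, not Dell EMC code. It lints a DACL definition against the configuration notes above before the definition is placed on the RADIUS server. The function name, the sample DACL name and rules, the OS9-style rule syntax (modelled on deny ip any any) and counting the 4000-character limit as the sum of rule lengths are assumptions.

```python
import ipaddress

MAX_DACL_CHARS = 4000              # size limit from the configuration notes
CATCH_ALL_DENY = "deny ip any any"  # explicit rule that overrides the implicit permit


def _is_ipv6(token):
    """Return True if the token parses as an IPv6 address or prefix."""
    if ":" not in token:
        return False
    try:
        return ipaddress.ip_network(token, strict=False).version == 6
    except ValueError:
        return False


def lint_dacl(name, rules, cli_acl_names=()):
    """Return a list of findings for one RADIUS-assigned DACL.

    rules is the ordered list of NAS-Filter-Rule strings (assumed syntax).
    cli_acl_names holds the ACL names already configured in the OS9 CLI.
    """
    findings = []
    # Collapse whitespace so comparisons do not depend on spacing.
    rules = [" ".join(r.split()) for r in rules if r.strip()]
    if name in cli_acl_names:
        findings.append(f"name '{name}' collides with an ACL configured in the CLI")
    total = sum(len(r) for r in rules)  # assumption: limit counts rule text only
    if total > MAX_DACL_CHARS:
        findings.append(f"{total} characters exceeds the {MAX_DACL_CHARS}-character limit")
    for n, rule in enumerate(rules, 1):
        if any(_is_ipv6(t) for t in rule.split()):
            findings.append(f"rule {n}: IPv6 NAS-Filter-Rule is not supported")
    if not rules or rules[-1].lower() != CATCH_ALL_DENY:
        findings.append(f"no final '{CATCH_ALL_DENY}': unmatched traffic is permitted")
    return findings


# Constructed sample data, not taken from a real deployment.
SAMPLE_RULES = [
    "permit ip any 10.10.0.0/16",
    "permit ip any 2001:db8::/32",
]

if __name__ == "__main__":
    for finding in lint_dacl("GUEST-DACL", SAMPLE_RULES, cli_acl_names={"GUEST-DACL"}):
        print(finding)
```
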
Allocate CAM for RADIUS-assigned DACL
Allocate the CAM region to use the RADIUS-assigned DACL. Reload the switch for the CAM allocation to take effect.
To allocate a CAM region for RADIUS-assigned DACL, use the cam-acl command. Enter the radius-v4acl allocation as a multiple of 2 (2, 4, 6, 8). The maximum number of FP blocks allocated for RADIUS-assigned DACLs is 8.
NOTE: Dell EMC Networking OS displays an error when a CAM region is not allocated for RADIUS-assigned DACLs and does not authenticate the supplicant.
To allocate the space for RADIUS-assigned DACL, use the following command:
Allocate a CAM region to apply RADIUS-assigned DACL.
EXEC mode
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos | vman-dual-qos number ecfmacl number nlbcluster number ipv4pbr number openflow number | fcoe number iscsioptacl number [vrfv4acl number] radius-v4acl number}
The maximum number of ACL entries supported is 1024.
To verify the CAM allocated for RADIUS-assigned DACL, use the show cam-acl command.
DellEMC#show cam-acl
-- Chassis Cam ACL --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl : 2
Ipv4Acl : 4
Ipv6Acl : 2
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0