Users Guide

296 Authentication, Authorization, and Accounting
Note that 802.1X auto mode ports are restricted to a single data device and a
single voice device by default. This restriction is enforced by implicitly
filtering incoming traffic based upon the MAC address of the authenticating
client.
DACLs contained in an 802.1X re-authentication Access-Accept replace the
DACLs instantiated in the existing session. DACLs are never applied to hosts
authenticated into the Guest or Unauthenticated VLAN. DACLs are
compatible with RADIUS VLAN assignment.
Filter-ID Support
The switch supports associating preconfigured access lists with an 802.1X-
authenticated port, as named in the IETF Filter-ID (11) RADIUS attribute
(RFC 2865) of an Access-Accept message, if the switch is configured to accept
it. The port must be configured in 802.1X auto mode. If DACL capability is not
enabled, or the port is not configured for 802.1X auto mode, Filter-ID
attributes are ignored (as if they were not present in the message) and
authentication proceeds in the normal manner. Other RADIUS attributes
(for example, Tunnel-Medium-Type, Tunnel-Type, Tunnel-Private-Group-ID,
and so on) are still processed in the normal manner. The named ACL must
already exist on the switch and can be of any ACL type (MAC, IPv4, or IPv6).
When the identified ACL is applied, all statically configured ACLs on the
port are removed and the new ACL is configured before 802.1X authorizes
the port. When the 802.1X session terminates, the dynamic ACL is removed
and the pre-existing static ACLs are restored to the port.
If no access list matching the Filter-ID exists on the switch, the
Access-Accept is treated as an Access-Reject and the port is not authorized.
A log message to that effect is issued (Interface X/X/X not authorized.
Filter-ID XXXX selected by server x.y.z.x is not present on switch). No
Acct-Start packet is sent, and an EAP-Failure is sent to the 802.1X client.
Note that the value of a Filter-ID may also be the number of an ACL in the
form <ACL#>.in, such as 100.in.
If both a Filter-ID and a Cisco AV-Pair (26) are present in the
Access-Accept, the Access-Accept is likewise treated as an Access-Reject and
the port is not authorized. A log message to that effect is issued
(Interface X/X/X not authorized. RADIUS Access-Accept/COA-Request contains
both Filter-ID(11) and AV-Pair(26) attributes). No Acct-Start packet is
sent, and an EAP-Failure is sent to the 802.1X client.
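The following is an added example, not code from the guide or from the switch
vendor: a small Python model of the Filter-ID decision rules in this section,
run over a constructed RADIUS Access-Accept attribute list. It parses the
Type/Length/Value attribute encoding of RFC 2865, recognises a Cisco AV-Pair
inside a Vendor-Specific (26) attribute, and then applies the rules above:
Filter-ID is ignored unless the port is in 802.1X auto mode with DACLs
enabled, an Access-Accept carrying both Filter-ID and AV-Pair is rejected, a
Filter-ID naming an ACL that is not on the switch is rejected with the log
text shown above, and Tunnel-Private-Group-ID is still processed. The ACL
inventory, the port name Gi1/0/5, the server address, and the interpretation
of the <ACL#>.in form as "numbered ACL <ACL#>" are assumptions made for the
example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 2865 attribute types used below. 26 is Vendor-Specific; Cisco's vendor ID is 9
# and its AV-Pair is vendor-type 1. Tunnel-Private-Group-ID (81) is from RFC 2868.
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1

# Constructed inventory of ACLs "on the switch" (name -> type); not from the guide.
SWITCH_ACLS: Dict[str, str] = {"guest-acl": "ipv4", "100": "ipv4", "voice-mac": "mac"}


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type/Length/Value attribute list of a RADIUS packet body (RFC 2865, section 5)."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one attribute; the length octet covers the two-octet header too."""
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) attribute carrying one Cisco AV-Pair."""
    v = text.encode()
    vsa = bytes([CISCO_AVPAIR_TYPE, len(v) + 2]) + v
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def is_cisco_avpair(value: bytes) -> bool:
    return (len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
            and value[4] == CISCO_AVPAIR_TYPE)


@dataclass
class Port:
    name: str
    auto_mode: bool = True      # port is in 802.1X auto mode
    dacl_enabled: bool = True   # DACL capability is enabled on the switch


@dataclass
class Decision:
    authorized: bool
    acl: Optional[str] = None   # dynamic ACL applied for the session
    vlan: Optional[str] = None  # from Tunnel-Private-Group-ID, processed regardless
    log: Optional[str] = None
    acct_start: bool = False
    eap_failure: bool = False


def resolve_acl(filter_id: str, acls: Dict[str, str]) -> Optional[str]:
    """Match a Filter-ID value by ACL name, or as '<ACL#>.in' (assumed to mean numbered ACL <ACL#>)."""
    if filter_id in acls:
        return filter_id
    base, dot, suffix = filter_id.rpartition(".")
    if dot and suffix == "in" and base.isdigit() and base in acls:
        return base
    return None


def authorize(port: Port, server: str, acls: Dict[str, str],
              attrs: List[Tuple[int, bytes]]) -> Decision:
    """Apply the guide's Filter-ID rules to a parsed Access-Accept attribute list."""
    filter_ids = [v.decode("ascii", "replace") for t, v in attrs if t == FILTER_ID]
    avpairs = [v for t, v in attrs if t == VENDOR_SPECIFIC and is_cisco_avpair(v)]
    vlan = None
    for t, v in attrs:
        if t == TUNNEL_PRIVATE_GROUP_ID:
            vlan = (v[1:] if v and v[0] <= 0x1F else v).decode()  # strip RFC 2868 tag octet
    if not (port.auto_mode and port.dacl_enabled):
        # Filter-ID is ignored as if absent; authentication proceeds normally.
        return Decision(True, vlan=vlan, acct_start=True)
    if filter_ids and avpairs:
        return Decision(False, eap_failure=True, log=(
            f"Interface {port.name} not authorized. RADIUS Access-Accept/COA-Request "
            "contains both Filter-ID(11) and AV-Pair(26) attributes"))
    if not filter_ids:
        return Decision(True, vlan=vlan, acct_start=True)
    acl = resolve_acl(filter_ids[0], acls)  # first Filter-ID only (assumption; the guide covers one)
    if acl is None:
        return Decision(False, eap_failure=True, log=(
            f"Interface {port.name} not authorized. Filter-ID {filter_ids[0]} "
            f"selected by server {server} is not present on switch"))
    # Static ACLs come off the port and the dynamic ACL goes on before the port is authorized.
    return Decision(True, acl=acl, vlan=vlan, acct_start=True)


def run_case(body: bytes, auto_mode: bool = True, dacl_enabled: bool = True) -> Decision:
    """Helper: parse a constructed Access-Accept body and authorize hypothetical port Gi1/0/5."""
    port = Port("Gi1/0/5", auto_mode, dacl_enabled)
    return authorize(port, "10.1.1.10", SWITCH_ACLS, parse_attributes(body))


def demo() -> Decision:
    """Access-Accept with Filter-ID 'guest-acl' and a tagged Tunnel-Private-Group-ID of VLAN 100."""
    return run_case(attribute(FILTER_ID, b"guest-acl") + attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x00100"))
```

Calling demo() yields an authorized decision with acl "guest-acl" and vlan
"100"; swapping the Filter-ID for b"nosuch", or adding cisco_avpair(...) to
the body, produces the two reject cases with their log text, no Acct-Start
and an EAP-Failure. The parser raises ValueError on a truncated or
over-long attribute rather than silently reading past the end, which is the
check a real RADIUS client needs before any of the attribute values are
trusted.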