Users Guide

Authentication, Authorization, and Accounting 297
Dynamic ACLs using the Filter-ID syntax are always enabled.
Filter-ID syntax:
Named ACL - printable character string of the form <ACLNAME>.<Direction>
(the ACL name, a period, then the direction), for example,
Filter-id="test_static.in"
Filter-ID example:
Filter-id="test_static.in" applies the preconfigured named ACL test_static
in the ingress (in) direction to the authenticated port. The ACL must already
exist on the switch; the Filter-ID form carries no rules of its own.
Preconfigured or Dynamic ACLs
The switch also supports the application of preconfigured ACLs, or the
configuration and application of dynamically-created Access Lists, to an
802.1X authenticated port as presented in a series of Cisco VSA (Vendor ID 9,
vendor type 1, Cisco-AVPair) av-pair attributes carried in attribute 26 of a
RADIUS Access-Accept. If dynamic ACL capability is not enabled, the attribute
26 VSAs are ignored as if they were not present in the message and
authentication proceeds in the normal manner. Other RADIUS attributes (for
example, Tunnel-Medium-Type, Tunnel-Type, Tunnel-Private-Group-ID, and so
on) are processed in the normal manner.
Dynamic ACLs using the VSA AV-Pair syntax may be enabled by configuring
the radius server vsa send authentication command.
The switch configures the rules in IPv4 or IPv6 Extended Access Lists named
IP-DACL-IN-<port-id>#d, where <port-id> is the user-presentable short form
port name, such as Te1/0/1. The corresponding IPv6 naming convention is
IPV6-DACL-IN-<port-id>#d. DACLs for the Voice VLAN are named
IP-V-DACL-IN-<port-id>#d. Note that the # sign is not an acceptable
character in an administrator-created ACL name, which prevents the DACL from
being edited or removed via the UI; it exists only for the lifetime of the
802.1X session. The original ACL, if any, is restored to the port after the
802.1X session terminates. Only ingress ACLs are supported.
If there is an error applying the ACL to the port, a WARN log message to that
effect is issued ("Interface X/X/X not authorized. Application of downloaded
ACL XXX did not complete due to resource exhaustion") and the Access-Accept
is treated as an Access-Reject, so a DACL that cannot be installed fails
closed rather than leaving the port authorized without its filter. The port is
not authorized. Any previously configured ACLs are added back to the port. If
Accounting is enabled, the Acct-Start packet is not sent, and an EAP-Failure
packet is sent to the 802.1X client.
The VSA av-pair is coded as follows: Attribute 26 (Vendor-Specific), Vendor ID
9 (Cisco), Vendor type 1 (Cisco-AVPair), matching the 009/001 notation above.
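The following is an added example, not code from this guide or from the switch, showing both attribute forms described on this page end to end: it builds a RADIUS Access-Accept containing a Filter-Id (attribute 11) of the form <ACLNAME>.<Direction> plus Cisco av-pairs encoded as attribute 26 / Vendor ID 9 / vendor type 1, computes the Response Authenticator from RFC 2865, and then parses the packet the way a switch would, rejecting a forged authenticator, an unsupported direction, or an ACL name containing "#". The shared secret, the Request Authenticator, the RADIUS ID and the av-pair rule strings (written in the Cisco "ip:inacl#N=" style, which this page does not spell out) are all constructed assumptions for the example.

```python
import hashlib
import struct

# RADIUS constants from RFC 2865 and the Cisco VSA dictionary
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1  # vendor type 1 = Cisco-AVPair

# Constructed test inputs (assumptions, not values from the guide)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # stands in for the Access-Request Authenticator
RADIUS_ID = 7


def attr(attr_type, value):
    """Encode one RADIUS attribute as type / length / value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode a Cisco av-pair as attribute 26, Vendor ID 9, vendor type 1."""
    payload = text.encode()
    if len(payload) > 247:  # 253 minus 4 (vendor id) minus 2 (vendor type/length)
        raise ValueError("av-pair too long for one VSA")
    vendor_data = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, 2 + len(payload))
    return attr(ATTR_VENDOR_SPECIFIC, vendor_data + payload)


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept; Response Authenticator per RFC 2865 section 3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def authenticator_ok(packet, request_auth, secret):
    """True if the Response Authenticator matches the shared secret."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[4:20] == expected


def parse_access_accept(packet, request_auth, secret):
    """Return (filter_ids, cisco_avpairs) from a verified Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    if not authenticator_ok(packet, request_auth, secret):
        raise ValueError("bad Response Authenticator (forged packet or wrong secret)")
    filter_ids, avpairs = [], []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_FILTER_ID:
            filter_ids.append(value.decode())
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            # Only Cisco-AVPair is meaningful here; other VSAs are ignored
            if vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                avpairs.append(value[6:].decode())
        pos += alen
    return filter_ids, avpairs


def parse_filter_id(filter_id):
    """Split <ACLNAME>.<Direction>; only the ingress direction is supported."""
    name, sep, direction = filter_id.rpartition(".")
    if not sep or not name or direction != "in":
        raise ValueError(f"unsupported Filter-Id {filter_id!r}: expected <ACLNAME>.in")
    if "#" in name:
        raise ValueError("'#' is not an acceptable character in an ACL name")
    return name, direction


def demo_packet():
    """Constructed Access-Accept with one Filter-Id and two Cisco av-pairs."""
    rules = [
        "ip:inacl#10=permit tcp any any eq 80",  # assumed Cisco av-pair syntax
        "ip:inacl#20=deny ip any any",
    ]
    attrs = [attr(ATTR_FILTER_ID, b"test_static.in")] + [cisco_avpair(r) for r in rules]
    return build_access_accept(RADIUS_ID, REQUEST_AUTH, SECRET, attrs)


def demo():
    """Parse the constructed packet; returns (filter_ids, avpairs, (name, dir))."""
    fids, avps = parse_access_accept(demo_packet(), REQUEST_AUTH, SECRET)
    return fids, avps, parse_filter_id(fids[0])


if __name__ == "__main__":
    print(demo())
```

The authenticator check is the part worth keeping in mind when reasoning about dynamic ACLs: an Access-Accept that carries filter rules is only as trustworthy as the shared secret, and a switch that skipped the Response Authenticator check would install whatever ACL an on-path attacker chose. The direction check mirrors the guide's statement that only ingress ACLs are supported.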