Users Guide

312 Authentication, Authorization, and Accounting
vendor proprietary AV-Pair (26) ip:inacl or ipv6:inacl attribute are present in
the Access-Accept, the Access-Accept is treated as an Access-Reject and the
port is not authorized. A log message indicating same is issued (Interface
X/X/X not authorized. RADIUS Access-Accept/COA-Request contains both
Filter-ID(11) and AV-Pair(26) attributes). No Acct-Start packet is sent and an
EAP-Failure is sent to the 802.1X client.
Dynamic ACLs using the Filter-ID syntax are always enabled.
Filter-ID syntax:
Named ACL - printable character string of the form <ACLNAME>.<Direction>,
for example, Filter-id="test_static.in"
Filter-ID example:
Named_ACL - printable character string of the form Filter-id="test_static.in".
Preconfigured or Dynamic ACLs
The switch also supports the application of preconfigured ACLs or the
configuration and application of dynamically created Access Lists to an
802.1X authenticated port as presented in a series of vendor proprietary VSA
(009/001) AV-pair (26) attributes in a RADIUS Access-Accept. If dynamic
ACL capability is not enabled, VSA 26 attributes are ignored as if they were not
present in the message, and authentication proceeds in the normal manner.
Other RADIUS attributes (for example, Tunnel-Medium-Type, Tunnel-Type,
Tunnel-Private-Group-ID, and so on) are processed in the normal manner.
Dynamic ACLs using the VSA AV-Pair syntax may be enabled by configuring
the radius server vsa send authentication command.
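The attribute handling described in the Filter-ID and VSA paragraphs above, as an added example that is not the switch vendor's code: it decodes the attribute area of a RADIUS Access-Accept, recognises Filter-ID (11) in the <ACLNAME>.<Direction> form and vendor 9 / type 1 AV-Pairs beginning with ip:inacl or ipv6:inacl, and returns the outcome the guide specifies (reject when both are present, VSA ignored when dynamic ACLs are not enabled). The encoder helpers and the sample AV-Pair text used in the checks are constructed for illustration; treating a disabled-DACL case as "Filter-ID only" is this example's reading of "ignored as if not present".

```python
import struct

FILTER_ID, VENDOR_SPECIFIC = 11, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # the guide's VSA (009/001) AV-Pair

def attr(atype, value):
    """Encode one RFC 2865 attribute (type, length, value); used here to build constructed samples."""
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text):
    """Encode a Vendor-Specific value: vendor-id 9, vendor-type 1, vendor-length, then the string."""
    body = text.encode("ascii")
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(body) + 2) + body

def decode_attributes(raw):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(raw):
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs

def is_inacl_avpair(value):
    """True for a vendor 9 / type 1 AV-Pair whose text begins with ip:inacl or ipv6:inacl."""
    if len(value) < 6:
        return False
    vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
    if (vendor_id, vtype) != (CISCO_VENDOR_ID, CISCO_AVPAIR) or vlen != len(value) - 4:
        return False
    return value[6:].decode("ascii", "replace").startswith(("ip:inacl", "ipv6:inacl"))

def parse_filter_id(value):
    """Filter-ID is <ACLNAME>.<Direction>, e.g. test_static.in; split on the last dot."""
    name, sep, direction = value.decode("ascii").rpartition(".")
    if not sep or not name or direction not in ("in", "out"):
        raise ValueError("bad Filter-ID syntax: %r" % value)
    return name, direction

def acl_decision(raw, dacl_enabled):
    """Outcome the guide describes: 'reject' when both kinds are present, else which ACL source applies."""
    attrs = decode_attributes(raw)
    filter_ids = [v for t, v in attrs if t == FILTER_ID]
    avpairs = [v for t, v in attrs if t == VENDOR_SPECIFIC and is_inacl_avpair(v)]
    if not dacl_enabled:
        avpairs = []  # VSA 26 is ignored unless "radius server vsa send authentication" is configured
    if filter_ids and avpairs:
        return "reject"  # Access-Accept treated as Access-Reject; port is not authorized
    if filter_ids:
        return "filter-id:" + parse_filter_id(filter_ids[0])[0]
    return "dacl" if avpairs else "none"
```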
The switch will configure the rules in IPv4 or IPv6 Extended Access Lists
named IP-DACL-IN-<session-id># where <session-id> is the
user presentable 802.1X session suffix. The corresponding IPv6 naming
convention is IPV6-DACL-IN-<session-id>. Note that the # sign is
not an acceptable character for an ACL name, which prevents the DACL from
being edited or removed via the UI. The original ACL, if any, is restored to the
port after the 802.1X session terminates. Only ingress ACLs are supported.
If there is an error applying the ACL to the port, a WARN log message
indicating same is issued (Interface X/X/X not authorized.
Application of downloaded ACL XXX did not complete due