Users Guide

Authentication, Authorization, and Accounting 271
of filtering any matching ingress traffic, regardless of which authentication
session actually instantiated the DACL. Do not apply both DACLs and
DiffServ policies on a port at the same time.
NOTE: 802.1X port-control auto mode ports are restricted to a single data
device and a single voice device by default (host mode multi-domain
multi-host). This restriction is enforced by implicitly filtering incoming
traffic based upon the MAC address of the authenticating client.
DACLs contained in an 802.1X re-authentication Access-Accept replace the
DACLs instantiated in the existing session. DACLs are never applied to hosts
authenticated into the Guest or Unauthenticated VLAN. DACLs are
compatible with RADIUS VLAN assignment.
Filter-ID Support
The switch supports the association of preconfigured access-lists to an 802.1X
authenticated port as presented in the IETF Filter-ID (11) RADIUS attribute
(RFC 2865) in an Access-Accept message, if the switch is configured to accept
it. The port may be configured in 802.1X port-control auto or mac-based mode.
If DACL capability is not enabled, or the port is not configured for 802.1X
port-control auto or mac-based mode, Filter-ID attributes are ignored (as if
they were not present in the message) and authentication proceeds in the
normal manner. Other RADIUS attributes (for example, Tunnel-Medium-Type,
Tunnel-Type, Tunnel-Private-Group-ID, and so on) are processed in the
normal manner. The named ACL must exist on the switch and can be of any
ACL type (MAC, IPv4, or IPv6).
When the identified ACL is applied, all statically-configured ACLs on the
port are removed and the new ACL is configured prior to 802.1X authorizing
the port. When the 802.1X session terminates, the dynamic ACL is removed
and the pre-existing ACLs are restored to the port.
If no access list exists matching the Filter-ID, the Access-Accept is treated as
an Access-Reject and the port is not authorized. A log message to that effect
is issued:
Interface X/X/X not authorized. Filter-ID XXXX selected by server x.y.z.x is not present on switch
No Acct-Start packet is sent and an EAP-Failure is sent to the 802.1X client.
Note that the name in a Filter-ID may be the number of an ACL in the form
<ACL#.in>, such as 100.in. If both a Filter-ID and a vendor proprietary
AV-Pair (26) ip:inacl or ipv6:inacl attribute are present in the
Access-Accept, the Access-Accept is treated as an Access-Reject and the