Users Guide

272 Authentication, Authorization, and Accounting
port is not authorized. A log message indicating same is issued (Interface X/X/X not authorized. RADIUS Access-Accept/COA-Request contains both Filter-ID(11) and AV-Pair(26) attributes). No Acct-Start packet is sent and an EAP-Failure is sent to the 802.1X client.
Dynamic ACLs using the Filter-ID syntax are always enabled.
Filter-ID syntax:
Named ACL - printable character string of the form <ACLNAME>.<Direction>.
Filter-ID example:
Named ACL - Filter-id="test_static.in"
Preconfigured or Dynamic ACLs
The switch also supports the application of preconfigured ACLs or the
configuration and application of dynamically created Access Lists to an
802.1X authenticated port as presented in a series of vendor-proprietary VSA
(009/001) AV-Pair (26) attributes in a RADIUS Access-Accept. If dynamic
ACL capability is not enabled, VSA 26 attributes are ignored as if they were not
present in the message and authentication proceeds in the normal manner.
Other RADIUS attributes (for example, Tunnel-Medium-Type, Tunnel-Type,
Tunnel-Private-Group-ID, and so on) are processed in the normal manner.
Dynamic ACLs using the VSA AV-Pair syntax may be enabled by configuring
the radius server vsa send authentication command.
The switch will configure the rules in IPv4 or IPv6 Extended Access Lists
named IP-DACL-IN-<port-id># where <port-id> is the user-presentable
short form port name, such as Te1/0/1. The corresponding IPv6
naming convention is IPV6-DACL-IN-<port-id>. DACLs for the Voice
VLAN are named IP-V DACL-IN-<port-id>#d. Note that the # sign is not
an acceptable character for an ACL name, which prevents the DACL from
being edited or removed via the UI. The original ACL, if any, is restored to the
port after the 802.1X session terminates. Only ingress ACLs are supported.
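The following is an added worked example, not code from the guide or the switch firmware. It models the attribute handling described above for one Access-Accept: it walks the RADIUS attribute TLVs, picks out Filter-ID (11) and the VSA (009/001) AV-Pair (26), rejects the session when both are present, parses the <ACLNAME>.<Direction> Filter-ID form, ignores AV-Pairs when VSA dynamic ACLs are not enabled, and derives the IP-DACL-IN-<port-id># name. The packet bytes are constructed for the example; the AV-Pair payload strings ("acl-rule-1", ...) are placeholders because the page does not define that payload's syntax, and the "Malformed Filter-ID" outcome and the "in"-only direction check are assumptions based on the note that only ingress ACLs are supported.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard RADIUS attribute types and the VSA (009/001) AV-Pair from the text:
# Vendor-Specific (26) carrying vendor id 9, vendor type 1.
FILTER_ID = 11
VENDOR_SPECIFIC = 26
VSA_VENDOR_ID = 9
VSA_AVPAIR_TYPE = 1


def parse_attributes(payload: bytes) -> Tuple[List[str], List[str]]:
    """Walk the TLV attribute list of a RADIUS packet body and return
    (filter_ids, avpairs). Every length field is bounds-checked so a
    malformed attribute raises instead of being read past the buffer."""
    filter_ids: List[str] = []
    avpairs: List[str] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        value = payload[i + 2:i + alen]
        if atype == FILTER_ID:
            filter_ids.append(value.decode("ascii"))
        elif atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("VSA sub-attribute length out of range")
            if vendor_id == VSA_VENDOR_ID and vtype == VSA_AVPAIR_TYPE:
                avpairs.append(value[6:4 + vlen].decode("ascii"))
        i += alen
    return filter_ids, avpairs


@dataclass
class Decision:
    authorized: bool
    log: str
    acl_name: Optional[str] = None
    rules: List[str] = field(default_factory=list)


def authorize_port(port: str, payload: bytes, vsa_dacl_enabled: bool = True) -> Decision:
    """Apply the guide's rules for one Access-Accept on one 802.1X port."""
    filter_ids, avpairs = parse_attributes(payload)
    if not vsa_dacl_enabled:
        # Without VSA dynamic ACLs enabled the AV-Pairs are treated as absent.
        avpairs = []
    if filter_ids and avpairs:
        return Decision(False, f"Interface {port} not authorized. RADIUS "
                        "Access-Accept/COA-Request contains both Filter-ID(11) "
                        "and AV-Pair(26) attributes")
    if filter_ids:
        # Filter-ID is <ACLNAME>.<Direction>; the named ACL must already exist.
        name, sep, direction = filter_ids[0].rpartition(".")
        if not sep or direction != "in":  # assumption: only ingress is supported
            return Decision(False, f"Interface {port} not authorized. "
                            f"Malformed Filter-ID {filter_ids[0]!r}")  # assumed message
        return Decision(True, f"Interface {port} authorized with ACL {name} ({direction})",
                        acl_name=name)
    if avpairs:
        acl = f"IP-DACL-IN-{port}#"  # naming convention from the text
        return Decision(True, f"Interface {port} authorized with dynamic ACL {acl}",
                        acl_name=acl, rules=list(avpairs))
    return Decision(True, f"Interface {port} authorized, no ACL attributes")


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (type, length, value)."""
    return bytes([atype, len(value) + 2]) + value


def avpair(text: str) -> bytes:
    """Encode one VSA (009/001) AV-Pair inside a Vendor-Specific attribute."""
    data = text.encode("ascii")
    sub = bytes([VSA_AVPAIR_TYPE, len(data) + 2]) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VSA_VENDOR_ID) + sub)


# Constructed sample attribute lists, not captured traffic.
ACCEPT_FILTER_ONLY = attr(FILTER_ID, b"test_static.in")
ACCEPT_VSA_ONLY = avpair("acl-rule-1") + avpair("acl-rule-2")
ACCEPT_BOTH = ACCEPT_FILTER_ONLY + ACCEPT_VSA_ONLY

if __name__ == "__main__":
    for label, pkt in (("filter", ACCEPT_FILTER_ONLY), ("vsa", ACCEPT_VSA_ONLY), ("both", ACCEPT_BOTH)):
        print(label, authorize_port("Te1/0/1", pkt))
```

Run as a script to see the three outcomes; the "both" case reproduces the not-authorized log message from the text, and the same packet with `vsa_dacl_enabled=False` falls back to the Filter-ID path because the AV-Pairs are ignored.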
If there is an error applying the ACL to the port, a WARN log message indicating same is issued (Interface X/X/X not authorized. Application of downloaded ACL XXX did not complete due to resource exhaustion) and the Access-Accept is treated as an