Users Guide

Authentication, Authorization, and Accounting 275
Restrictions and Caveats
Only ingress ACLs are supported. Dynamic ACLs are supported only for ports
in General or Access mode when configured in 802.1X port-control auto or
mac-based modes.
The processing of dynamic ACL VSAs is controlled by the [no] radius server
vsa send authentication command. The default is disabled. No other VSAs (such
as voice VLAN) are affected by this configuration.
Either traffic-class av-pairs or multiple ip:inacl/ipv6:inacl av-pairs may be
present in the RADIUS message, but not both. If both are present, or there
are syntax errors in the received ACLs (other than duplicate rules), the ACL
rules are not applied, the RADIUS Access-Accept is treated as an
Access-Reject, and a WARN log message ("Interface X/X/X not authorized.
Application of downloaded ACL did not complete due to invalid syntax XXXXX")
is issued. The message indicates that a received RADIUS rule is misconfigured
with invalid syntax or configured with both ip:traffic-class and inacl rules,
and identifies the RADIUS server and the affected interface. If Accounting is
enabled, the Acct-Start packet is not sent. An EAP-Failure is sent to the
802.1X client.
The VSAs may appear in any order in the RADIUS message. A mixture of
in/out and IPv4/IPv6 rules may be present in the RADIUS message to be
parsed into the four Access-Groups. Rules are separated by newlines
(either CR or CR/LF). Upper and lower case are both accepted in rule text; the
strings ip:traffic-class, ip:inacl, ... are always in lower case. The optional
digits following the # symbol indicate the ACL number in the access list.
The rules are applied in the order they appear in the RADIUS packet (the
ACL numbers indicate the relative internal priority). Duplicate entries
(identical number) in the Access-Accept message follow the same behavior as
exists in the UI today (overwrite the previous entry). Conflicting rules are
handled in the same manner as if configured via the CLI.
RADIUS-supplied dynamic ACLs are applied at the access-group level after
removing all statically configured access groups/traffic filters on the port and
before any policies specified in Filter-ID. The following order is observed for
application of the access-groups: IPv6-DACL-IN, IP-DACL-IN, IPv6-V
DACL-IN, IP-V DACL-IN. Empty rule sets are not applied to the port. The
phrase "statically configured access-groups" does not include denial of service
or storm control configurations, as they use different internal hardware.
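The acceptance rules above (CR or CR/LF separated rules, lower-case attribute strings, optional #number, duplicate numbers overwriting, and traffic-class/inacl mixing or a syntax error turning the Access-Accept into a reject) can be modelled as a small pre-check that an administrator runs against the av-pairs a RADIUS server is about to send. This is an added example, not the switch vendor's code; it assumes Cisco-style `<attr>[#<n>]=<rule>` framing and treats a rule as syntactically valid when it begins with permit or deny, neither of which the guide states.

```python
"""Model of the NAS-side acceptance check for RADIUS dynamic-ACL av-pairs.
Constructed example, not vendor code. Assumed, not stated in the guide: av-pairs
are framed Cisco-style '<attr>[#<n>]=<rule>' and a rule is syntactically valid
when it starts with permit or deny."""
import re
from typing import Dict, List, Optional, Tuple

# Attribute strings are always lower case; the '#<digits>' ACL number is optional.
_AVPAIR = re.compile(r"^(ip:inacl|ipv6:inacl|ip:traffic-class)(?:#(\d+))?=(.*)$")
_RULE_SEP = re.compile(r"\r\n|\r")  # rules are separated by CR or CR/LF
_GROUP_FOR = {"ip:inacl": "IP-DACL-IN", "ipv6:inacl": "IPv6-DACL-IN",
              "ip:traffic-class": "IP-TRAFFIC-CLASS"}
Entry = Tuple[Optional[int], int, str]  # (acl number, arrival position, rule)

# Constructed Access-Accept payload: rule #10 appears twice and the second copy wins.
SAMPLE_VSAS = ("ip:inacl#10=permit tcp any any eq 443\rip:inacl#20=deny ip any any\r\n"
               "ipv6:inacl#10=PERMIT ipv6 any any\rip:inacl#10=permit tcp any any eq 80")

def _add(group: List[Entry], num: Optional[int], pos: int, rule: str) -> None:
    """An identical ACL number overwrites the earlier entry, as on the CLI."""
    if num is not None:
        for i, (n, _, _) in enumerate(group):
            if n == num:
                group[i] = (num, pos, rule)
                return
    group.append((num, pos, rule))

def parse_dynamic_acls(vsa_text: str) -> Tuple[bool, object]:
    """Return (True, {access-group: [rules]}) or (False, reason). A False result
    is the case where the Access-Accept must be treated as an Access-Reject."""
    groups: Dict[str, List[Entry]] = {}
    for pos, line in enumerate(_RULE_SEP.split(vsa_text)):
        line = line.strip()
        if not line:
            continue
        m = _AVPAIR.match(line)
        words = m.group(3).split() if m else []
        # Rule keywords may be upper or lower case; the attribute prefix may not.
        if not m or not words or words[0].lower() not in ("permit", "deny"):
            return False, f"Application of downloaded ACL did not complete due to invalid syntax {line!r}"
        attr, num, rule = m.groups()
        _add(groups.setdefault(_GROUP_FOR[attr], []), int(num) if num else None, pos, rule)
    if "IP-TRAFFIC-CLASS" in groups and len(groups) > 1:
        return False, "both ip:traffic-class and inacl rules present"
    # Order by ACL number (relative priority), unnumbered rules last in arrival
    # order; empty rule sets are dropped rather than applied to the port.
    ordered = {g: [r for _, _, r in sorted(e, key=lambda t: (t[0] is None, t[0] or 0, t[1]))]
               for g, e in groups.items() if e}
    return True, ordered
```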