Users Guide

276 Authentication, Authorization, and Accounting
The dynamic ACLs exist only for the duration of the 802.1X session. They are
removed when the 802.1X session is terminated (including for COA bounce-
host-port or COA termination requests) or when the port goes down
(unplugged or shut down). Any static ACLs previously removed from the port
are restored when the last 802.1X session ends. Note that the port is
unauthorized when the session ends, so the static rules are not actually
written into hardware. They are available for application if the RADIUS server
does not send an ACL or the port otherwise becomes authorized. The
administrator can override the port configuration and add a manually
configured ACL. If the administrator adds an ACL, only the DACL is
removed when the session ends.
The switch alters the dynamic ACL IP address filter; IP source addresses in
the DACL are rewritten to use the supplicant IP address if available.
Dynamic ACLs are supported for 802.1X enabled (authentication port-
control auto mode) ports configured in switchport access or general mode.
Only one dynamic IPv4 ACL and one dynamic IPv6 ACL may be associated
with an 802.1X session (for a total of two access-groups per 802.1X session).
Only two named ACLs (one IPv4 and one IPv6) are supported (for a total of
two access groups per 802.1X session) per received Access-Accept.
Dynamic ACLs are supported for ports configured in 802.1X Monitor Mode.
Syntax errors are logged in the Monitor Mode log. Monitor Mode behavior is
not altered; for example, if sufficient information to allow the host access
to the port is present, the host is allowed access to the port.
Dynamic ACLs are subject to the same hardware scale limitations as static
ACLs. If the ACL cannot be applied (resource limitation), then the Access-
Accept is treated as an Access-Reject and the port is not authorized. A log
message indicating this is issued ("Interface X/X/X not authorized. ACL
received from RADIUS server exceeds available resources"). No Acct-Start
packet is sent and an EAP-Failure is sent to the 802.1X client.
Dynamic ACLs may not exceed the size of a single RADIUS Access-Accept
packet. There is no support for multi-packet ACLs (the maximum dynamic ACL
size is 4000 ASCII characters). There is no support for Downloadable ACLs
where the NAS sends a second Access-Request to the RADIUS server to retrieve
an ACL.
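The constraints above (one IPv4 and one IPv6 ACL per Access-Accept, a 4000 ASCII character ceiling, and the switch rewriting every IP source address in the DACL to the supplicant's address) are easy to violate from the RADIUS side, and the failure mode is an Access-Accept silently treated as a reject. The following pre-flight checker is an added example written for this page, not code from the switch vendor or any RADIUS server; it models the page's rules so an administrator can test candidate ACLs before loading them into a RADIUS policy. The ACE line grammar it parses (`permit tcp 192.0.2.10 any eq 443`), the decision to leave `any` and mismatched address families untouched during the source rewrite, and the assumption that an ACL with no literal address counts as IPv4 are all assumptions made for illustration.

```python
"""Pre-flight checks for a RADIUS-delivered dynamic ACL, modelled on the
constraints in the guide text. Added example; ACE grammar is assumed."""
import ipaddress
import re
from dataclasses import dataclass

MAX_DACL_CHARS = 4000  # page-stated limit: one Access-Accept, 4000 ASCII characters

# Assumed ACE grammar for illustration: <permit|deny> <proto> <src> <dst> [options]
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")


def _family(token):
    """Return 4 or 6 if token is a literal IP address, else None ('any', ports, ...)."""
    try:
        return ipaddress.ip_address(token).version
    except ValueError:
        return None


def rewrite_source(ace, supplicant_ip):
    """Mimic the switch's rewrite of the DACL source field to the supplicant IP.
    Assumption: only a literal address of the supplicant's family is replaced;
    'any' and the other address family are left as-is."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"unparseable ACE: {ace!r}")
    action, proto, src, dst, rest = m.groups()
    supplicant = ipaddress.ip_address(supplicant_ip)
    if _family(src) == supplicant.version:
        src = str(supplicant)
    return f"{action} {proto} {src} {dst}{rest}"


@dataclass
class DynamicAcl:
    """One named ACL carried in an Access-Accept (constructed model)."""
    name: str
    lines: list

    @property
    def text(self):
        return "\n".join(self.lines)

    @property
    def family(self):
        """IP family inferred from the first literal address; 4 if none (assumption)."""
        for line in self.lines:
            for tok in line.split():
                version = _family(tok)
                if version:
                    return version
        return 4


def check_access_accept(acls):
    """Return the reasons the switch would refuse the ACLs in one Access-Accept.
    An empty list means every check modelled here passed."""
    problems = []
    per_family = {4: 0, 6: 0}
    for acl in acls:
        if len(acl.text) > MAX_DACL_CHARS:
            problems.append(f"{acl.name}: {len(acl.text)} chars exceeds {MAX_DACL_CHARS}")
        if not acl.text.isascii():
            problems.append(f"{acl.name}: non-ASCII characters present")
        for line in acl.lines:
            if not ACE_RE.match(line):
                problems.append(f"{acl.name}: syntax error in {line!r}")
        per_family[acl.family] += 1
    for family, count in per_family.items():
        if count > 1:
            problems.append(f"{count} IPv{family} ACLs in one Access-Accept; only one allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample: one IPv4 and one IPv6 ACL, as a policy might send them.
    sample = [
        DynamicAcl("guest-v4", ["permit tcp 192.0.2.10 any eq 443", "deny ip any any"]),
        DynamicAcl("guest-v6", ["permit ipv6 2001:db8::10 any"]),
    ]
    print("problems:", check_access_accept(sample) or "none")
    # Source rewrite as the switch would do it for a supplicant at 10.1.1.5
    for ace in sample[0].lines:
        print(rewrite_source(ace, "10.1.1.5"))
```

Running the script with the constructed sample reports no problems and shows the IPv4 ACE source rewritten to the supplicant's address while `deny ip any any` is unchanged; feeding it 300 ACEs or two IPv4 ACLs produces the corresponding refusal reasons.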