Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch N2100 Series

351

352

353

354

355

356

357

358

359

360

354 Authentication, Authorization, and Accounting

• The DiffServ policy specified in the attribute must already be configured

on the switch, and the policy names must be identical.

For information about configuring a DiffServ policy, see "DiffServ

Configuration Examples" on page 1533. The example "Providing Subnets

Equal Access to External Network" on page 1533, describes how to

configure a policy named internet_access.

If you use an authentication server to assign DiffServ policies to an

authenticated user, note the following guidelines:

• If the policy specified within the server Filter-id attribute does not exist on

the switch, authentication will fail.

• Do not delete policies used as the Filter-id by the RADIUS server while

802.1X is enabled.

• Do not use the DiffServ service-policy command to apply the filter to an

interface if you configure the RADIUS server or 802.1X authenticator to

assign the DiffServ filter.

In the following example, Company XYZ uses IEEE 802.1X to authenticate

all users. Contractors and temporary employees at Company XYZ are not

permitted to have access to SSH ports, and data rates for Web traffic is

limited. When a contractor is authenticated by the RADIUS server, the server

assigns a DiffServ policy to control the traffic restrictions.

The network administrator configures two DiffServ classes: cl-ssh and cl-http.

The class cl-ssh matches all incoming SSH packets. The class cl-http matches

all incoming HTTP packets. Then, the administrator configures a traffic

policy called con-pol and adds the cl-ssh and cl-http. The policy is configured

so that SSH packets are to be dropped, and HTTP data rates are limited to 1

MB with a burst size of 64 Kbps. HTTP traffic that exceeds the limit is

dropped.

The host ports, ports 1–23, are configured to use MAC-based dot1x

authentication to allow the DiffServ policy to be applied. Finally,

the

administrator configures the RADIUS server with the attribute

Filter-id (11)=

“con-pol” (steps not shown).

To configure the switch:

Configure the DiffServ traffic class that matches SSH traffic.

console#configure

console(config)#class-map match-all cl-ssh

console(config-classmap)#match dstl4port 22

console(config-classmap)#exit