Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch N4000 Series

361

362

363

364

365

366

367

368

369

370

368 Authentication, Authorization, and Accounting

• The ACL or DiffServ policy specified in the attribute must already be

configured on the switch, and the ACL/policy names must be identical to

the one sent by the RADIUS server.

For information about configuring a DiffServ policy, see "DiffServ

Configuration Examples" on page 1547. For information about configuring

a Dynamic ACL, see "Dynamic ACL Overview" on page 295. The example

"Providing Subnets Equal Access to External Network" on page 1547,

describes how to configure a policy named internet_access.

If you use an authentication server to assign ACLs or DiffServ policies to an

authenticated user, note the following guidelines:

• If the policy or ACL specified within the server Filter-ID attribute does not

exist on the switch, authentication will fail.

• If a DiffServ policy and ACL have the same name, the named ACL is

applied.

• Do not delete policies or ACLs used as the Filter-ID by the RADIUS server

while 802.1X is enabled.

• Do not use the DiffServ service-policy command to apply the filter to an

interface if you configure the RADIUS server or 802.1X authenticator to

assign the DiffServ filter.

In the following example, Company XYZ uses IEEE 802.1X to authenticate

all users. Contractors and temporary employees at Company XYZ are not

permitted to have access to SSH ports, and data rates for Web traffic is

limited. When a contractor is authenticated by the RADIUS server, the server

assigns a DiffServ policy to control the traffic restrictions.

The network administrator configures two DiffServ classes: cl-ssh and cl-http.

The class cl-ssh matches all incoming SSH packets. The class cl-http matches

all incoming HTTP packets. Then, the administrator configures a traffic

policy called con-pol and adds the cl-ssh and cl-http. The policy is configured

so that SSH packets are to be dropped, and HTTP data rates are limited to 1

MB with a burst size of 64 Kbps. HTTP traffic that exceeds the limit is

dropped.

The host ports, ports 1–23, are configured to use MAC-based dot1x

authentication to allow the DiffServ policy to be applied. Finally,

the

administrator configures the RADIUS server with the attribute

Filter-id (11)=

“con-pol” (steps not shown).