Administrator Guide

Dell EMC Networking OS applies the downloaded DACLs to an interface or to specific supplicant sessions or users on the interface. The OS9
switch uses RADIUS-assigned DACLs to filter L3 traffic entering the switch from authenticated supplicants that have a RADIUS-assigned
DACL configured in the RADIUS server. This feature allows centralized administration of security policies for access devices in
enterprises, without the need to manage access policies on the individual devices.
Standard compliance
Dell EMC Networking OS complies with the following standards:
RFC 4849 for the RADIUS NAS-Filter-Rule attribute
RFC 2865 for the Filter-Id attribute
Configuration notes
Consider the following when configuring RADIUS-assigned DACL in the switch:
RADIUS-assigned DACLs apply only to inbound traffic on a specific port of the switch or from a specific supplicant.
The NAS supports unique sessions based on RADIUS-assigned DACLs, using the MAC address of the 802.1x client.
RADIUS-assigned DACLs and ACLs configured through the OS9 CLI can coexist. RADIUS-assigned DACLs take higher precedence
over the L3 ACL configured using the OS9 CLI.
IPv6 NAS-Filter-Rule attributes are not supported as part of RADIUS-assigned DACLs.
Change of Authorization (CoA) Action requests on the RADIUS NAS-Filter-Rule attributes are not supported.
The attributes in RADIUS NAS-Filter-Rule support only the L3 options.
RADIUS-assigned DACLs end with an implicit permit. To block all other traffic, explicitly configure the rule deny ip any any
in the DACL.
The maximum size of the RADIUS-assigned DACLs through NAS-Filter-Rule attribute is 4000 characters. It can be a single rule or
multiple rules.
The names of ACLs configured using the OS9 CLI must be different from the name of the RADIUS-assigned DACLs downloaded from
the RADIUS server.
After a switch failover, you must do the following on the interface before changing any dot1x-related configuration:
1. Shut down the interface using the shutdown command.
2. Bring the interface up using the no shutdown command.
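The following pre-deployment check is an added example, not Dell EMC code: it lints one supplicant's NAS-Filter-Rule strings against the notes above (4000-character limit, no IPv6, implicit permit, ACL name uniqueness). The name lint_dacl, the summing of the character count across rules, the placement of the catch-all deny as the last rule, and the sample rules are assumptions made for illustration.

```python
import ipaddress

MAX_DACL_CHARS = 4000                 # size limit from the configuration notes
CATCH_ALL_DENY = "deny ip any any"    # explicit rule the notes give to block other traffic

def _has_ipv6(rule):
    """True if any token in the rule parses as an IPv6 address or prefix."""
    for token in rule.replace(",", " ").split():
        try:
            if ipaddress.ip_network(token, strict=False).version == 6:
                return True
        except ValueError:
            continue                  # keywords, ports and other non-address tokens
    return False

def lint_dacl(rules, filter_id=None, local_acl_names=()):
    """Return (severity, message) findings for one supplicant's DACL.

    rules           -- NAS-Filter-Rule strings in the order the server sends them
    filter_id       -- DACL name carried in Filter-Id, if any
    local_acl_names -- ACL names already configured through the OS9 CLI
    """
    findings = []
    # Assumption: the limit applies to the combined length of all rule strings.
    total = sum(len(r) for r in rules)
    if total > MAX_DACL_CHARS:
        findings.append(("error", f"DACL is {total} characters, limit is {MAX_DACL_CHARS}"))
    for index, rule in enumerate(rules, start=1):
        if _has_ipv6(rule):
            findings.append(("error", f"rule {index} uses IPv6, which is not supported"))
    # Assumption: rules are evaluated in order, so the catch-all deny belongs last.
    normalized = [" ".join(r.lower().split()) for r in rules]
    if not normalized or normalized[-1] != CATCH_ALL_DENY:
        findings.append(("warning", "no trailing 'deny ip any any': unmatched traffic is permitted"))
    if filter_id is not None and filter_id in local_acl_names:
        findings.append(("error", f"DACL name '{filter_id}' collides with a CLI-configured ACL"))
    return findings

# Constructed sample input, not taken from a real RADIUS server.
SAMPLE_RULES = [
    "permit ip any 10.1.1.0/24",
    "permit ip any 2001:db8::/32",
]

if __name__ == "__main__":
    for severity, message in lint_dacl(SAMPLE_RULES, "GUEST-DACL", {"GUEST-DACL"}):
        print(f"{severity}: {message}")
```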
Allocate CAM for RADIUS-assigned DACL
Allocate the CAM region to use the RADIUS-assigned DACL. Reload the switch for the CAM allocation to take effect.
To allocate a CAM region for RADIUS-assigned DACL, use the cam-acl command. Enter the radius-v4acl allocation as a multiple of 2
(2, 4, 6, 8). The maximum number of FP blocks allocated for RADIUS-assigned DACLs is 8.
NOTE: Dell EMC Networking OS displays an error when a CAM region is not allocated for RADIUS-assigned DACLs and
does not authenticate the supplicant.
To allocate the space for RADIUS-assigned DACL, use the following command:
Allocate a CAM region to apply RADIUS-assigned DACL.
EXEC mode
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt
number ipmacacl number vman-qos | vman-dual-qos number ecfmacl number nlbcluster number ipv4pbr
number openflow number | fcoe number iscsioptacl number [vrfv4acl number] radius-v4acl number}
The maximum number of ACL entries supported is 1024.
To verify the CAM allocated for RADIUS-assigned DACL, use the show cam-acl command.
DellEMC#show cam-acl
-- Chassis Cam ACL --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl : 2
Ipv4Acl : 4
Ipv6Acl : 2
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0