Administrator Guide

VmanQos : 0
EcfmAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
nlbclusteracl : 0
radiusv4acl : 2
Configure RADIUS-assigned DACL
The switch assigns a RADIUS-assigned DACL to a port or user regardless of any statically configured ACLs on a port or VLAN to which
the port is assigned.
The NAS applies RADIUS-assigned DACLs in one of two ways:
1. RADIUS NAS-Filter-Rule attribute - The RADIUS server pushes the defined DACLs when a supplicant gets authenticated. The ACLs
are not pre-provisioned in the NAS.
2. RADIUS filter-ID attribute - The RADIUS server indicates the ACL configured in the NAS to be applied to the supplicant and sends the
filter name to be used in the NAS. For the filter-ID attribute to work, the switch or NAS must have ACLs pre-configured before the
supplicants connect to the NAS.
NOTE: The system displays an error when both the filter-ID and RADIUS Filter Rule attributes are sent in the same RADIUS
Access-Accept frame.
RADIUS NAS-Filter-Rule attribute
The switch or NAS saves the RADIUS-assigned DACL rules under a filter name derived from the supplicant MAC addresses. The NAS
dynamically generates a filter for the rules downloaded through the RADIUS NAS-Filter-Rule attribute. The names of the downloaded filter
rules have a prefix __Rad followed by the supplicant MAC addresses.
The RADIUS NAS-Filter-Rule attribute indicates the filter rules to be applied for a specific supplicant. The RADIUS server includes the
RADIUS NAS-Filter-Rule attribute in the Access-Accept frame sent to the switch.
Dell EMC Networking OS supports only certain filters when configuring the ACLs in the RADIUS server.
Supported filters in RADIUS-assigned DACLs are:
L3 protocol number
Source IP address
Destination IP address
TCP and UDP port numbers
DSCP
ECN
ICMP type
Fragments
RADIUS-assigned DACLs have a unique name based on the supplicant MAC address.
The ACLs downloaded from the RADIUS server must match the syntax of Dell EMC Networking OS. The system discards any rule that
does not match the syntax. For more information about ACL configuration, see Dell EMC Configuration Guide and Dell EMC Command
Line Reference Guide.
NOTE: Do not modify the downloaded RADIUS-assigned DACLs using the OS9 CLI as they are generated dynamically
from the RADIUS server.
NOTE: Any change in the filter, such as adding or removing a filter rule, takes effect only after
re-authentication of the supplicant.
To view the RADIUS-assigned DACL, use the show ip accounting access-list or show dot1x interface command.
show ip accounting access-list output:
DellEMC#show ip accounting access-list
!
Extended Ingress IP access list test on GigabitEthernet 1/1
Total cam count 15
seq 5 permit ip host 1.1.1.1 host 2.2.2.2
seq 6 permit ip host 4.4.4.4 host 5.5.5.5
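The following is an added example, not part of the Dell EMC guide: a Python audit that parses show ip accounting access-list output in the format shown above and compares each __Rad filter with the rules the RADIUS policy is expected to push. The sample output, the MAC formatting in the ACL name, the rule text and the function names are constructed assumptions.

```python
import re

# Line formats as they appear in the guide's `show ip accounting access-list` output.
HEADER = re.compile(r"^\w+ Ingress IP access list (\S+) on (.+)$")
RULE = re.compile(r"^seq\s+\d+\s+(.+)$")
RAD_PREFIX = "__Rad"  # prefix the guide gives for RADIUS-downloaded filters

def parse_acls(output):
    """Return {acl_name: {"interface": str, "rules": [str, ...]}}."""
    acls, current = {}, None
    for line in map(str.strip, output.splitlines()):
        if m := HEADER.match(line):
            current = acls.setdefault(m.group(1), {"interface": m.group(2), "rules": []})
        elif (m := RULE.match(line)) and current is not None:
            current["rules"].append(" ".join(m.group(1).split()))
    return acls

def audit(output, expected):
    """Compare installed __Rad ACLs with expected = {acl_name: [rule, ...]}."""
    installed = {n: a["rules"] for n, a in parse_acls(output).items()
                 if n.startswith(RAD_PREFIX)}
    findings = []
    for name in sorted(set(installed) | set(expected)):
        if name not in installed:
            findings.append((name, "expected but not installed"))
        elif name not in expected:
            findings.append((name, "installed but not in RADIUS policy"))
        else:
            have, want = installed[name], expected[name]
            findings += [(name, "missing: " + r) for r in want if r not in have]
            findings += [(name, "unexpected: " + r) for r in have if r not in want]
    return findings

# Constructed sample: the ACL name's MAC format and the rules are assumptions.
SAMPLE = """\
DellEMC#show ip accounting access-list
!
Extended Ingress IP access list test on GigabitEthernet 1/1
Total cam count 15
seq 5 permit ip host 1.1.1.1 host 2.2.2.2
!
Extended Ingress IP access list __Rad001122334455 on GigabitEthernet 1/2
Total cam count 2
seq 5 permit ip host 10.0.0.5 host 10.0.0.9
seq 10 permit ip any any
"""
EXPECTED = {"__Rad001122334455": ["permit ip host 10.0.0.5 host 10.0.0.9",
                                  "deny ip any any"]}
if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED))
```

A "missing" finding is consistent with a rule the switch discarded for not matching the OS syntax or a policy change the supplicant has not yet re-authenticated to pick up; an "unexpected" finding points to a local modification or a stale filter.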