Administrator Guide

aaa authentication login default radius local
2. Specify the protocol for authentication.
CONFIGURATION mode
aaa radius auth-method mschapv2
3. Establish a host address and password.
CONFIGURATION mode
radius-server host H key K
4. Log in to the switch using the console, Telnet, or SSH with a valid user role.
When single-factor authentication is used, the authentication succeeds and you can access the switch. When two-factor
authentication is used, the system prompts you to enter a one-time password as a second step of authentication. If a valid
one-time password is supplied, the authentication succeeds and you can access the switch.
RADIUS-assigned dynamic access control lists
Dell EMC Networking OS supports RADIUS-assigned dynamic access control lists (DACLs) to control the traffic from
authenticated supplicants.
RADIUS-assigned DACLs control Layer 3 (L3) traffic from a supplicant authenticated by the RADIUS server using 802.1x or MAC
Authentication Bypass (MAB). The RADIUS server pushes the DACLs to an OS9 switch that acts as the network access server
(NAS). Dell EMC Networking OS applies the downloaded DACLs to an interface or to specific supplicant sessions or users on
that interface. The OS9 switch uses RADIUS-assigned DACLs to filter L3 traffic entering the switch from authenticated
supplicants for which a RADIUS-assigned DACL is configured on the RADIUS server. This feature allows centralized
administration of security policies for access devices in enterprises, without the need to handle the access policies on the
individual devices.
Standard compliance
Dell EMC Networking OS complies with the following standards:
RFC4849 for the RADIUS NAS-Filter-Rule attribute
RFC2865 for the Filter-Id attribute
Configuration notes
Consider the following when configuring RADIUS-assigned DACLs on the switch:
RADIUS-assigned DACLs apply only to inbound traffic on a specific port of the switch or from a specific supplicant.
The NAS supports unique sessions for RADIUS-assigned DACLs, identified by the MAC address of the 802.1x client.
RADIUS-assigned DACLs and ACLs configured through the OS9 CLI can coexist. RADIUS-assigned DACLs take precedence
over L3 ACLs configured using the OS9 CLI.
IPv6 NAS-Filter-Rule attributes are not supported as part of RADIUS-assigned DACLs.
Change of Authorization (CoA) action requests on the RADIUS NAS-Filter-Rule attributes are not supported.
The attributes in RADIUS NAS-Filter-Rule support only the L3 options.
RADIUS-assigned DACLs are implicit permit: traffic that matches no rule is allowed. To block all other traffic, configure an
explicit deny rule, deny ip any any.
The maximum size of a RADIUS-assigned DACL carried in the NAS-Filter-Rule attribute is 4000 characters, whether it consists
of a single rule or multiple rules.
The names of ACLs configured using the OS9 CLI must be different from the names of the RADIUS-assigned DACLs
downloaded from the RADIUS server.
After a switch failover, you must do the following on the interface before changing any dot1x-related configuration:
1. Shut down the interface using the shutdown command.
2. Bring the interface up using the no shutdown command.
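As an added example (not from the Dell EMC guide or OS9 itself), a small Python pre-check that a RADIUS administrator can run over a DACL before publishing it in NAS-Filter-Rule attributes. It applies the constraints listed in the notes above: the 4000-character limit, no IPv6 rules, a trailing explicit deny ip any any because the DACL is implicit permit, and no name shared with a CLI-configured ACL. The rule syntax is assumed to follow the deny ip any any form shown on this page; the ACL names and sample policies are constructed.

```python
import re

# Added example, not part of the Dell EMC guide. Checks a candidate
# RADIUS-assigned DACL against the constraints the guide lists before it
# is placed in NAS-Filter-Rule attributes on the RADIUS server.
MAX_DACL_CHARS = 4000  # limit stated in the guide's configuration notes
# Assumed rule shape, based on the page's "deny ip any any": action, protocol, rest.
ACTION_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.+)$")
# An "ipv6" keyword or a colon-separated address marks an unsupported IPv6 rule.
IPV6_HINT = re.compile(r"(?i)\bipv6\b|:[0-9a-f]*:")


def lint_dacl(name, rules, cli_acl_names=()):
    """Return a list of findings; an empty list means the DACL passes."""
    findings = []
    # DACL names must differ from ACLs configured through the OS9 CLI.
    if name in cli_acl_names:
        findings.append(f"name '{name}' collides with a CLI-configured ACL")
    # The NAS-Filter-Rule payload is limited to 4000 characters in total.
    total = sum(len(r) for r in rules)
    if total > MAX_DACL_CHARS:
        findings.append(f"total size {total} exceeds {MAX_DACL_CHARS} characters")
    for i, rule in enumerate(rules, 1):
        if not ACTION_RE.match(rule.strip()):
            findings.append(f"rule {i}: unrecognised syntax '{rule}'")
            continue
        # IPv6 NAS-Filter-Rule attributes are not supported.
        if IPV6_HINT.search(rule):
            findings.append(f"rule {i}: IPv6 rules are not supported in RADIUS DACLs")
    # The DACL is implicit permit, so unmatched traffic is allowed unless the
    # policy ends with an explicit deny-all.
    last = rules[-1].split() if rules else []
    if last != ["deny", "ip", "any", "any"]:
        findings.append("no trailing 'deny ip any any': unmatched traffic is permitted")
    return findings


if __name__ == "__main__":
    # Constructed sample: a web-only policy that closes with an explicit deny.
    sample = ["permit tcp 10.1.0.0/16 any eq 443", "deny ip any any"]
    for finding in lint_dacl("radius-web", sample, cli_acl_names={"cli-web"}):
        print(finding)
```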
Security
705