MSM7xx Controllers Configuration Guide v6.4.0

A default access list can be defined by adding the following Colubris AV-Pair value string to the RADIUS profile for a controller or to the local list (Public access > Attributes page). This defines the access list that is used for all users whose profiles do not contain an access list value.
default-user-access-list=uselistname
Syntax
access-list=
listname[,[OPTIONAL]], action, protocol, address, port[, account[, interval]]
use-access-list=uselistname
default-user-access-list=uselistname
use-access-list-unauth=uselistname
NOTE: You can use spaces as separators instead of commas.
Where:

Parameter / Description

listname
  Specify a name (up to 32 characters long) to identify the access list this rule applies to. If a list with this name does not exist, a new list is created. If a list with this name exists, the rule is added to it.

uselistname
  Specify the name of an existing access list. This list is activated for the current profile. Lists are checked in the order they are activated.

[OPTIONAL]
  Allows the access list to be activated even if this rule fails to initialize. For example, if you specify a rule that contains an address which cannot be resolved for some reason, the other rules that make up the access list will still be initialized. If you do not specify OPTIONAL, a failed rule will cause the entire list to fail.
  Critical access list definitions (such as those for a remote login page or certificates) should not use the OPTIONAL setting, because if these definitions fail to initialize there will be no indication in the log.

action
  Specify what action the rule takes when it matches incoming traffic. The options are:

  ACCEPT - Allow traffic matching this rule.

  ACCEPT-MORE - Allow traffic matching this rule and allocate extra connections (when required) to enable users to connect with the specified address.
  By default the controller allows up to 200 TCP or UDP connections per authenticated or unauthenticated user. If a user has exceeded this connection limit, this parameter allows the controller to permit extra connections from the user when connecting to the specified destination. Connections are assigned from a global pool of 100 connections.
  This can be used to make sure that users can always reach an important resource on the network. For example, the following access list definition allows additional connections as needed to any user who is trying to reach my-web-server.com:
  access-list=HP,ACCEPT-MORE,all,my-web-server.com,80
  use-access-list=procurve

  DENY - Reject traffic matching this rule.

  DNAT-SERVER - Traffic matching this rule is forwarded to the destination defined by the dnat-server value. See “Traffic forwarding (dnat-server)” (page 482) for more information.
  Note: SSL traffic cannot be forwarded, as this breaks SSL security during connection negotiation, resulting in the connection not being established.

  REDIRECT - Reject traffic matching this rule and redirect the user's Web browser to the page specified by redirect-url, or by login-url if redirect-url is not defined. See “Redirect URL” (page 479) for more information. For
Colubris AV-Pair - Site attribute values 463
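The syntax and parameter rules above (comma or space separators, the 32-character listname limit, the OPTIONAL flag, the fixed action set, the optional account/interval fields, and activation order) can be checked before an AV-pair string is pushed into a RADIUS profile. The following parser and initialization model is an added example written for this page; it is not code from the MSM7xx controller or from HP. It assumes that the OPTIONAL flag is written as the bare keyword OPTIONAL (the square brackets in the syntax line mark it as omissible; a bracketed form is tolerated), that "all" is the wildcard for protocol, address and port, and it uses a caller-supplied resolver to stand in for the controller's address resolution; the sample AV-pairs are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ACTIONS = {"ACCEPT", "ACCEPT-MORE", "DENY", "DNAT-SERVER", "REDIRECT"}
MAX_LISTNAME = 32
# AV-pairs that activate an existing list rather than define a rule.
ACTIVATORS = ("use-access-list", "default-user-access-list", "use-access-list-unauth")


@dataclass
class Rule:
    listname: str
    optional: bool
    action: str
    protocol: str
    address: str
    port: str
    account: Optional[str] = None
    interval: Optional[str] = None


@dataclass
class AccessListConfig:
    lists: Dict[str, List[Rule]] = field(default_factory=dict)
    activated: List[str] = field(default_factory=list)  # activation order matters
    errors: List[str] = field(default_factory=list)


def parse_rule(value: str) -> Rule:
    """Parse the value of access-list=... ; commas or spaces separate the fields."""
    fields = [f for f in re.split(r"[,\s]+", value.strip()) if f]
    if not fields:
        raise ValueError("empty access-list value")
    listname = fields.pop(0)
    if len(listname) > MAX_LISTNAME:
        raise ValueError(f"listname {listname!r} longer than {MAX_LISTNAME} characters")
    # Assumption: the flag is the bare keyword OPTIONAL; a bracketed form is tolerated.
    optional = bool(fields) and fields[0].strip("[]").upper() == "OPTIONAL"
    if optional:
        fields.pop(0)
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"rule for {listname!r}: expected action, protocol, address, "
                         f"port[, account[, interval]], got {len(fields)} fields")
    action = fields[0].upper()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {fields[0]!r} in list {listname!r}")
    fields += [None] * (6 - len(fields))  # pad the optional account/interval fields
    return Rule(listname, optional, action, *fields[1:6])


def parse_avpairs(lines) -> AccessListConfig:
    """Collect rules into lists (first mention creates a list) and record activations."""
    cfg = AccessListConfig()
    refs = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition("=")
        attr = attr.strip().lower()
        if not sep:
            cfg.errors.append(f"not an AV-pair: {line!r}")
        elif attr == "access-list":
            try:
                rule = parse_rule(value)
                cfg.lists.setdefault(rule.listname, []).append(rule)
            except ValueError as exc:
                cfg.errors.append(str(exc))
        elif attr in ACTIVATORS:
            refs.append((attr, value.strip()))
            cfg.activated.append(value.strip())
        else:
            cfg.errors.append(f"unknown attribute {attr!r}")
    for attr, name in refs:  # activators must name an existing list
        if name not in cfg.lists:
            cfg.errors.append(f"{attr} references undefined list {name!r}")
    return cfg


def initialize(cfg: AccessListConfig, resolvable: Callable[[str], bool]) -> Dict[str, List[Rule]]:
    """Model list initialization: a rule whose address cannot be resolved is dropped
    if it is OPTIONAL; otherwise the whole list fails and is left out."""
    active: Dict[str, List[Rule]] = {}
    for name in cfg.activated:
        if name not in cfg.lists:
            continue
        kept = []
        for r in cfg.lists[name]:
            if resolvable(r.address):
                kept.append(r)
            elif not r.optional:
                break  # non-OPTIONAL failure: the entire list fails
        else:
            active[name] = kept
    return active


def first_match(cfg: AccessListConfig, active: Dict[str, List[Rule]],
                protocol: str, address: str, port: str) -> Optional[str]:
    """Lists are checked in activation order; the first matching rule's action wins.
    Assumption: 'all' is the wildcard for protocol, address and port."""
    def hit(want: str, have: str) -> bool:
        return want.lower() in ("all", have.lower())
    for name in cfg.activated:
        for r in active.get(name, []):
            if hit(r.protocol, protocol) and hit(r.address, address) and hit(r.port, port):
                return r.action
    return None


# Constructed sample profile (not from the guide): list HP with one OPTIONAL rule,
# list guest, both activated.
SAMPLE_AVPAIRS = [
    "access-list=HP,ACCEPT-MORE,all,my-web-server.com,80",
    "access-list=HP OPTIONAL DENY tcp old-host.example 443",
    "access-list=guest,DENY,all,intranet.example,all",
    "use-access-list=HP",
    "default-user-access-list=guest",
]

if __name__ == "__main__":
    cfg = parse_avpairs(SAMPLE_AVPAIRS)
    # Pretend old-host.example does not resolve: the OPTIONAL rule is dropped, HP survives.
    active = initialize(cfg, lambda addr: addr != "old-host.example")
    print("errors:", cfg.errors)
    print("active lists:", {k: len(v) for k, v in active.items()})
    print("tcp my-web-server.com:80 ->", first_match(cfg, active, "tcp", "my-web-server.com", "80"))
```

Running the same profile with the second HP rule not marked OPTIONAL makes initialize() drop the whole HP list, which is the failure mode the [OPTIONAL] description warns about: nothing in the profile looks wrong, but the list is simply absent at run time.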