Setup Guide

NOTE: The system displays an error when both the Filter-ID and RADIUS Filter Rule attributes are sent in the same RADIUS Access-Accept frame.
RADIUS NAS-Filter-Rule attribute
The switch or NAS saves the RADIUS-assigned DACL rules under a filter name derived from the supplicant MAC addresses. The NAS
dynamically generates a filter for the rules downloaded through the RADIUS NAS-Filter-Rule attribute. The names of the downloaded filter
rules have a prefix __Rad followed by the supplicant MAC addresses.
The RADIUS NAS-Filter-Rule attribute indicates the filter rules to be applied for a specific supplicant. The RADIUS server includes the
RADIUS NAS-Filter-Rule attribute in the Access-Accept frame sent to the switch.
Dell EMC Networking OS supports only certain filters when configuring the ACLs in the RADIUS server.
Supported filters in RADIUS-assigned DACLs are:
L3 protocol number
Source IP address
Destination IP address
TCP and UDP port numbers
DSCP
ECN
ICMP type
Fragments
RADIUS-assigned DACLs have a unique name based on the supplicant MAC address.
The ACLs downloaded from the RADIUS server must match the syntax of Dell EMC Networking OS. The system discards any rule that
does not match the syntax. For more information about ACL configuration, see Dell EMC Configuration Guide and Dell EMC Command Line
Reference Guide.
NOTE: Do not modify the downloaded RADIUS-assigned DACLs using the OS9 CLI as they are generated dynamically from the
RADIUS server.
NOTE: Any change in the filter, such as adding a new filter rule or removing a filter rule, takes effect only after re-authentication
of the supplicant.
View RADIUS-assigned DACL
To view the RADIUS-assigned DACL, use show ip accounting access-list or show dot1x interface commands.
show ip accounting access-list output:
DellEMC#show ip accounting access-list
!
Extended Ingress IP access list test on GigabitEthernet 1/1
Total cam count 15
seq 5 permit ip host 1.1.1.1 host 2.2.2.2
seq 6 permit ip host 4.4.4.4 host 5.5.5.5
seq 12 deny ip host 1.1.1.1 host 2.2.2.2
seq 17 permit ip host 100.0.0.1 host 150.0.0.100 count (0 packets)
seq 22 deny ip host 100.0.0.1 host 200.0.0.100 count (0 packets)
seq 27 deny ip any any count (0 packets)
seq 32 permit tcp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535 monitor no-drop order 254
seq 37 permit ip host 1.1.1.1 host 2.2.2.2 dscp 63 ecn 3 fragments log monitor no-drop order 254
seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3
seq 47 permit ip 100.0.0.0/28 200.0.0.0/23
seq 52 permit ip 100.0.0.0/16 any
seq 57 permit icmp host 1.1.1.1 200.0.0.0/23
seq 62 permit icmp any 200.0.0.0/27
seq 67 permit icmp host 1.1.1.1 any
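
An added example, not part of the Dell EMC guide: a Python audit that parses show ip accounting access-list lines like those above and reports rules that can never match because an earlier rule already covers them, a check that goes beyond what the guide describes. It assumes first-match-wins evaluation in ascending sequence order and that ip matches every protocol; the names take_addr, parse and shadowed are hypothetical, and the sample is a constructed subset of the output.

```python
import ipaddress
import re

# Constructed sample: a subset of the `show ip accounting access-list` lines above.
SAMPLE = """\
seq 5 permit ip host 1.1.1.1 host 2.2.2.2
seq 12 deny ip host 1.1.1.1 host 2.2.2.2
seq 27 deny ip any any count (0 packets)
seq 32 permit tcp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535 monitor no-drop order 254
seq 57 permit icmp host 1.1.1.1 200.0.0.0/23
"""
# Trailing tokens that do not narrow what a rule matches (all taken from the output above).
NON_MATCH = re.compile(r"count|\(\d+|packets\)|log|monitor|no-drop|order|\d+")

def take_addr(tok):
    """Consume one address spec; return (network, remaining tokens) or None."""
    try:
        if tok[:1] == ["any"]:
            return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
        if tok[:1] == ["host"]:
            return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
        if "/" in tok[0]:
            return ipaddress.ip_network(tok[0], strict=False), tok[1:]
    except (ValueError, IndexError):
        pass  # malformed or truncated address
    return None  # other forms (e.g. address followed by a mask) are not guessed at

def parse(text):
    """Return (rules, unparsed_seqs); a rule is (seq, action, proto, src, dst, narrowed)."""
    rules, unparsed = [], []
    for m in re.finditer(r"^[ \t]*seq (\d+) (permit|deny) (\S+) (.*)$", text, re.M):
        src = take_addr(m[4].split())
        dst = take_addr(src[1]) if src else None
        if dst:
            # Any leftover token such as a port, dscp, ecn or fragments narrows the match.
            narrowed = any(not NON_MATCH.fullmatch(t) for t in dst[1])
            rules.append((int(m[1]), m[2], m[3], src[0], dst[0], narrowed))
        else:
            unparsed.append(int(m[1]))
    return rules, unparsed

def shadowed(rules):
    """Map unreachable seq -> earlier covering seq (assumes first match wins, `ip` = any protocol)."""
    out, ordered = {}, sorted(rules, key=lambda r: r[0])
    for i, (seq, _, proto, src, dst, _) in enumerate(ordered):
        for eseq, _, eproto, esrc, edst, enarrow in ordered[:i]:
            if not enarrow and eproto in ("ip", proto) and src.subnet_of(esrc) and dst.subnet_of(edst):
                out[seq] = eseq
                break
    return out
```

On the sample, seq 12 is covered by seq 5 and seq 57 by seq 27, while seq 32 is returned as unparsed because its address form is not interpreted.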