Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

311

312

313

314

315

316

317

318

319

320

Mapping Security ACLs

RoamAbout Mobility System Software Configuration Guide 15-13

Mapping Security ACLs

AnACLdoesnottakeeffectuntilyoucommititandmapittoauseroraninterface.

User‐basedsecurityACLsaremappedtoanIEEE802.1Xauthenticatedsessiondu ringtheAAA

process.Youcanspecifythatoneoftheauthorizationattributesreturnedduringauthenticationis

anamedsecurity

ACL.TheRASmapsthenamedACLautomaticallytotheuser’sauthenticated

session.

SecurityACLscanalsobemappedstaticallytoVLANs,virtualports,orDistributedAPs.User‐

basedACLsareprocessedbeforetheseACLs,becausetheyaremorespecificandclosertothe

networkedge.

Mapping User-Based Security ACLs

Whenyouconfigureadministratororuserauthentication,youcansetaFilter‐Idauthorization

attributeattheRADI USserverorattheRoamAboutSwit ch’slocaldatabase.TheFilter‐Idattribute

isasecurityACLnamewiththedirectionofthepacketsappended—forexample,acl‐name.inor

acl‐name.out.The

securityACLmappedbyFilter‐IdinstructstheRAStouseitslocaldefinitionof

theACL,includingtheflowdirection,tofilterpacketsfortheauthenticateduser.

Example

TomapasecurityACLtoausersession,followthesesteps:

1. CreatethesecurityACL.Forexample,tofilterpacketscomingfrom192.168.253.1andgoingto

192.168.253.12, typethefollowingcommand:

RBT-8100# set security acl ip acl-222 permit ip 192.168.253.1 0.0.0.0

198.168.253.12 0.0.0.0 hits

2. CommitthesecurityACLtotherunningconfiguration.Forexample,tocommitacl‐222,type

thefollowingcommand:

RBT-8100# commit security acl acl-222

success: change accepted.

3. ApplytheFilter‐Idauthenticationatt ributetoauser’ssessionviaanexternalRADIUSserver.

Forinstructions,seethedocumentationforyourRADIUSserver.

4. Alternatively,authenticatetheuserwiththeFilter‐IdattributeintheRoamAboutSwitch’s

localdatabase.Useoneofthefollowingcommands.Specify.inforincomingpacketsor

.out

foroutgoingpackets.

Note: The Filter-Id attribute is more often received by the RAS through an external AAA RADIUS

server than applied through the local database.

Note: If the Filter-Id value returned through the authentication and authorization process does not

match the name of a committed security ACL in the RAS, the user fails authorization and cannot be

authenticated.

Mapping Target Commands

User authenticated by a password set user username attr filter-id acl-name.in

set user username attr filter-id acl-name.out