Specifications
Assigning Authorization Attributes
17-48 Configuring AAA for Network Users
Assigning a Security ACL to a User or a Group
Once a security access control list (ACL) is defined and committed, it can be applied dynamically
and automatically to users and user groups through the 802.1X authentication and authorization
process. When you assign a Filter-Id attribute to a user or group, the security ACL name value is
entered as an authorization attribute into the user or group record in the local RoamAbout Switch
database or RADIUS server.
(For details about security ACLs, see Chapter 15, Configuring and Managing Security ACLs.)
Assigning a Security ACL Locally
To use the local RoamAbout Switch database to restrict a user, a MAC user, or a group of users or
MAC users to the permissions stored within a committed security ACL, use the following
commands:
You can set filters for incoming and outgoing packets:
• Use acl-name.in to filter traffic that enters the RoamAbout Switch from users via a wired
authentication port, or from the network via a network port.
• Use acl-name.out to filter traffic sent from the RoamAbout Switch to users via a wired
authentication port, or from the network via a network port.
Examples
The following command applies security ACL acl-101 to packets coming into the RoamAbout
Switch from user Jose:
RBT-8100# set user Jose attr filter-id acl-101.in
success: change accepted.
The following command applies the incoming filters of acl-101 to the users who belong to the
group eastcoasters:
RBT-8100# set usergroup eastcoasters attr filter-id acl-101.in
success: change accepted.
Note: If the Filter-Id value returned through the authentication and authorization process does not
match the name of a committed security ACL in the RoamAbout switch, the user fails authorization
and cannot be connected.
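The note above means a mistyped or uncommitted ACL name locks the user out, so it is worth checking Filter-Id values before they are pushed. The following is an added example, not part of the original manual: it validates constructed user records against a constructed list of committed ACL names and emits the set commands only for records that pass. Treating a value without a .in or .out suffix as an error is an assumption, made because the page documents only those two forms.

```python
# Added example: pre-deployment check of Filter-Id values against committed ACLs.
# Every name and record below is constructed sample data, not taken from a real switch.

COMMITTED_ACLS = {"acl-101", "acl-guest"}  # constructed: ACLs committed on the switch

# Constructed (target type, name, Filter-Id) records, e.g. exported from RADIUS.
RECORDS = [
    ("user", "Jose", "acl-101.in"),
    ("usergroup", "eastcoasters", "acl-101.in"),
    ("mac-user", "printer-7", "acl-guest.out"),
    ("user", "Maria", "acl-110.in"),  # ACL name that was never committed
    ("user", "Li", "acl-101"),        # no direction suffix (assumed invalid here)
]

# Target types accepted by the set ... attr filter-id commands on this page.
KINDS = {"user", "usergroup", "mac-user", "mac-usergroup"}


def parse_filter_id(value):
    """Split 'acl-name.in' or 'acl-name.out' into (acl_name, direction)."""
    name, sep, direction = value.rpartition(".")
    if not sep or not name or direction not in ("in", "out"):
        raise ValueError(f"expected acl-name.in or acl-name.out, got {value!r}")
    return name, direction


def audit(records, committed):
    """Return (commands, problems); problems are (target, reason) pairs."""
    commands, problems = [], []
    for kind, target, filter_id in records:
        if kind not in KINDS:
            problems.append((target, f"unknown target type {kind!r}"))
            continue
        try:
            acl, _direction = parse_filter_id(filter_id)
        except ValueError as exc:
            problems.append((target, str(exc)))
            continue
        if acl not in committed:
            problems.append((target, f"{acl!r} is not committed: authorization would fail"))
            continue
        commands.append(f"set {kind} {target} attr filter-id {filter_id}")
    return commands, problems


if __name__ == "__main__":
    cmds, probs = audit(RECORDS, COMMITTED_ACLS)
    print("\n".join(cmds))
    for target, reason in probs:
        print(f"REJECT {target}: {reason}")
```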
Security ACL Target                          Commands
User authenticated by a password             set user username attr filter-id acl-name.in
                                             set user username attr filter-id acl-name.out
Group of users authenticated by a password   set usergroup groupname attr filter-id acl-name.in
                                             set usergroup groupname attr filter-id acl-name.out
User authenticated by a MAC address          set mac-user username attr filter-id acl-name.in
                                             set mac-user username attr filter-id acl-name.out
Group of users authenticated by a MAC        set mac-usergroup groupname attr filter-id acl-name.in
address                                      set mac-usergroup groupname attr filter-id acl-name.out