Product guide
7-15
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
How a RADIUS Server Applies a Dynamic Port ACL to a Switch Port
A dynamic port ACL configured on a RADIUS server is selected and applied according to the unique credentials of the client it is designed to serve: either a username/password pair or the client's MAC address. Where the username/password pair is the selection criterion, the same ACL can also serve a group of clients that all require the same ACL policy and authenticate with that username/password pair. Where the client MAC address is the selection criterion, only the client with that MAC address can use the ACL. When the RADIUS server authenticates a client, it returns the ACL configured for that client's credentials and the switch assigns it to the port. The ACL then filters the client's inbound IP traffic (traffic entering the switch from that client) and drops any such traffic that the ACL does not explicitly permit, because every ACL ends with an implicit deny in ip from any to any ("deny any any") ACE. When the client session ends, the switch removes the dynamic port ACL from the client port.
Notes Every dynamic port ACL ends with an implicit deny in ip from any to any ("deny any any") ACE, so the default action is to deny any inbound IP traffic that the ACL does not specifically permit. To override this default, make an explicit permit in ip from any to any ("permit any any") the last ACE in the ACL.
On a given port, dynamic port ACL filtering applies only to traffic entering the switch from the client whose authentication configuration on the server includes a dynamic port ACL. Traffic entering the switch from another authenticated client on the same port, whose configuration on the server does not include a dynamic port ACL, is not filtered by an ACL assigned to the port for any other authenticated client.
Multiple Clients Sharing the Same Dynamic Port ACL. When multiple clients authenticated by the same RADIUS server use the same credentials, each is served by its own instance of the same ACL. (IP traffic entering the switch from a client carries a source MAC address unique to that client; the dynamic port ACL uses this MAC address to identify which traffic it filters.)
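The per-client behaviour described in the sections above (selection by a username/password pair or by a MAC credential, the implicit deny and its permit-any-any override, an authenticated client without an ACL going unfiltered, and separate ACL instances for clients that share credentials) is easiest to see in a small model. The following Python is an added example and is not code from the product guide or from the switch itself. It assumes the RADIUS reply carries the ACEs in the HP-Nas-Filter-Rule vendor-specific attribute (the name used in FreeRADIUS's dictionary.hp; this page does not name the attribute), accepts the ACE form shown on this page with an optional trailing destination port and "cnt" suffix, and uses users entries, MAC addresses and packets constructed for the demonstration:

```python
"""Model of how a switch applies a RADIUS-assigned dynamic port ACL per client.

Added example; not the product guide's code or switch firmware. Assumed: ACEs use
the guide's "<permit|deny> in <ip|tcp|udp|icmp> from <src> to <dst> [port]" form
(a "cnt" suffix is accepted and ignored), the RADIUS reply carries them in the
HP-Nas-Filter-Rule VSA (FreeRADIUS dictionary.hp; the guide does not name the
attribute), and every users entry, MAC address and packet below is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed FreeRADIUS-style 'users' entries. mobile011 is selected by a
# username/password pair (shareable by a group of clients); 08002b1a2b3c is a
# MAC-address credential (usable by that one client only); guest7 has no ACL.
USERS_FILE = """
mobile011  Auth-Type := Local, User-Password == run101112
    HP-Nas-Filter-Rule = "permit in tcp from any to 10.10.10.10 80",
    HP-Nas-Filter-Rule += "permit in udp from any to 10.10.10.20 53"

08002b1a2b3c  Auth-Type := Local, User-Password == 08002b1a2b3c
    HP-Nas-Filter-Rule = "deny in tcp from any to 10.10.10.0/24 23 cnt",
    HP-Nas-Filter-Rule += "permit in ip from any to any"

guest7  Auth-Type := Local, User-Password == guestpw
"""

RULE_RE = re.compile(r'HP-Nas-Filter-Rule\s*\+?=\s*"([^"]*)"')
ACE_RE = re.compile(r'^(permit|deny)\s+in\s+(ip|tcp|udp|icmp)\s+from\s+(\S+)\s+to\s+(\S+)'
                    r'(?:\s+(\d+))?(?:\s+cnt)?$')


@dataclass(frozen=True)
class Ace:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches any IP protocol
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]                     # None means any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and (self.src is None or ipaddress.ip_address(src_ip) in self.src)
                and (self.dst is None or ipaddress.ip_address(dst_ip) in self.dst)
                and (self.dport is None or self.dport == dport))


def parse_ace(text):
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported ACE syntax: %r" % text)
    action, proto, src, dst, port = m.groups()
    net = lambda tok: None if tok == "any" else ipaddress.ip_network(tok, strict=False)
    return Ace(action, proto, net(src), net(dst), int(port) if port else None)


def parse_users(text):
    """username -> {'password': str, 'acl': [Ace] or None}; blank lines separate entries."""
    db = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        head = block.strip().splitlines()[0]
        pw = re.search(r"User-Password\s*==\s*([^\s,]+)", head)
        acl = [parse_ace(r) for r in RULE_RE.findall(block)]
        db[head.split()[0]] = {"password": pw.group(1) if pw else None, "acl": acl or None}
    return db


class SwitchPort:
    """One port; each authenticated client (keyed by source MAC) owns its own ACL instance."""

    def __init__(self):
        self.sessions = {}      # client MAC -> list[Ace], or None when the entry has no ACL

    def authenticate(self, mac, username, password, db):
        entry = db.get(username)
        if entry is None or entry["password"] != password:
            return False        # Access-Reject: nothing is installed on the port
        self.sessions[mac] = list(entry["acl"]) if entry["acl"] else None
        return True

    def end_session(self, mac):
        self.sessions.pop(mac, None)   # session ends: the switch removes that client's ACL

    def inbound(self, mac, proto, src_ip, dst_ip, dport=None):
        """Outcome for one packet entering the switch from client `mac`."""
        if mac not in self.sessions:
            return "unauthenticated"   # stopped by the port authenticator, not by any ACL
        acl = self.sessions[mac]
        if acl is None:
            return "unfiltered"        # authenticated without an ACL; other clients' ACLs don't apply
        for ace in acl:                # first matching ACE decides
            if ace.matches(proto, src_ip, dst_ip, dport):
                return ace.action
        return "deny"                  # implicit "deny in ip from any to any" at the end of every ACL


def demo():
    """Run the guide's cases on one port; returns each packet's outcome keyed by label."""
    db, port = parse_users(USERS_FILE), SwitchPort()
    c1, c2, cm, cg = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "08:00:2b:1a:2b:3c", "aa:aa:aa:aa:aa:03"
    port.authenticate(c1, "mobile011", "run101112", db)
    port.authenticate(c2, "mobile011", "run101112", db)   # same credentials, separate ACL instance
    port.authenticate(cm, "08002b1a2b3c", "08002b1a2b3c", db)
    port.authenticate(cg, "guest7", "guestpw", db)
    out = {
        "web_permit": port.inbound(c1, "tcp", "192.168.1.5", "10.10.10.10", 80),
        "ssh_implicit_deny": port.inbound(c1, "tcp", "192.168.1.5", "10.10.10.10", 22),
        "icmp_implicit_deny": port.inbound(c1, "icmp", "192.168.1.5", "10.10.10.10"),
        "mac_telnet_deny": port.inbound(cm, "tcp", "192.168.1.9", "10.10.10.5", 23),
        "mac_ssh_explicit_permit": port.inbound(cm, "tcp", "192.168.1.9", "10.10.10.5", 22),
        "guest_unfiltered": port.inbound(cg, "tcp", "192.168.1.7", "10.10.10.10", 22),
        "stranger": port.inbound("aa:aa:aa:aa:aa:09", "tcp", "192.168.1.8", "10.10.10.10", 80),
    }
    port.end_session(c1)                                  # c1 logs off; c2 keeps its own instance
    out["c1_after_logoff"] = port.inbound(c1, "tcp", "192.168.1.5", "10.10.10.10", 80)
    out["c2_still_filtered"] = port.inbound(c2, "tcp", "192.168.1.6", "10.10.10.10", 22)
    return out
```

Calling demo() walks every case on one port. Note that inbound() reports "unauthenticated" for a MAC with no session, which the port's authenticator stops before any ACL is consulted, and "unfiltered" for an authenticated client whose server entry carried no ACL; both are distinct from the ACL's own "deny", which is what the implicit deny any any produces for the mobile011 clients and what the explicit permit any any suppresses for the MAC-authenticated client.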
Multiple ACL Application Types on an Interface. The switch allows
simultaneous use of all supported ACL application types on an interface. For
more information, refer to “Multiple ACLs on an Interface” on page 10-20.