Product guide
7-18
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
was also configured on VLAN “Y”, then a deny match in the RACL would apply as well to any inbound, routed traffic from the client (and to any inbound, switched traffic having a destination on the switch itself). (If an outbound RACL was also configured on VLAN “Y”, then any outbound, routed IP traffic leaving the switch through the subject port would be filtered by the outbound RACL as well.)
■ Effect of Dynamic Port ACLs on Inbound Traffic for Multiple Clients on the Same Port: On a port configured for 802.1X user-based access where multiple clients are connected, if a given client’s authentication results in a dynamic port ACL assignment, then the authentication of any other client concurrently using the port must also include a dynamic port ACL assignment. Thus, if a RADIUS server is configured to assign a dynamic port ACL when client “X” authenticates, but is not configured to do the same for client “Y”, then traffic from client “Y” will be blocked whenever client “X” is authenticated on the port (and client “Y” will be deauthenticated). For this reason, if multiple clients are authenticated on a port, a separate dynamic port ACL must be assigned by a RADIUS server for each authenticated client. Inbound IP traffic from any client whose authentication does not result in a dynamic port ACL assignment will be blocked and the client will be deauthenticated. Also, if 802.1X port-based access is configured on the port, only one client can be authenticated on the port at any given time. In this case, no other inbound client traffic is allowed. For more on this topic, refer to “Static Port ACL and Dynamic Port ACL Applications” on page 10-19, and “Multiple ACLs on an Interface” on page 10-20.
Configuring an ACL in a RADIUS Server
This section provides general guidelines for configuring a RADIUS server to specify dynamic port ACLs. Also included is an example configuration for a FreeRADIUS server application. However, to configure support for these services on a specific RADIUS server application, please refer to the documentation provided with the application.
Elements in a Dynamic Port ACL Configuration. A dynamic port ACL configuration in a RADIUS server has the following elements:
■ vendor and ACL identifiers:
• ProCurve (HP) Vendor-Specific ID: 11
• Vendor-Specific Attribute for ACLs: 61 (string = HP-IP-FILTER-RAW)
• Setting: HP-IP-FILTER-RAW = < “permit” or “deny” ACE >
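As an added illustration (not from this guide, HP, or FreeRADIUS), the following Python shows how the identifiers above appear on the wire: each ACE string is carried in a RADIUS Vendor-Specific attribute (RFC 2865 attribute 26) with Vendor-Id 11 and vendor type 61, one attribute per ACE, and the decoder reads them back in the order sent. The function names are assumptions, and the ACE strings in the sample are constructed placeholders rather than HP's documented ACE syntax.

```python
import struct

# Identifiers from the guide: ProCurve (HP) vendor ID 11, VSA 61 = HP-IP-FILTER-RAW.
HP_VENDOR_ID = 11
HP_IP_FILTER_RAW = 61
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that carries all VSAs


def encode_hp_ip_filter_raw(ace: str) -> bytes:
    """Wrap one ACE string in a RADIUS Vendor-Specific attribute.
    Layout: Type=26, Length, Vendor-Id(4), then Vendor-Type=61, Vendor-Length, String."""
    data = ace.encode("ascii")
    # The outer Length is one byte: 2 + 4 + 2 + len(data) must not exceed 255.
    if not data or len(data) > 247:
        raise ValueError("ACE must be 1..247 bytes")
    if data.split()[0] not in (b"permit", b"deny"):
        raise ValueError("ACE must begin with permit or deny")
    inner = struct.pack("!BB", HP_IP_FILTER_RAW, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), HP_VENDOR_ID) + inner


def decode_hp_ip_filter_raw(attrs: bytes) -> list:
    """Walk a RADIUS attribute blob and return the HP-IP-FILTER-RAW strings in the
    order carried (ACE order matters, since an ACL is evaluated first match wins)."""
    aces, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 4 \
                and struct.unpack("!I", body[:4])[0] == HP_VENDOR_ID:
            j = 4
            while j + 2 <= len(body):            # several VSAs may share one attribute
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed VSA at offset %d" % (i + 2 + j))
                if vtype == HP_IP_FILTER_RAW:
                    aces.append(body[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return aces


# Constructed sample Access-Accept attribute list: two ACEs plus an unrelated
# Session-Timeout (type 27). The ACE text is a placeholder, not HP's documented syntax.
SAMPLE_ACES = ["permit in tcp from any to any 80", "deny in ip from any to any"]
SAMPLE_ATTRS = b"".join(encode_hp_ip_filter_raw(a) for a in SAMPLE_ACES) \
    + struct.pack("!BBI", 27, 6, 3600)
```

Tools such as FreeRADIUS build exactly this encoding from a dictionary entry for vendor 11, attribute 61, so a decoder like this is a convenient way to confirm what a server is actually sending to the switch.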