Product guide
7-19
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
(Note that the “string” value and the “Setting” specifier are identical.)
■ ACL configuration, including:
• one or more explicit “permit” and/or “deny” ACEs created by the
system operator
• implicit deny any any ACE automatically active after the last operator-
created ACE
Example of Configuring a Dynamic Port ACL Using the FreeRADIUS
Application. This example illustrates one method for configuring dynamic
port ACL support for two different client identification methods (username/
password and MAC address). For information on how to configure this
functionality on other RADIUS server types, refer to the documentation
provided with the server.
1. Enter the ProCurve vendor-specific ID and the ACL VSA in the FreeRA-
DIUS dictionary file:
Figure 7-4. Example of Configuring the VSA for Dynamic Port ACLs in a FreeRADIUS Server
2. Enter the switch IP address, NAS (Network Attached Server) type, and
the key in the FreeRADIUS clients.conf file. For example, if the switch IP
address is 10.10.10.125 and the key is “1234”, you would enter the follow-
ing in the server’s clients.conf file:
Figure 7-5. Example of Configuring the Switch’s Identity Information in a FreeRADIUS Server
3. For a given client username/password pair or MAC address, create an ACL
by entering one or more ACEs in the FreeRADIUS “users” file. Enter the
ACEs in an order that promotes optimum traffic management and conser-
vation of system resources, and remember that every ACL you create
VENDOR HP 11
BEGIN-VENDOR HP
ATTRIBUTE HP-IP-FILTER-RAW 61 STRING
END-VENDOR HP
ProCurve (HP) Vendor-Specific ID
ProCurve (HP) Vendor-Specific
Attribute for Dynamic Port ACLs
Note that if you were also using the RADIUS server to
administer 802.1p (CoS) priority and/or Rate-Limiting, you
would also insert the ATTRIBUTE entries for these
functions above the END-VENDOR entry.
client 10.10.10.125
nastype = other
secret = 1234
Note: The key configured in the switch and the secret configured in
the RADIUS server supporting the switch must be identical. Refer to
the chapter titled “RADIUS Authentication and Accounting” in the
Access Security Guide for your switch.