HP 6120G/XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 260
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists

< ipv4-addr >: Specifies a single destination IPv4 address.

< ipv4-addr /< mask >: Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The < mask > is CIDR notation for the number of leftmost bits in a packet's destination IPv4 address that must match the corresponding bits in the destination IPv4 address listed in the ACE. For example, a destination of 10.100.17.1/24 in the ACE means that a match occurs when an inbound packet (of the designated IPv4 type) from the authenticated client has a destination IPv4 address where the first three octets are 10.100.17. (The fourth octet is a wildcard, and can be any value up to 255.)

[ tcp/udp-port | tcp/udp-port-range]: Optional TCP or UDP port specifier. Used when the ACE is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify port numbers as individual values and/or ranges. For example, the following ACE shows two ways to deny any UDP traffic from an authenticated client that has a DA of any address and a UDP destination port of 135, 137-139, or 445:

    deny in udp from any to any 135, 137-139, 445
    deny in 17 from any to any 135, 137-139, 445

[ icmp-type ]: Optional ICMP type specifier. This can be either a keyword or an ICMP type number. For a listing of numbers and types, refer to table 6-5, "ICMP Type Numbers and Keywords" on page 6-28.

[ cnt ]: Optional counter specifier for a RADIUS-assigned ACE. When used, the counter increments each time there is a "match" with the ACE. This option does not require that you configure the switch for RADIUS accounting.

Example Using the Standard Attribute (92) In an IPv4 ACL

The Standard attribute (92) filters IPv4 traffic inbound from the authenticated client. (Any IPv6 traffic inbound from the client is dropped.)
This example illustrates configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS using the standard attribute for two different client identification methods (username/password and MAC address).

1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file.

    ATTRIBUTE Nas-FILTER-Rule 92

2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:
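Separately from the clients.conf step, the ACE fields described earlier on this page (destination address or CIDR mask, port list, cnt) can be checked offline before the ACEs are loaded into a RADIUS user entry. The following is an added example, not part of the HP manual or of switch firmware: the function names are hypothetical, only the tcp/udp keywords and numeric protocol values are handled, and the third sample ACE is constructed.

```python
import ipaddress
import re

PROTO = {"tcp": 6, "udp": 17}  # IANA protocol numbers for the keywords handled

ACE_RE = re.compile(
    r"^(permit|deny)\s+in\s+(\w+)\s+from\s+any\s+to\s+(\S+)(.*)$", re.I)

def parse_ace(text):
    """Parse one ACE of the form shown on this page into a dict."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised ACE: {text!r}")
    action, proto, dest, rest = m.groups()
    if not proto.isdigit() and proto.lower() not in PROTO:
        raise ValueError(f"protocol keyword not handled here: {proto!r}")
    proto_num = int(proto) if proto.isdigit() else PROTO[proto.lower()]
    # strict=False: 10.100.17.1/24 means "the leftmost 24 bits must match"
    net = None if dest.lower() == "any" else ipaddress.ip_network(dest, strict=False)
    tokens = [t for t in re.split(r"[,\s]+", rest.strip()) if t]
    count = bool(tokens) and tokens[-1].lower() == "cnt"
    if count:
        tokens.pop()
    ports = []
    for tok in tokens:  # "445" -> (445, 445), "137-139" -> (137, 139)
        lo, _, hi = tok.partition("-")
        ports.append((int(lo), int(hi or lo)))
    if ports and proto_num not in (6, 17):
        raise ValueError("a port list only applies to TCP or UDP")
    return {"action": action.lower(), "proto": proto_num, "net": net,
            "ports": ports, "cnt": count}

def ace_matches(ace, proto, dst, dport=None):
    """True if a packet (protocol number, destination IP, dest port) hits the ACE."""
    if ace["proto"] != proto:
        return False
    if ace["net"] is not None and ipaddress.ip_address(dst) not in ace["net"]:
        return False
    if ace["ports"]:
        return dport is not None and any(lo <= dport <= hi for lo, hi in ace["ports"])
    return True

# The two ACEs from this page, plus one constructed ACE with a /24 destination
A = parse_ace("deny in udp from any to any 135, 137-139, 445")
B = parse_ace("deny in 17 from any to any 135, 137-139, 445")
C = parse_ace("permit in tcp from any to 10.100.17.1/24 80 cnt")
```

Parsing both forms of the deny ACE yields the same rule, and the /24 destination matches any address whose first three octets are 10.100.17.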