HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 255
General ACL Features, Planning, and Configuration
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists

Notes

the same username/password pair. Where the client MAC address is the selection criterion, only the client having that MAC address can use the corresponding ACL.

• When a RADIUS server authenticates a client, it also assigns the ACL configured with that client's credentials to the port. The ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL. (Every ACL ends with an implicit deny in ip from any to any ("deny any any") ACE that denies IP traffic not specifically permitted by the ACL.) When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.

• Included in any RADIUS-assigned ACL, there is an implicit deny in ip from any to any ("deny any any") command that results in a default action to deny any inbound IP traffic that is not specifically permitted by the ACL. To override this default, use an explicit permit in ip from any to any ("permit any any") as the last ACE in the ACL. This override applies only to the authenticated client; the default deny any any applies to all other IPv4 traffic.

• On a given port, RADIUS-assigned ACL filtering applies to all IPv4 traffic once a client is authenticated.

Multiple Clients Sharing the Same RADIUS-Assigned ACL. When multiple clients supported by the same RADIUS server use the same credentials, they will all be serviced by different instances of the same ACL. (The actual IP traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses this MAC address to identify the traffic to be filtered.)

Multiple ACL Application Types on an Interface. The switch allows simultaneous use of all supported ACL application types on an interface.
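The following added example (not HP's code, and not a switch feature) models the behaviour described in the notes above so a policy can be checked before it is pushed from RADIUS: first-match ACE evaluation with the implicit "deny in ip from any to any" at the end, the "permit in ip from any to any" override as the last ACE, and one ACL instance per authenticated client MAC that is removed when the session ends. The ACE text uses the "<permit|deny> in <proto> from <src> to <dst> [port]" form shown on the page; address prefixes such as 10.0.1.0/24 and the packet dictionary fields are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Model of the page's RADIUS-assigned ACL semantics (added example, not HP code).
@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any IPv4 protocol; else "tcp", "udp", ...
    src: str               # "any" or an IPv4 address/prefix (prefix form is assumed)
    dst: str
    dport: Optional[int]   # destination port, None = any port

def parse_ace(text: str) -> Ace:
    """Parse '<permit|deny> in <proto> from <src> to <dst> [port]'."""
    tok = text.split()
    if len(tok) < 7 or tok[1] != "in" or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"malformed ACE: {text!r}")
    dport = int(tok[7]) if len(tok) > 7 else None
    return Ace(tok[0], tok[2], tok[4], tok[6], dport)

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(acl: list, pkt: dict) -> str:
    """First-match evaluation; falls through to the implicit 'deny in ip from any to any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not _addr_match(ace.src, pkt["src"]) or not _addr_match(ace.dst, pkt["dst"]):
            continue
        if ace.dport is not None and ace.dport != pkt.get("dport"):
            continue
        return ace.action
    return "deny"   # implicit deny any any

class Port:
    """One switch port: a separate ACL instance per authenticated client MAC."""
    def __init__(self) -> None:
        self.instances = {}   # client MAC -> list of Ace

    def authenticate(self, mac: str, acl_text: list) -> None:
        self.instances[mac] = [parse_ace(line) for line in acl_text]

    def session_end(self, mac: str) -> None:
        self.instances.pop(mac, None)   # switch removes the client's ACL instance

    def filter(self, mac: str, pkt: dict) -> str:
        acl = self.instances.get(mac)
        # No ACL instance for this MAC: the default deny any any applies (model assumption).
        return "deny" if acl is None else evaluate(acl, pkt)
```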
General ACL Features, Planning, and Configuration

These steps suggest a process for using RADIUS-assigned ACLs to establish access policies for client IP traffic.

1. Determine the policies you want to enforce for authenticated client traffic inbound on the switch.

2. Plan ACLs to execute traffic policies:

• Apply ACLs on a per-client basis where individual clients need different traffic policies or where each client must have a different username/password pair or will authenticate using MAC authentication.

• Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same username/password pair.

6-15