HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 258
Nas-Filter-Rule-Options, Configuring ACE Syntax in RADIUS Servers, Table 6-4.
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists

■ ACL configuration, including:
  • one or more explicit "permit" and/or "deny" ACEs created by the system operator
  • implicit deny any any ACE automatically active after the last operator-created ACE

Nas-Filter-Rule-Options

Table 6-4. Nas-Filter-Rule Attribute Options

Service: ACLs Applied to Client Traffic Inbound to the Switch
  Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port.
Control Method and Operating Notes:
  Standard Attribute: 92
  This is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 traffic.
  Entry for IPv4-Only ACE To Filter Client Traffic:
  Nas-filter-Rule = "< permit or deny ACE >" (Standard Attribute 92)
  For example:
  Nas-filter-Rule="permit in tcp from any to any"

Service: ACLs Applied to Client Traffic Inbound to the Switch
  Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port.
Control Method and Operating Notes:
  HP-Nas-Filter-Rule (Vendor-Specific Attribute): 61
  This attribute is maintained for legacy purposes to support ACEs in RADIUS-assigned ACLs. However, for new or updated configurations HP recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.
  HP (ProCurve) vendor-specific ID: 11
  VSA: 61 (string = HP-Nas-Filter-Rule)
  Setting: HP-Nas-filter-Rule = "< permit or deny ACE >"

Configuring ACE Syntax in RADIUS Servers

The following syntax and operating information applies to ACLs configured in a RADIUS server.
ACE Syntax (Standard Attribute-92):
Nas-filter-Rule="< permit | deny > in from any to < any | ip-addr | ipv4-addr/mask > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt ]"

ACE Syntax (Legacy VSA 61):
HP-Nas-filter-Rule="< permit | deny > in from any to < any | ip-addr | ipv4-addr/mask > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt ]"
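
The following Python sketch is an added example, not part of the HP guide: it checks ACE strings against the syntax above before they are entered in a RADIUS server, and shows which ACE (or the implicit deny any any) decides a given client packet. The function names, the sample ACL, the protocol token after "in" (taken from the page's example ACE) and the "ip" keyword are assumptions.

```python
import ipaddress
import re

# ACE grammar from this page. Assumption: a protocol token sits between "in"
# and "from", as in the page's example "permit in tcp from any to any".
ACE_RE = re.compile(
    r"^(permit|deny) in (\S+) from any to (\S+)(?: (\d+)(?:-(\d+))?)?( cnt)?$")

def parse_ace(ace):
    """Parse one Nas-filter-Rule value; raise ValueError if it is malformed."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"not a valid ACE: {ace!r}")
    action, proto, dst, lo, hi, _cnt = m.groups()
    # "any" becomes 0.0.0.0/0; a bare address becomes a /32 network.
    net = ipaddress.IPv4Network("0.0.0.0/0" if dst == "any" else dst, strict=False)
    ports = None
    if lo is not None:
        lo, hi = int(lo), int(hi if hi is not None else lo)
        limit = 255 if proto == "icmp" else 65535  # an ICMP type is one byte
        if lo > hi or hi > limit:
            raise ValueError(f"bad port/type qualifier in {ace!r}")
        ports = (lo, hi)
    return action, proto, net, ports

def decide(acl, proto, dst_ip, port=None):
    """Return the action for one inbound client packet: ACEs are tested in
    order, first match wins, and no match means the implicit deny any any."""
    addr = ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        action, a_proto, net, ports = parse_ace(ace)
        # Assumption: the keyword "ip" (not shown on this page) matches any protocol.
        if a_proto not in ("ip", proto) or addr not in net:
            continue
        if ports and (port is None or not ports[0] <= port <= ports[1]):
            continue
        return action
    return "deny (implicit)"

# Constructed sample ACL: the ACEs one client's RADIUS entry might carry.
SAMPLE_ACL = [
    "deny in tcp from any to 10.10.20.0/24 23",
    "permit in tcp from any to 10.10.20.0/24 cnt",
    "permit in udp from any to any 67-68",
]

if __name__ == "__main__":
    for pkt in [("tcp", "10.10.20.5", 23), ("tcp", "10.10.20.5", 443), ("udp", "192.0.2.1", 53)]:
        print(pkt, "->", decide(SAMPLE_ACL, *pkt))
```

With the sample ACL, the DNS packet in the last test case is dropped by the implicit deny even though no operator-created ACE mentions it, which is the case most often missed when an ACL is written with only "permit" entries.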