Enhancements

Release M.10.02 Enhancements

An ACL must be configured on the RADIUS server (instead of the switch) by creating and assigning one or more Access Control Entries to the username/password pair or MAC address of the client for which you want ACL support.

Where 802.1X is used for client authentication, the client device must either be running 802.1X supplicant software or be able to download that software from the network through the 802.1X Open VLAN mode available on the switch. (If authentication is achieved through Web or MAC Authentication, 802.1X supplicant software is not required.)

A RADIUS-assigned ACL is a type of extended ACL that filters IP traffic inbound on a port from any source (and, optionally, of any specific IP application or protocol type) to a single destination IP address, a group of contiguous IP addresses, an IP subnet, or any IP destination.

This feature is designed to accept dynamic configuration of a RADIUS-based ACL on an individual port on the network edge to filter traffic from an authenticated end-node client. Using RADIUS to apply per-port ACLs to edge ports enables the switch to filter IP traffic coming from outside the network, thus removing unwanted traffic as soon as possible and helping to improve system performance. Also, applying RADIUS-assigned ACLs to ports on the network edge is likely to be less complex than using ACLs in the network core to filter unwanted traffic that could have been filtered at the edge.

This feature enhances network and switch management access security by permitting or denying authenticated client access to specific network resources and to the switch management interface. This includes preventing clients from using TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) if you do not want their access privileges to include these capabilities.

Note

A RADIUS-assigned ACL filters all inbound IP traffic from an authenticated client on a port, regardless of whether the traffic is to be switched or routed.

ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.

The ACLs described in this section do not screen non-IP traffic such as AppleTalk and IPX.
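The filtering behaviour described above (source any; optional IP protocol or TCP/UDP application; destination of a single host, a contiguous address range, a subnet, or any; applied inbound on the authenticated client's port; non-IP traffic left unscreened) can be modelled in a few lines. The following is an added example written for these notes, not ProCurve code or the switch's ACL syntax: the ACE fields, the ordering rule (first match wins, with an implicit deny at the end) and the sample packets are all constructed assumptions chosen to mirror the prose, and the string forms used for destinations are the example's own, not the format a RADIUS server would send.

```python
"""Toy model of a per-port, inbound RADIUS-assigned ACL (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry as the text describes it: any source,
    optional protocol/application, and a destination specifier."""
    action: str                      # "permit" or "deny"
    proto: Optional[str]             # "tcp", "udp", "icmp", or None for any IP protocol
    dst: str                         # "any", "host", "a.b.c.d/nn", or "lo-hi" contiguous range
    dst_port: Optional[int] = None   # TCP/UDP application port; None means any port

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return dst_matches(self.dst, pkt["dst"])


def dst_matches(spec: str, addr: str) -> bool:
    """Destination forms from the text: any, single host, contiguous range, subnet."""
    a = ip_address(addr)
    if spec == "any":
        return True
    if "-" in spec:                                  # contiguous range, e.g. "10.10.20.1-10.10.20.50"
        lo, hi = (ip_address(x) for x in spec.split("-"))
        return lo <= a <= hi
    return a in ip_network(spec, strict=False)       # single host (/32) or CIDR subnet


def evaluate(acl: list, pkt: dict) -> str:
    """First matching ACE decides; anything unmatched is dropped (implicit deny).
    The ACL only screens IP, so non-IP frames (AppleTalk, IPX) pass untouched,
    and the decision is the same whether the frame would be switched or routed."""
    if pkt.get("ethertype", "ip") != "ip":
        return "unfiltered"
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed ACL for one authenticated client's port. Order matters: the
# management-application denies sit above the broader permit for 10.10.0.0/16.
SAMPLE_ACL = [
    ACE("permit", "tcp", "10.10.10.0/24", 80),          # web access to one server subnet
    ACE("deny",   "tcp", "any", 23),                    # no Telnet anywhere
    ACE("deny",   "tcp", "any", 22),                    # no SSH anywhere
    ACE("deny",   "udp", "any", 161),                   # no SNMP anywhere
    ACE("permit", "tcp", "10.10.20.1-10.10.20.50", 443), # HTTPS to a contiguous range
    ACE("permit", None,  "10.10.0.0/16"),               # any other IP traffic inside the site
]

# Constructed inbound traffic samples from the client (not captured data).
SAMPLE_PACKETS = [
    {"proto": "tcp",  "dst": "10.10.10.5",  "dport": 80},    # permit, ACE 1
    {"proto": "tcp",  "dst": "10.10.10.5",  "dport": 23},    # deny, ACE 2 (Telnet to the same host)
    {"proto": "tcp",  "dst": "10.10.20.9",  "dport": 22},    # deny, ACE 3
    {"proto": "udp",  "dst": "10.10.1.1",   "dport": 161},   # deny, ACE 4
    {"proto": "tcp",  "dst": "10.10.20.40", "dport": 443},   # permit, ACE 5 (inside the range)
    {"proto": "icmp", "dst": "10.10.30.7"},                  # permit, ACE 6 (any IP protocol)
    {"proto": "tcp",  "dst": "192.168.1.1", "dport": 443},   # deny, implicit deny at the end
    {"ethertype": "appletalk"},                              # unfiltered: not IP
]


def decisions(acl=SAMPLE_ACL, packets=SAMPLE_PACKETS) -> list:
    """Decision per packet, in input order."""
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions()):
        print(f"{verdict:10s} {pkt}")
```

The point the model makes visible is that ACE order and the trailing implicit deny together determine what an authenticated client can reach: the Telnet/SSH/SNMP denies only take effect because they precede the broad permit, and traffic to destinations outside 10.10.0.0/16 is dropped without any explicit entry.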

Table 4 highlights several key differences between the static ACLs configurable on 3400cl switch ports and the dynamic ACLs that can be assigned to individual ports by a RADIUS server. (The switch supports either one RADIUS-based ACL or one port-based ACL at a time on a given port. It does not support having both ACL types on the same port at the same time.)
