Enhancements

Release M.10.02 Enhancements

the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port. The ACL then filters the client’s inbound IP traffic and denies (drops) any such traffic from the client that is not explicitly permitted by the ACL. (Every ACL ends with an implicit deny in ip from any to any (“deny any any”) ACE that denies IP traffic not specifically permitted by the ACL.) When the client session ends, the switch removes the RADIUS-based ACL from the client port.

When multiple clients supported by the same RADIUS server use the same credentials, they will all be serviced by different instances of the same ACL. (The actual traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-based ACL uses this MAC address to identify the traffic to be filtered.)

Notes

On any ACL assigned to a port, there is an implicit deny in ip from any to any (“deny any any”) command that results in a default action to deny any inbound IP traffic that is not specifically permitted by the ACL. To reverse this default, use an explicit “permit any” as the last ACE in the ACL.

On a given port, RADIUS-based ACL filtering occurs only for the inbound traffic from the client whose authentication caused a RADIUS-based ACL assignment. Inbound traffic from any other source, including a second, authenticated client (on the same port) will be denied.

The Packet-filtering Process

Sequential Comparison and Action. When an ACL filters a packet from an authenticated client, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. The action indicated by the matching ACE (deny or permit) is then performed on the packet.

Implicit Deny. If a packet from the authenticated client does not have a match with the criteria in any of the ACEs in the ACL, the ACL denies (drops) the packet. If you need to override the implicit deny so that a packet (from the authenticated client) that does not have a match will be permitted, then you can use the “permit any” option as the last ACE in the ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit “deny any”. (Note that the “permit any” option applies only to packets from the client whose authentication caused the assignment of the ACL to the port.)

50