Enhancements

Release M.10.02 Enhancements

For example, suppose you want to configure a RADIUS-based ACL to invoke these policies in the 11.11.11.0 network:

1.Permit inbound client traffic with a DA of 11.11.11.42.

2.Permit inbound Telnet traffic for DA 11.11.11.101.

3.Deny inbound Telnet traffic for all other IP addresses in the 11.11.11.0 network.

4.Permit inbound HTTP traffic for any IP address in the 11.11.11.0 network.

5.Deny all other inbound traffic.

The following ACL model, when invoked by a client authenticating with the credentials configured in the RADIUS server for this ACL, supports the above case:

1Permit in ip from any to 11.11.11.42

2Permit in tcp from any to 11.11.11.101 23

3Deny in tcp from any to 11.11.11.0/24 23

4Permit in tcp from any to 11.11.11.1/24 80

5(implicit deny in ip any to any)

1.Permits inbound IP traffic from the authenticated client to the destination address 11.11.11.42. Packets matching this criterion are forwarded and are not compared to any later ACE in the list. Packets not matching this criterion will be compared to the next entry in the list.

2.Permits inbound Telnet traffic from the authenticated client to the destination address 11.11.11.101. Packets matching this criterion are forwarded and are not compared to any later ACE in the list. Packets not matching this criterion will be compared to the next entry in the list.

3.Denies inbound Telnet traffic from the authenticated client to any IP address in the 11.11.11.0 network. Since packets matching entry “2” will never reach this ACE, the Telnet traffic permitted by entry “2” will not be affected. Packets matching this criterion will be denied and will not be compared to any later criteria in the list. Packets not matching this criterion will be compared to the next entry in the list.

4.Permits inbound HTTP traffic from the authenticated client to any address in the 11.11.11.1 network. Packets matching this criterion are permitted and are not compared to any later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.

5.This entry does not appear in an actual ACL, but is implicit as the last entry in every ACL. Any inbound traffic from the authenticated client that does not match any of the criteria in the ACL’s preceding ACE entries will be denied (dropped).

Figure 5. Example of How a RADIUS-Based ACL Filters Packets

Overriding the Implicit “deny IP any any”. RADIUS-based ACLs include an implicit “deny IP any any”. That is, packets received inbound from an authenticated client that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded. If you want the port to permit all inbound IP traffic (from the authenticated client) that the ACL does not explicitly permit or deny, insert a permit in ip from any to any (“permit any any”) as the last explicit entry in the ACL. (Inbound traffic from a client other than the client whose authentication caused the ACL assignment to the port is dropped.)

53