Enhancements

Release M.10.02 Enhancements

Explicitly Denying Any IP Traffic: Entering a deny in ip from any to any ACE in an ACL denies all IP traffic not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect.

Implicitly Denying Any IP Traffic: For any packet being filtered by an ACL, there will always be a match. Included in every ACL is an implicit deny in ip from any to any. This means that the ACL denies any IP packet it filters that does not have a match with an explicitly configured ACE. Thus, if you want an ACL to permit any packets that are not explicitly denied, you must configure permit in ip from any to any as the last explicit ACE in the ACL. Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches the permit in ip from any to any entry will be permitted, and will not reach the implicit deny in ip from any to any ACE that is included at the end of the ACL. For an example, refer to Figure 5 on page 53.

Determine the order in which you want the individual ACEs in the ACL to filter inbound traffic from a client. A general guideline is to arrange the ACEs in the expected order of decreasing application frequency. This will result in the most prevalent traffic types finding a match earlier in the ACL than traffic types that are more infrequent, thus saving processing cycles.
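The first-match evaluation described above can be checked offline before an ACL is applied to a switch. The following is an added example, not code from the HP manual: it parses the manual's textual ACE form (only permit/deny in ip from SRC to DST is supported, an assumption for brevity), appends the implicit deny any-to-any, reports which ACE decided a packet, and flags ACEs shadowed by an earlier any-to-any entry.

```python
"""Simulate first-match ACL evaluation with an implicit 'deny in ip from any to any'."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # CIDR prefix or "any"
    dst: str     # CIDR prefix or "any"


IMPLICIT_DENY = Ace("deny", "any", "any")  # appended to every ACL by the switch


def parse_ace(text):
    """Parse 'permit in ip from 10.10.0.0/16 to any' (simplified grammar, assumption)."""
    w = text.split()
    if len(w) != 7 or w[0] not in ("permit", "deny") or w[1:4] != ["in", "ip", "from"] or w[5] != "to":
        raise ValueError("unsupported ACE: " + text)
    return Ace(w[0], w[4], w[6])


def _matches(prefix, addr):
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def evaluate(acl, src_ip, dst_ip):
    """Return (action, index) of the first ACE that matches the packet.
    index == len(acl) means the packet fell through to the implicit deny."""
    for i, ace in enumerate(list(acl) + [IMPLICIT_DENY]):
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action, i
    raise AssertionError("unreachable: the implicit deny always matches")


def unreachable_aces(acl):
    """Indices of ACEs that can never match because an earlier any-to-any ACE shadows them."""
    for i, ace in enumerate(acl):
        if ace.src == "any" and ace.dst == "any":
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACL; the last ACE is deliberately placed after 'permit any' to show it is dead.
ACL = [parse_ace(s) for s in (
    "permit in ip from 10.10.0.0/16 to 192.168.5.0/24",
    "deny in ip from 10.10.9.0/24 to any",
    "permit in ip from any to any",
    "deny in ip from 10.10.1.0/24 to any",
)]

if __name__ == "__main__":
    print(evaluate(ACL, "10.10.1.7", "192.168.5.1"))   # ('permit', 0)
    print(evaluate(ACL, "10.10.9.3", "8.8.8.8"))       # ('deny', 1)
    print(evaluate(ACL, "10.10.1.7", "8.8.8.8"))       # ('permit', 2)
    print(unreachable_aces(ACL))                       # [3]
    print(evaluate(ACL[:2], "172.16.0.1", "8.8.8.8"))  # ('deny', 2) via implicit deny
```

Dropping the explicit permit-any (ACL[:2]) shows the implicit deny catching traffic that no ACE matched, which is the behaviour the manual warns about.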

Operating Rules for RADIUS-Based ACLs

ACL Assignments Per-Port: One RADIUS-assigned ACL is allowed per-port.

Port Trunks Excluded: RADIUS-assigned ACLs cannot be assigned to a port trunk.

Relating a Client to a RADIUS-Based ACL: A RADIUS-based ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. (If the client must authenticate using 802.1X and/or Web Authentication, the username/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set.) For more on this topic, refer to “Configuring an ACL in a RADIUS Server” on page 58.

Multiple Clients Using the Same Username/Password Pair: Multiple clients using the same username/password pair will use duplicate instances of the same ACL.

RADIUS-Based ACL Not Allowed on a Port that has a Statically-Configured ACL: Where a RADIUS server is configured to assign an ACL when a given client authenticates, if the port used by that client is already statically configured with a port-based ACL in the switch configuration, then the RADIUS-based ACL is not accepted and the client is de-authenticated.

A RADIUS-Based ACL Affects Only the Inbound Traffic from a Specific, Authenticated Client: A RADIUS-based ACL assigned to a port as the result of a client authenticating on that port applies only to the inbound traffic received on that port from that client. It does not affect the traffic received from any other authenticated clients on that port, and does not affect any outbound traffic on that port.

HP 3400CL-24G manual Operating Rules for RADIUS-Based ACLs