Enhancements

Release M.10.02 Enhancements

Displaying the Current RADIUS-Based ACL Activity on the Switch

These commands output data indicating the current ACL activity imposed per-port by RADIUS server responses to client authentication.

Syntax: show access-list radius < port-list>

For the specified ports, this command lists the explicit ACEs, switch port, and client MAC address for the ACL dynamically assigned by a RADIUS server as a response to client authentication. If cnt (counter) is included in an ACE, then the output includes the current number of inbound packet matches the switch has detected in the current session for that ACE.

Note: If there are no ACLs currently assigned to any port in < port-list>, executing this command returns the following message:

Port < port-#>, No RADIUS ACLs applied on this port.

If a client authenticates but the server does not return a RADIUS-based ACL to the client port, then the server does not have a valid ACL configured and assigned to that client’s authentication credentials.

For example, the following output shows that a RADIUS server has assigned an ACL to port 10 to filter inbound traffic from an authenticated client identified by a MAC address of 00-11-85-C6-54-7D.

ProCurve# show access-list radius 10

Radius-configured Port-based ACL for Port 10, Client -- 001185C6547D

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

deny in tcp from any

to 10.15.240.184 23 cnt

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Packet Hit Counter

 

 

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

deny in tcp from any

to 10.15.240.184 80 cnt

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Packet Hit Counter

:

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

permit in tcp from any

to 10.15.240.184 7

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

permit in udp from any

 

to

 

 

10.15.240.184 7

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

deny in tcp from

any

 

to 10.15.240.184 161 cnt

 

 

 

Packet Hit Counter

:

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

deny in udp from any

to 10.15.240.184 161 cnt

 

 

 

Packet Hit Counter

:

0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

permit in ip from any to any

Indicates MAC address identity of the authenticated client on the specified port. This data identifies the client to which the ACL applies.

Lists “deny” ACE for Inbound Telnet (23 = TCP port number) traffic, with counter configured to show the number of matches detected.

Lists current counter for the preceeding “Deny” ACE.

Lists “permit” ACE for inbound TCP and UDP traffic, with no counters configured.

Note that the implicit “deny any/any” included automatically at the end of every ACL is not visible in ACL listings generate by the switch.

Figure 9. Example Showing a RADIUS-Based ACL Application to a Currently Active Client Session

64