CHAPTER 7: CONFIGURING AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING PARAMETERS

Mapping User-Based ACLs

When you map a user-based ACL, you can use any defined ACL, even if that ACL is also mapped to a port, VLAN, or virtual port.

You can set a Filter-Id authorization attribute on the RADIUS server or in the WX switch's local database. The Filter-Id attribute is a security ACL name (or two ACL names) together with the direction of the packets to which each ACL applies. The security ACL mapped by Filter-Id instructs the WX switch to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user.

• If you are configuring Filter-Id attributes for a user in a WX switch's local database, use the filter-id.in attribute to specify an inbound ACL and the filter-id.out attribute to specify an outbound ACL.

• If you are configuring the attributes on a RADIUS server, MSS can receive the Filter-Id attribute with a Profile value naming an inbound ACL and an OutboundACL value naming an outbound ACL. On the RADIUS server, the value field of filter-id can specify up to two ACLs. Any of the following are valid for MSS:

    • filter-id = "Profile=acl1"

    • filter-id = "OutboundACL=acl2"

    • filter-id = "Profile=acl1 OutboundACL=acl2"

The format in which to enter these values depends on the RADIUS server.

The security ACLs mapped by Filter-Id instruct the WX switch to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user.
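The following is an added example, not code from the manual or from MSS itself: a small Python checker for the two ways of expressing the mapping above. It parses the three RADIUS Filter-Id forms (Profile, OutboundACL, or both), reads the local-database filter-id.in / filter-id.out attributes into the same structure, and reports any referenced ACL name that has no local definition on the switch, since the switch filters with its local definition and an undefined name maps nothing. The ACL-name character set it enforces ([A-Za-z0-9_.-]) is an assumption, as are the function and class names; the manual does not specify either.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Keys that MSS recognises inside a RADIUS Filter-Id value (from the manual):
# Profile names the inbound ACL, OutboundACL names the outbound ACL.
INBOUND_KEY = "Profile"
OUTBOUND_KEY = "OutboundACL"

# Local-database attribute names (from the manual).
LOCAL_IN_ATTR = "filter-id.in"
LOCAL_OUT_ATTR = "filter-id.out"

# Assumed (not stated in the manual) character set for ACL names, so a stray
# quote, space or shell metacharacter in a server entry is rejected rather than
# passed on to the switch as part of a name.
ACL_NAME = re.compile(r"[A-Za-z0-9_.-]+")


@dataclass(frozen=True)
class UserAcls:
    """ACLs a user should receive, by flow direction. None means no ACL mapped."""
    inbound: Optional[str] = None
    outbound: Optional[str] = None


def parse_filter_id(value: str) -> UserAcls:
    """Parse a RADIUS Filter-Id value such as 'Profile=acl1 OutboundACL=acl2'.

    Accepts the three forms the manual lists: Profile only, OutboundACL only,
    or both separated by whitespace. Anything else (unknown key, missing '=',
    repeated key, malformed name, empty value) raises ValueError so that a bad
    server entry is caught during review instead of silently mapping no ACL.
    """
    text = value.strip().strip('"')
    if not text:
        raise ValueError("Filter-Id value is empty")
    inbound = outbound = None
    for token in text.split():
        key, sep, name = token.partition("=")
        if not sep or not ACL_NAME.fullmatch(name):
            raise ValueError(f"malformed Filter-Id token: {token!r}")
        if key == INBOUND_KEY:
            if inbound is not None:
                raise ValueError("Profile appears more than once")
            inbound = name
        elif key == OUTBOUND_KEY:
            if outbound is not None:
                raise ValueError("OutboundACL appears more than once")
            outbound = name
        else:
            raise ValueError(f"unknown Filter-Id key: {key!r}")
    return UserAcls(inbound=inbound, outbound=outbound)


def parse_local_attributes(attrs: Dict[str, str]) -> UserAcls:
    """Build the same structure from local-database user attributes
    (filter-id.in / filter-id.out), validating names the same way."""
    result = {}
    for attr, field in ((LOCAL_IN_ATTR, "inbound"), (LOCAL_OUT_ATTR, "outbound")):
        name = attrs.get(attr)
        if name is not None and not ACL_NAME.fullmatch(name):
            raise ValueError(f"malformed ACL name in {attr}: {name!r}")
        result[field] = name
    return UserAcls(**result)


def missing_acls(acls: UserAcls, defined_acls: Iterable[str]) -> List[str]:
    """Names referenced by the mapping that the switch has no local ACL for.

    The switch applies its local definition of each named ACL, so a name that
    is not defined on the switch is a misconfiguration to flag before rollout.
    """
    defined = set(defined_acls)
    return sorted(n for n in (acls.inbound, acls.outbound) if n and n not in defined)


def is_valid_filter_id(value: str) -> bool:
    """Boolean wrapper around parse_filter_id for bulk-auditing server entries."""
    try:
        parse_filter_id(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries, as they might appear in a RADIUS users file.
    samples = ['"Profile=acl1"', '"OutboundACL=acl2"',
               '"Profile=acl1 OutboundACL=acl2"', '"Profile=acl1 Profile=acl3"']
    for entry in samples:
        print(entry, "->", parse_filter_id(entry) if is_valid_filter_id(entry) else "REJECTED")
    # Constructed list of ACLs defined locally on the switch: acl2 is absent.
    mapped = parse_filter_id("Profile=acl1 OutboundACL=acl2")
    print("not defined on switch:", missing_acls(mapped, ["acl1"]))
```

Run it over the Filter-Id values exported from your RADIUS server, plus the ACL names from the switch's own ACL table, before a change window: the parser rejects anything outside the three documented forms, and missing_acls lists every mapping that would reference an ACL the switch cannot find.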

For more information about assigning attributes in the local WX database, see “Configuring User Authorization Attributes” on page 274. For more information about adding attributes to a RADIUS database, see your RADIUS documentation.
