Configuring RADIUS Server Support for Switch Services

Configuring and Using RADIUS-Assigned Access Control Lists

the same username/password pair. Where the client MAC address is the selection criterion, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port. The ACL then filters the client’s inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL. (Every ACL ends with an implicit deny in ip from any to any (“deny any any”) ACE that denies IP traffic not specifically permitted by the ACL.) When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.


Notes

Included in any RADIUS-assigned ACL, there is an implicit deny in ip from any to any (“deny any any”) command that results in a default action to deny any inbound IP traffic that is not specifically permitted by the ACL. To override this default, use an explicit permit in ip from any to any (“permit any any”) as the last ACE in the ACL. This will only apply to the authenticated client; the default ip deny any any applies to all other IPv4 traffic.

On a given port, RADIUS-assigned ACL filtering applies to all IPv4 traffic once a client is authenticated.

 

Multiple Clients Sharing the Same RADIUS-Assigned ACL. When multiple clients supported by the same RADIUS server use the same credentials, they will all be serviced by different instances of the same ACL. (The actual IP traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses this MAC address to identify the traffic to be filtered.)


Multiple ACL Application Types on an Interface. The switch allows simultaneous use of all supported ACL application types on an interface.
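As an added example (not ProCurve code from this manual), the following Python script models the filtering behaviour described in the passages above: ordered ACEs written in the page's "permit/deny in ip from any to any" form, first-match evaluation, the implicit trailing deny, the "permit in ip from any to any" override as the last ACE, removal of the ACL when the session ends, and a separate ACL instance per authenticated client MAC on a port. Accepting a CIDR prefix in the from/to fields, the sample MAC and IP addresses, and the class and function names are all constructed for the illustration and are not taken from the manual.

```python
"""Model of RADIUS-assigned ACL filtering as described in the text (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ACE syntax as shown on the page: "<permit|deny> in ip from <src> to <dst>".
# Allowing a CIDR prefix (e.g. 10.10.10.0/24) instead of "any" is an assumption
# added for illustration; the page itself shows only "any".
_ACE_RE = re.compile(r"^(permit|deny)\s+in\s+ip\s+from\s+(\S+)\s+to\s+(\S+)$")

# The implicit ACE the page says ends every RADIUS-assigned ACL.
IMPLICIT_DENY = "deny in ip from any to any"


@dataclass(frozen=True)
class Ace:
    action: str                                   # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]          # None means "any"
    dst: Optional[ipaddress.IPv4Network]

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return (self.src is None or s in self.src) and (self.dst is None or d in self.dst)


def _endpoint(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_ace(line: str) -> Ace:
    m = _ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    action, src, dst = m.groups()
    return Ace(action, _endpoint(src), _endpoint(dst))


class RadiusAssignedAcl:
    """Ordered ACEs; first match wins; implicit deny-any-any if nothing matches."""

    def __init__(self, ace_lines: List[str]):
        self.aces = [parse_ace(line) for line in ace_lines]

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        for ace in self.aces:
            if ace.matches(src_ip, dst_ip):
                return ace.action
        return parse_ace(IMPLICIT_DENY).action   # the page's implicit trailing deny


class SwitchPort:
    """One switch port holding a separate ACL instance per authenticated client MAC."""

    def __init__(self) -> None:
        self._acls: Dict[str, RadiusAssignedAcl] = {}

    def client_authenticated(self, mac: str, ace_lines: List[str]) -> None:
        # RADIUS assigns the ACL configured with the client's credentials; clients
        # sharing credentials get distinct instances of the same ACE list.
        self._acls[mac.lower()] = RadiusAssignedAcl(ace_lines)

    def client_session_ended(self, mac: str) -> None:
        self._acls.pop(mac.lower(), None)         # switch removes the assigned ACL

    def filter_inbound(self, src_mac: str, src_ip: str, dst_ip: str) -> str:
        if not self._acls:
            return "no-radius-acl"                # no authenticated client on the port
        acl = self._acls.get(src_mac.lower())
        if acl is None:
            # Traffic not belonging to an authenticated client: the Notes say the
            # default deny any any applies to all other IPv4 traffic on the port.
            return "deny"
        return acl.evaluate(src_ip, dst_ip)       # ACL instance selected by source MAC


def demo() -> Dict[str, str]:
    """Constructed scenario: two clients sharing one ACL plus one client with a permit-any override."""
    port = SwitchPort()
    group_acl = ["permit in ip from any to 10.10.10.0/24"]          # relies on implicit deny
    open_acl = ["deny in ip from any to 10.10.10.5/32",
                "permit in ip from any to any"]                     # last ACE overrides the default
    port.client_authenticated("00:11:22:33:44:01", group_acl)
    port.client_authenticated("00:11:22:33:44:02", group_acl)
    port.client_authenticated("00:11:22:33:44:03", open_acl)
    results = {
        "group_permitted": port.filter_inbound("00:11:22:33:44:01", "192.168.1.10", "10.10.10.20"),
        "group_implicit_deny": port.filter_inbound("00:11:22:33:44:02", "192.168.1.11", "172.16.0.1"),
        "override_denied_host": port.filter_inbound("00:11:22:33:44:03", "192.168.1.12", "10.10.10.5"),
        "override_permit_any": port.filter_inbound("00:11:22:33:44:03", "192.168.1.12", "172.16.0.1"),
        "unauthenticated_mac": port.filter_inbound("00:11:22:33:44:99", "192.168.1.99", "10.10.10.20"),
    }
    port.client_session_ended("00:11:22:33:44:01")
    results["after_session_end"] = port.filter_inbound("00:11:22:33:44:01", "192.168.1.10", "10.10.10.20")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "group_implicit_deny" case shows why an ACL with only permit entries still blocks everything else, and "override_permit_any" shows the documented way to change that default: an explicit permit-any-any as the final ACE, with more specific deny entries placed before it.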

General ACL Features, Planning, and Configuration

These steps suggest a process for using RADIUS-assigned ACLs to establish access policies for client IP traffic.

1. Determine the policies you want to enforce for authenticated client traffic inbound on the switch.

2. Plan ACLs to execute traffic policies:

• Apply ACLs on a per-client basis where individual clients need different traffic policies or where each client must have a different username/password pair or will authenticate using MAC authentication.

• Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same username/password pair.

6-15