Filter
Top Products
Mapping Security ACLs 391
To map a security ACL to a user session, follow these steps:
1 Create the security ACL. For example, to filter packets coming from
192.168.253.1 and going to 192.168.253.12,
type the following:
WX1200# set security acl ip acl-222 permit
ip 192.168.253.1 0.0.0.0 198.168.253.12 0.0.0.0
hits
2 Commit the security ACL to the running configuration. For example, to
commit acl-222, type the following command:
WX1200# commit security acl acl-222
success: change accepted.
3 Apply the Filter-Id authentication attribute to a user’s session via an
external RADIUS server. For instructions, see the documentation for your
RADIUS server.
If the Filter-Id value returned through the authentication and
authorization process does not match the name of a committed security
ACL in the WX, the user fails authorization and cannot be authenticated.
4 Alternatively, authenticate the user with the Filter-Id attribute in the WX
switch’s local database. Use one of the commands shown in Table 33.
Specify .in for incoming packets or .out for outgoing packets.
When assigned the Filter-Id attribute, an authenticated user with a
current session receives packets based on the security ACL. For example,
to restrict incoming packets for Natasha to those specified in acl-222,
type the following command:
WX1200# set user Natasha attr filter-id acl-222.in
success: change accepted.
You can also map a security ACL to a user group. For details, see
“Assigning a Security ACL to a User or a Group” on page 494. For more
information about authenticating and authorizing users, see “About
Administrative Access” on page 54 and “AAA Tools for Network Users”
on page 441.
Table 33 Mapping Commands
Mapping Target Commands
User authenticated by
a password
set user username attr filter-id acl-name.in
set user username attr filter-id acl-name.out
User authenticated by
a MAC address
set mac-user username attr filter-id acl-name.in
set mac-user username attr filter-id acl-name.out