Filter
Top Products
53
Enhancements
Release M.10.02 Enhancements
For example, suppose you want to configure a RADIUS-based ACL to invoke these policies in the
11.11.11.0 network:
1. Permit inbound client traffic with a DA of 11.11.11.42.
2. Permit inbound Telnet traffic for DA 11.11.11.101.
3. Deny inbound Telnet traffic for all other IP addresses in the 11.11.11.0 network.
4. Permit inbound HTTP traffic for any IP address in the 11.11.11.0 network.
5. Deny all other inbound traffic.
The following ACL model, when invoked by a client authenticating with the credentials configured
in the RADIUS server for this ACL, supports the above case:
Figure 5. Example of How a RADIUS-Based ACL Filters Packets
Overriding the Implicit “deny IP any any”. RADIUS-based ACLs include an implicit “deny IP
any any”. That is, packets received inbound from an authenticated client that the ACL does not
explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded. If
you want the port to permit all inbound IP traffic (from the authenticated client) that the ACL does
not explicitly permit or deny, insert a permit in ip from any to any (“permit any any”) as the last explicit
entry in the ACL. (Inbound traffic from a client other than the client whose authentication caused
the ACL assignment to the port is dropped.)
4
2. Permits inbound Telnet traffic from the authenticated client to
the destination address 11.11.11.101. Packets matching this
criterion are forwarded and are not compared to any later ACE
in the list. Packets not matching this criterion will be compared
to the next entry in the list.
1. Permits inbound IP traffic from the authenticated client to the
destination address 11.11.11.42. Packets matching this criterion
are forwarded and are not compared to any later ACE in the list.
Packets not matching this criterion will be compared to the next
entry in the list.
4. Permits inbound HTTP traffic from the authenticated client to
any address in the 11.11.11.1 network. Packets matching this
criterion are permitted and are not compared to any later
criteria in the list. Packets not matching this criterion are
compared to the next entry in the list.
5. This entry does not appear in an actual ACL, but is implicit as
the last entry in every ACL. Any inbound traffic from the
authenticated client that does not match any of the criteria in
the ACL’s preceding ACE entries will be denied (dropped).
1
2
3
5
Permit in ip from any to 11.11.11.42
Permit in tcp from any to 11.11.11.101 23
Deny in tcp from any to 11.11.11.0/24 23
Permit in tcp from any to 11.11.11.1/24 80
(implicit deny in ip any to any)
3. Denies inbound Telnet traffic from the authenticated client to
any IP address in the 11.11.11.0 network. Since packets
matching entry “2” will never reach this ACE, the Telnet traffic
permitted by entry “2” will not be affected. Packets matching
this criterion will be denied and will not be compared to any
later criteria in the list. Packets not matching this criterion will
be compared to the next entry in the list.