HP (Hewlett-Packard) 3400CL-24G Switch User Manual


 
Enhancements
Release M.10.02 Enhancements
Configuring an ACL in a RADIUS Server
This section provides general guidelines for configuring a RADIUS server to specify RADIUS-based
ACLs. Also included is an example configuration for a FreeRADIUS server application. However, to
configure support for these services on a specific RADIUS server application, please refer to the
documentation provided with the application.
Elements in a RADIUS-Based ACL Configuration. A RADIUS-based ACL configuration in a
RADIUS server has the following elements:
• vendor and ACL identifiers:
    • ProCurve (HP) Vendor-Specific ID: 11
    • Vendor-Specific Attribute for ACLs: 61 (string = HP-IP-FILTER-RAW)
    • Setting: HP-IP-FILTER-RAW = < “permit” or “deny” ACE >
      (Note that the “string” value and the “Setting” specifier are identical.)
• ACL configuration, including:
    • one or more explicit “permit” and/or “deny” ACEs created by the system operator
    • implicit deny in ip from any to any ACE automatically active after the last
      operator-created ACE
• ACEs define the ACL for a given client:
    • A given ACE configuration on a RADIUS server includes the identity of the client to
      which it applies. That is, the ACE includes the client username/password pair or the
      client device’s MAC address.
    • All ACEs configured on a RADIUS server for the same client are interpreted as belonging
      to the same ACL. (There is no ACL name or number configured on the RADIUS server.)
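How the elements listed above appear on the wire, as an added example that is not part of the HP manual: each ACE is carried in a Vendor-Specific attribute (RADIUS type 26, RFC 2865) with vendor ID 11 and vendor type 61, and the decoder rebuilds one client's ACL with the implicit deny appended. This goes beyond the server-side configuration the page covers; the function names, the username and the sample ACEs are constructed for illustration.

```python
import struct

HP_VENDOR_ID = 11          # ProCurve (HP) vendor-specific ID, from the page
HP_IP_FILTER_RAW = 61      # VSA number for ACLs, from the page
VENDOR_SPECIFIC = 26       # RADIUS attribute type 26 (RFC 2865, section 5.26)
IMPLICIT_DENY = "deny in ip from any to any"  # implicit final ACE, from the page

def encode_ace(ace: str) -> bytes:
    """Wrap one ACE string in a Vendor-Specific attribute for HP VSA 61."""
    if ace.split(" ", 1)[0] not in ("permit", "deny"):
        raise ValueError(f"ACE must start with permit or deny: {ace!r}")
    value = ace.encode("ascii")
    sub = struct.pack("!BB", HP_IP_FILTER_RAW, 2 + len(value)) + value
    if 6 + len(sub) > 255:
        raise ValueError("ACE too long for a single RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), HP_VENDOR_ID) + sub

def effective_acl(attributes: bytes) -> list[str]:
    """Collect HP-IP-FILTER-RAW ACEs in order and append the implicit deny."""
    aces, pos = [], 0
    while pos < len(attributes):
        if len(attributes) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("bad attribute length")
        body = attributes[pos + 2 : pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a vendor-specific attribute we can interpret
        if struct.unpack("!I", body[:4])[0] != HP_VENDOR_ID:
            continue  # another vendor's VSA
        sub = body[4:]
        while len(sub) >= 2:  # tolerate several sub-attributes in one VSA
            sub_type, sub_len = sub[0], sub[1]
            if sub_len < 2 or sub_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if sub_type == HP_IP_FILTER_RAW:
                aces.append(sub[2:sub_len].decode("ascii"))
            sub = sub[sub_len:]
    return aces + [IMPLICIT_DENY]

# Constructed sample: attribute section of an Access-Accept for one client.
SAMPLE = (
    struct.pack("!BB", 1, 7) + b"user1"  # User-Name attribute, skipped by the decoder
    + encode_ace("permit in tcp from any to 10.10.10.101")
    + encode_ace("deny in tcp from any to any")
)
print(effective_acl(SAMPLE))
```

Because the server holds no ACL name or number, the order in which the ACEs arrive for a client is the ACL, so comparing this decoded list against the intended policy is a quick check on what a server entry really grants.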
Example of Configuring a RADIUS-based ACL Using the FreeRADIUS Application. This
example illustrates one method for configuring RADIUS-based ACL support for two different client
identification methods (username/password and MAC address). For information on how to configure
this functionality on other RADIUS server types, refer to the documentation provided with the server.
1. Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file:

Item | Limit | Notes
Per-Port Mask Usage | | ACLs consume per-port (internal) mask resources rapidly and can be affected by IGMP usage on the same switch. For more on this topic, refer to the “ACL Resource Usage and Monitoring” and “Extended ACLs” subsections in the chapter titled “Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches” of the Advanced Traffic Management Guide for your 3400cl switch.