Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
Operating Rules for RADIUS-Assigned ACLs
Relating a Client to a RADIUS-Assigned ACL: A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. (If the client must authenticate using 802.1X and/or Web Authentication, the username/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set.) For more on this topic, refer to “Configuring an ACL in a RADIUS Server” on page 6-17.
Multiple Clients Using the Same Username/Password Pair: Multiple clients using the same username/password pair will use duplicate instances of the same ACL.
Limits for ACEs in RADIUS-assigned ACLs: The switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related client authentication to fail.
Effect of RADIUS-assigned ACLs on Inbound Traffic for Two Clients on the Same Port: On a port configured for 802.1X user-based access where up to two clients are connected, if one client’s authentication results in a RADIUS-assigned ACL assignment, then the authentication of the other client concurrently using the port must also include a RADIUS-assigned ACL assignment. Thus, if a RADIUS server is configured to assign a RADIUS-assigned ACL when client “X” authenticates, but is not configured to do the same for client “Y”, then traffic from client “Y” is blocked whenever client “X” is authenticated on the port, and client “Y” is deauthenticated. For this reason, if two clients are authenticated on a port, the RADIUS server must assign a separate RADIUS-assigned ACL to each authenticated client. Inbound IP traffic from a client whose authentication does not result in a RADIUS-assigned ACL assignment is blocked, and the client is deauthenticated. Also, if 802.1X port-based access is configured on the port, only one client can be authenticated on the port at any given time, and no other inbound client traffic is allowed.
Configuring an ACL in a RADIUS Server
This section provides general guidelines for configuring a RADIUS server to specify RADIUS-assigned ACLs. Also included is an example configuration for a FreeRADIUS server application. However, to configure support for these services on a specific RADIUS server application, please refer to the documentation provided with the application.
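The operating rules above, together with the FreeRADIUS configuration this section introduces, can be checked before the server is put in front of a switch. The following Python script is an added example, not code from the manual, from HP or from the FreeRADIUS project: it parses entries written in FreeRADIUS "users" file syntax and flags the two failure modes the rules describe, an entry with no RADIUS-assigned ACL (whose client is blocked and deauthenticated if it shares a user-based 802.1X port with an ACL-assigned client) and an ACE longer than 80 characters (which makes authentication fail). The attribute name Nas-Filter-Rule, the usernames, passwords, MAC-address format and sample entries are all constructed assumptions; the page does not name the reply attribute, so the script takes it as a parameter.

```python
import re
from dataclasses import dataclass

# Reply attribute that carries each ACE. ASSUMPTION: the manual does not name
# the attribute on this page and it depends on the switch software and the
# RADIUS dictionary in use, so it is a parameter rather than a fixed value.
DEFAULT_ACL_ATTRIBUTE = "Nas-Filter-Rule"

# Per-ACE limit stated in the operating rules; a longer ACE makes the
# client's authentication fail.
MAX_ACE_CHARS = 80

# One reply item: "<Attribute> <op> <value>" with an optional trailing comma.
REPLY_ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|==|=)\s*(.+?)\s*,?\s*$')


@dataclass
class UsersEntry:
    username: str       # 802.1X/Web-Auth username, or the MAC address for MAC-Auth
    check_items: str    # everything after the username on the entry's first line
    reply_items: list   # (attribute, operator, value) tuples from the indented lines


def parse_users_file(text):
    """Parse FreeRADIUS "users" file syntax: an unindented line starts an entry
    (username plus check items); the indented lines that follow are reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":
            parts = line.split(None, 1)
            current = UsersEntry(parts[0], parts[1] if len(parts) > 1 else "", [])
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"reply item before any entry: {line!r}")
        m = REPLY_ITEM_RE.match(line)
        if not m:
            raise ValueError(f"unparseable reply item: {line!r}")
        attr, op, value = m.groups()
        current.reply_items.append((attr, op, value.strip('"')))
    return entries


def lint_entries(entries, acl_attribute=DEFAULT_ACL_ATTRIBUTE):
    """Return (username, finding) pairs for the two failure modes in the rules."""
    findings = []
    for e in entries:
        aces = [v for a, _, v in e.reply_items if a == acl_attribute]
        if not aces:
            findings.append((e.username,
                             f"no {acl_attribute} reply item: if this client shares a "
                             "user-based 802.1X port with an ACL-assigned client, its "
                             "inbound IP traffic is blocked and it is deauthenticated"))
        for ace in aces:
            if len(ace) > MAX_ACE_CHARS:
                findings.append((e.username,
                                 f"ACE exceeds {MAX_ACE_CHARS} characters "
                                 f"({len(ace)}): authentication will fail: {ace!r}"))
    return findings


def lint_users_text(text, acl_attribute=DEFAULT_ACL_ATTRIBUTE):
    return lint_entries(parse_users_file(text), acl_attribute)


# Constructed sample, not taken from the manual. Passwords and the MAC address
# are placeholders; the hyphenated MAC format is an assumption (the switch's
# configured MAC-Auth address format decides what the server sees as username).
SAMPLE_USERS = '''\
# 802.1X / Web-Auth client: username and password are the credential set.
mobile011  Cleartext-Password := "run101112"
        Nas-Filter-Rule = "permit in tcp from any to 10.10.10.101",
        Nas-Filter-Rule += "deny in tcp from any to any",
        Nas-Filter-Rule += "permit in ip from any to any"

# MAC-Auth client: the MAC address is the credential set.
00-11-22-33-44-55  Cleartext-Password := "00-11-22-33-44-55"
        Nas-Filter-Rule = "permit in ip from any to any"

# Second client on the same user-based 802.1X port, with no ACL assigned.
mobile012  Cleartext-Password := "run121314"
        Session-Timeout = 3600

# One ACE longer than 80 characters.
mobile013  Cleartext-Password := "run151617"
        Nas-Filter-Rule = "permit in tcp from 192.168.100.200 to 192.168.200.100 5000 pad-pad-pad-pad-pad-pad-pad"
'''

if __name__ == "__main__":
    for user, finding in lint_users_text(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

Run it against the real users file (or the output of whatever generates it) with the attribute name your switch software and RADIUS dictionary actually use; any username it reports for a missing ACL is one that must not be allowed onto a user-based 802.1X port shared with an ACL-assigned client, and any ACE it reports as over 80 characters must be split or shortened before that client can authenticate.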
6-17