Configuration Notes; Explicitly Permit Ipv4 And Ipv6 Traffic From An Authenticated Client; Explicitly Permit Only The Ipv4 Traffic From An Authenticated Client; Explicitly Deny Inbound Traffic From An Authenticated Client - HP 2530 Manual Supplement


Configuration notes

Explicitly permit IPv4 and IPv6 traffic from an authenticated client

This option for ending a RADIUS-assigned ACL permits all the client's inbound IPv4 and IPv6 traffic
not previously permitted or denied.
Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1
See Table 10 (page 42) for information on the above attributes.

Explicitly permit only the IPv4 traffic from an authenticated client

Any of the following three options for ending a RADIUS-assigned ACL explicitly permits all the
client's inbound IPv4 traffic not previously permitted or denied. These options also deny any of the
client's IPv6 traffic not previously permitted or denied.
Nas-filter-Rule += permit in ip from any to any
(Using this attribute to permit IPv4 traffic from the client while denying any IPv6
traffic from the client assumes that HP-Nas-Rules-IPv6=1 does not exist
elsewhere in the ACL. See Table 10 (page 42) for more on HP-Nas-Rules-IPv6.)
HP-Nas-Filter-Rule += permit in ip from any to any
Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=2

Explicitly deny inbound traffic from an authenticated client

All the following methods for ending a RADIUS-assigned ACL explicitly deny all the client's inbound
IPv4 and IPv6 traffic not previously permitted or denied.
Nas-filter-Rule += deny in ip from any to any
HP-Nas-Filter-Rule += deny in ip from any to any
Nas-filter-Rule += deny in ip from any to any HP-Nas-Rules-IPv6=2

Implicitly deny any IP traffic

For any packet filtered by a RADIUS-assigned ACL, there is always a match, as any packet without
a match with an explicit permit or deny ACE in the list will match with the implicit deny any any
ACE automatically included at the end of the ACL. (A RADIUS-assigned ACL includes an implicit
deny in ip from any to any ACE at the end of the ACL to deny any IPv4 and IPv6 traffic
not previously permitted or denied.)
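
The following audit helper is an added example, not part of the HP manual. It reads the attribute lines of a RADIUS-assigned ACL and reports the fate of client traffic that matches no earlier ACE, following the ending rules described above. It assumes the catch-all ACE, if present, is the last ACE in the list; the function name and the sample ACLs are constructed for illustration.

```python
import re

ACE = re.compile(r"^(HP-Nas-Filter-Rule|Nas-filter-Rule)\s*\+?=\s*(.+)$", re.I)
V6_FLAG = re.compile(r"HP-Nas-Rules-IPv6\s*=\s*(\d+)", re.I)
CATCH_ALL = re.compile(r"^(permit|deny)\s+in\s+ip\s+from\s+any\s+to\s+any$", re.I)

def default_disposition(acl_text):
    """Report what happens to inbound traffic that matches no earlier ACE."""
    flag = V6_FLAG.search(acl_text)
    v6_enabled = flag is not None and flag.group(1) == "1"
    aces = []
    for line in acl_text.splitlines():
        # The IPv6 flag may share a line with an ACE, as in the listings above.
        m = ACE.match(V6_FLAG.sub("", line).strip())
        if m:
            aces.append((m.group(1).lower(), m.group(2).strip()))
    last = CATCH_ALL.match(aces[-1][1]) if aces else None
    if last is None:
        # No explicit ending: the implicit deny covers IPv4 and IPv6.
        return {"ipv4": "deny", "ipv6": "deny", "ending": "implicit"}
    action = last.group(1).lower()
    # Assumption drawn from the page: only a Nas-filter-Rule permit combined
    # with HP-Nas-Rules-IPv6=1 extends the permit to IPv6 traffic.
    v6_ok = action == "permit" and aces[-1][0] == "nas-filter-rule" and v6_enabled
    return {"ipv4": action, "ipv6": "permit" if v6_ok else "deny",
            "ending": "explicit"}

# Constructed sample ACLs; 192.0.2.10 is a documentation address.
FIRST = "Nas-filter-Rule += deny in tcp from any to 192.0.2.10\n"
SAMPLES = {
    "permit_v4_v6": FIRST + "Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1",
    "permit_v4_flag2": FIRST + "Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=2",
    "permit_v4_hp_attr": FIRST + "HP-Nas-Filter-Rule += permit in ip from any to any",
    "explicit_deny": FIRST + "Nas-filter-Rule += deny in ip from any to any",
    "no_ending": FIRST.strip(),
}

if __name__ == "__main__":
    for name, acl in SAMPLES.items():
        print(name, default_disposition(acl))
```

Running such a check against ACL definitions before they are deployed on the RADIUS server flags entries where HP-Nas-Rules-IPv6=1 opens all IPv6 traffic from the client, or where the ACL falls through to the implicit deny.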

Configuring the switch to support RADIUS-assigned ACLs

An ACL configured in a RADIUS server is identified by the authentication credentials of the client
or group of clients the ACL is designed to support. When a client authenticates with credentials
associated with a particular ACL, the switch applies that ACL to the switch port the client is using.
To enable the switch to forward a client's credentials to the RADIUS server, first configure RADIUS
operation and an authentication method on the switch as follows:
1. Configure RADIUS operation on the switch:
Syntax:
radius-server host <ipv4-address> key <key-string>
This command configures the IPv4 address and encryption key of a RADIUS server.
The server must be accessible to the switch and configured to support authentication
requests from clients using the switch to access the network.
