How A Radius Server Applies A Radius-Assigned Acl To A Client On A Switch Port - HP 2530 Manual Supplement


Table 9 Contrasting dynamic (RADIUS-assigned) and static ACLs (continued)

| Dynamic RADIUS-assigned ACLs | Static port and VLAN ACLs |
|---|---|
| Supports IPv6 ACLs and IPv4 extended ACLs. | Supports IPv6 ACLs and standard, extended, and connection-rate IPv4 ACLs. |
| A given RADIUS-assigned ACL operates on a port to filter only the IP traffic entering the switch from the authenticated client corresponding to that ACL, and does not filter IP traffic inbound from other authenticated clients. (The traffic source is not a configurable setting.) | A static port ACL can be applied on a port to filter either IPv4 or IPv6 traffic entering the switch through that port. |
| Requires client authentication by a RADIUS server configured to dynamically assign an ACL to a client on a switch port, based on client credentials. | No client authentication requirement. |
| ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match. | The show statistics command includes options for displaying the packet match count; see "Monitoring Static ACL Performance" in the HP Switch Software Access Security Guide for your switch. Also, ACEs allow a log option that generates a log message whenever there is a packet match with a "deny" ACE. |

Use of IPv4 Source Routing:

CAUTION: IPv4 source routing is enabled by default on the switch and can be used to override IPv4 ACLs. If you are using IPv4 ACLs to enhance network security, use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes "no ip source-route" in the running-config file listing.)

How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port

A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is to service. Where the username/password pair is the selection criterion, the corresponding ACL can also be used for a group of clients that all require the same ACL policy and use the same username/password pair. Where the client MAC address is the selection criterion, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client's credentials to the client's port. The ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL.

If the filter rule used for a RADIUS-based ACL is one of the options that specifies only IPv4 traffic, then the ACL will implicitly deny any inbound IPv6 traffic from the authenticated client.

If the filter rule used for a RADIUS-based ACL is the option for specifying both IPv4 and IPv6 traffic, then the ACL filters both IP traffic types according to the ACEs included in the RADIUS-assigned ACL.

When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.
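The following Python model is an added illustration, not code from the HP manual or the switch firmware. It reproduces the filtering behaviour described above for one authenticated client: the ACL filters only that client's inbound IP traffic, an IPv4-only filter rule implicitly denies IPv6, anything not explicitly permitted is dropped, and an ACE carrying the cnt option counts its matches. The Ace and RadiusAcl structures, the field names, and the sample packets are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:                 # one access control entry (constructed model)
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any IP protocol), "tcp", "udp" or "icmp"
    dst: str               # destination prefix such as "10.0.0.0/24", or "any"
    dport: Optional[int] = None
    cnt: bool = False      # the ACE 'cnt' option: count packet matches
    hits: int = 0

@dataclass
class RadiusAcl:           # ACL the RADIUS server assigned to one client
    client_mac: str        # only this client's inbound IP traffic is filtered
    ipv6: bool             # False = IPv4-only filter rule, True = IPv4 and IPv6
    aces: list

def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.dst != "any" and ip_address(pkt["dst"]) not in ip_network(ace.dst):
        return False
    return ace.dport is None or pkt.get("dport") == ace.dport

def filter_packet(acl: RadiusAcl, pkt: dict) -> Optional[str]:
    """Return 'permit' or 'deny' for an inbound packet, or None when the packet
    is from another client and therefore is not filtered by this ACL."""
    if pkt["src_mac"] != acl.client_mac:
        return None
    if ip_address(pkt["dst"]).version == 6 and not acl.ipv6:
        return "deny"      # IPv4-only rule: inbound IPv6 implicitly denied
    for ace in acl.aces:
        if ace_matches(ace, pkt):
            if ace.cnt:
                ace.hits += 1
            return ace.action
    return "deny"          # implicit deny: only explicitly permitted traffic passes

def run_demo():
    """Constructed client ACL and sample packets; returns verdicts and hit count."""
    acl = RadiusAcl("00:11:22:33:44:55", ipv6=False, aces=[
        Ace("permit", "tcp", "10.0.0.0/24", dport=443, cnt=True),
        Ace("permit", "udp", "10.0.0.53/32", dport=53),
    ])
    packets = [
        {"src_mac": "00:11:22:33:44:55", "proto": "tcp", "dst": "10.0.0.5", "dport": 443},
        {"src_mac": "00:11:22:33:44:55", "proto": "tcp", "dst": "10.0.0.5", "dport": 22},
        {"src_mac": "00:11:22:33:44:55", "proto": "udp", "dst": "2001:db8::53", "dport": 53},
        {"src_mac": "aa:bb:cc:dd:ee:ff", "proto": "tcp", "dst": "10.0.0.5", "dport": 443},
    ]
    return [filter_packet(acl, p) for p in packets], acl.aces[0].hits
```

The third packet is dropped even though an ACE permits UDP/53, because the assigned filter rule is IPv4-only; the fourth returns None because the ACL never sees other clients' traffic.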
Configuring RADIUS server support for switch services
39
