Multiple Clients Sharing The Same Radius-Assigned Acl; Effect Of Multiple Acl Application Types On An Interface; Acl Features, Planning, And Configuration - HP 2530 Manual Supplement



Multiple clients sharing the same RADIUS-assigned ACL

When multiple clients supported by the same RADIUS server use the same credentials, they are all
serviced by different instances of the same ACL. (The actual IP traffic inbound from any client on
the switch carries a source MAC address unique to that client; the RADIUS-assigned ACL uses this
MAC address to identify the traffic to be filtered.)

Effect of multiple ACL application types on an interface

The switch allows simultaneous use of all supported ACL application types on an interface. Thus
a static ACL assigned to an interface filters authenticated client traffic, regardless of whether a
RADIUS-assigned ACL is also filtering the client's traffic. For more information, see "An IPv4 static
port ACL filters any IPv4 traffic inbound on the designated port, Multiple ACLs on an Interface" in
the latest HP Switch Software Access Security Guide for your switch.

ACL features, planning, and configuration

The following steps outline a process for using RADIUS-assigned ACLs to establish access policies
for client IP traffic.

1. Determine the policies you want to enforce for authenticated client traffic inbound on the switch.

2. Plan ACLs to execute traffic policies:
   - Apply ACLs on a per-client basis where individual clients need different traffic policies,
     or where each client must have a different username/password pair or will use MAC
     authentication.
   - Apply ACLs on a client group basis where all clients in a given group can use the same
     traffic policy and the same username/password pair.

3. Configure the ACLs on a RADIUS server accessible to the intended clients.

4. Configure the switch to use the desired RADIUS server and support the desired client
   authentication scheme using 802.1X, web-based authentication, or MAC authentication. (Note
   that the switch can simultaneously use 802.1X with either web-based or MAC authentication.)

5. Test client access on the network to ensure that your RADIUS-assigned ACL application is
   properly enforcing your policies.

For further information common to all IPv4 or IPv6 ACL applications, see the latest versions of the
HP Switch Software IPv6 Configuration Guide for your switch.
Updates for the HP Switch Software Access Security Guide
NOTE: Implicit Deny
Every RADIUS-assigned ACL ends with an implicit deny in ip ACE for both IPv4 and IPv6 traffic.
This implicit ACE denies any IP traffic that is not specifically permitted. To override this
default, configure an explicit permit in ip from any to any as the ACL's last explicit ACE.

NOTE: Multiple clients in a RADIUS-assigned ACL environment
Where multiple clients are authenticated on the same port, if any of the clients has a
RADIUS-assigned ACL, then all the authenticated clients on the port must have a RADIUS-assigned
ACL. In this case, the switch drops the IP traffic from any authenticated client that does not
have a RADIUS-assigned ACL, and de-authenticates that client.
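As an added illustration (a constructed model, not HP switch code or configuration), the following Python models the three rules stated in this section and its notes: per-client ACL instances keyed by source MAC, the implicit deny in ip ACE and its permit in ip from any to any override, and the drop-and-de-authenticate rule for mixed clients on one port. The ACE text form, MAC addresses and IP addresses are constructed sample values, useful for checking policy intent before step 5 (testing client access).

```python
"""Model of the RADIUS-assigned ACL behaviour this supplement describes (constructed
example, not HP switch code). Clients on a port are keyed by source MAC, each client
with a RADIUS-assigned ACL gets its own instance of it, ACEs are matched first-match,
and every ACL ends with an implicit "deny in ip" ACE."""
import ipaddress

def parse_ace(text):
    """Parse the ACE form used on the page, '<permit|deny> in ip from <src> to <dst>',
    into an (action, src, dst) tuple; src/dst are 'any' or an IPv4/IPv6 prefix."""
    p = text.split()
    if len(p) != 7 or p[0] not in ("permit", "deny") or p[1:4] != ["in", "ip", "from"] or p[5] != "to":
        raise ValueError(f"unsupported ACE: {text!r}")
    return (p[0], p[4], p[6])

def _match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation; traffic matching no explicit ACE hits the implicit deny."""
    for action, src, dst in acl:
        if _match(src, src_ip) and _match(dst, dst_ip):
            return action
    return "deny"  # implicit deny in ip: anything not specifically permitted

def filter_port(clients, packets):
    """clients: {mac: ACE strings, or None if RADIUS assigned no ACL}; packets: (src_mac, src_ip, dst_ip).
    Per the note: if any client on the port has a RADIUS-assigned ACL, clients without one are
    dropped and de-authenticated. Returns (verdict per packet, sorted de-authenticated MACs)."""
    acls = {mac: [parse_ace(a) for a in rules] for mac, rules in clients.items() if rules is not None}
    deauth = sorted(mac for mac, rules in clients.items() if rules is None) if acls else []
    verdicts = []
    for src_mac, src_ip, dst_ip in packets:
        if src_mac in deauth:
            verdicts.append("deny")  # client has been de-authenticated
        elif src_mac in acls:
            verdicts.append(evaluate(acls[src_mac], src_ip, dst_ip))
        else:  # no RADIUS ACL on the port; a static port ACL (not modelled) may still filter
            verdicts.append("permit")
    return verdicts, deauth

# Constructed sample: two clients share credentials, so each gets its own instance of the
# same ACL; a third client on the port was authenticated without a RADIUS-assigned ACL.
SHARED_ACL = ["permit in ip from any to 10.0.0.0/24"]
OPEN_ACL = SHARED_ACL + ["permit in ip from any to any"]  # last ACE overrides the implicit deny
PORT_CLIENTS = {"00:11:22:33:44:01": SHARED_ACL, "00:11:22:33:44:02": SHARED_ACL,
                "00:11:22:33:44:03": None}
PACKETS = [("00:11:22:33:44:01", "192.168.1.10", "10.0.0.5"),    # permitted by explicit ACE
           ("00:11:22:33:44:02", "192.168.1.11", "172.16.0.9"),  # hits the implicit deny
           ("00:11:22:33:44:03", "192.168.1.12", "10.0.0.5")]    # dropped; client de-authenticated
if __name__ == "__main__":
    print(filter_port(PORT_CLIENTS, PACKETS))  # (['permit', 'deny', 'deny'], ['00:11:22:33:44:03'])
```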
