The Packet-Filtering Process; Operating Rules For Radius-Assigned Acls - HP 2530 Manual Supplement

The packet-filtering process

Packet-filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit deny
any any following the last explicit ACE. This operation is the same regardless of whether the ACL
is applied dynamically from a RADIUS server or statically in the switch configuration.
CAUTION:
ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IP packet transmissions, do not rely on them for a complete security solution.

NOTE:
If a RADIUS-assigned ACL permits an authenticated client's inbound IP packet, but the client port is also configured with a static port ACL or belongs to a VLAN for which there is an inbound, VLAN-based ACL configured on the switch, then the packet is also filtered by these other ACLs. If there is a match with a deny ACE in any of these ACLs, the switch drops the packet.

Operating rules for RADIUS-assigned ACLs

Relating a client to a RADIUS-assigned ACL: A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. If the client must authenticate using 802.1X and/or web-based authentication, the username/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set. See "Configuring an ACL in a RADIUS server" (page 42).

Multiple clients using the same username/password pair: Multiple clients using the same username/password pair use duplicate instances of the same ACL.

Limits for ACEs in RADIUS-assigned ACLs: The switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related client authentication to fail.

CAUTION:
Effect of other, statically configured ACLs: If port 5 belongs to VLAN "Y" and has a RADIUS-assigned ACL to filter inbound traffic from an authenticated client, and port 5 is also configured with IPv4 and IPv6 static port ACLs, and VLAN "Y" is statically configured with IPv4 and IPv6 ACLs, then IP traffic entering the switch on port B1 from the client and having a match with a deny ACE configured in any of the previously mentioned ACLs is dropped.

Effect of RADIUS-assigned ACLs on inbound traffic for multiple clients on the same port: On a port configured for 802.1X user-based access where multiple clients are connected, if a given client's authentication creates a RADIUS-assigned ACL, then authentication of any other client concurrently using the port must also include a RADIUS-assigned ACL. Thus, if a RADIUS server is configured to assign a RADIUS-assigned ACL when client "X" authenticates, but is not configured to do the same for client "Y" on the same port, then traffic from client "Y" is blocked whenever client "X" is authenticated on the port (and client "Y" is de-authenticated). Thus, if multiple clients are authenticated on a port, a separate RADIUS-assigned ACL (or a separate assignment instance of the same ACL) must be applied for each authenticated client. Inbound IP traffic from any client whose authentication does not create a RADIUS-assigned ACL is blocked and the client is de-authenticated. Also, if 802.1X port-based access is configured on the port, only one client can be authenticated on the port at any given time. In this case, no other inbound client traffic is allowed. For more on this topic, see "Static Port ACL Applications" and "An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, Multiple ACLs on an Interface" in the HP Switch Software Access Security Guide for your switch.
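The sequential first-match evaluation with implicit deny, and the rule that a deny ACE in any of the RADIUS-assigned, static port or VLAN ACLs drops the packet, as an added Python model (constructed for this page, not HP switch code; the ACL contents and addresses are hypothetical):

```python
from ipaddress import ip_address, ip_network

# An ACE is (action, source, destination); "any" matches every address.
IMPLICIT_DENY = ("deny", "any", "any")

def ace_matches(ace, src, dst):
    """True if the packet's source and destination both fit the ACE."""
    _, src_spec, dst_spec = ace
    def hit(spec, addr):
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
    return hit(src_spec, src) and hit(dst_spec, dst)

def evaluate_acl(acl, src, dst):
    """Sequential first-match evaluation from the first ACE to the implicit deny any any."""
    for ace in list(acl) + [IMPLICIT_DENY]:
        if ace_matches(ace, src, dst):
            return ace[0]

def filter_inbound(packet, acls):
    """A packet is forwarded only if every ACL applied to the port permits it.
    acls maps a label to an ACE list; a deny match in any of them drops the packet."""
    src, dst = packet
    for label, acl in acls.items():
        if evaluate_acl(acl, src, dst) == "deny":
            return ("drop", label)
    return ("forward", None)

# Constructed sample ACLs (hypothetical addresses, not from the manual): the
# RADIUS-assigned ACL permits the client's subnet to anywhere, the static port
# ACL blocks that subnet from reaching a server subnet, the VLAN ACL permits all.
RADIUS_ACL = [("permit", "10.1.1.0/24", "any")]
STATIC_PORT_ACL = [("deny", "10.1.1.0/24", "192.168.50.0/24"), ("permit", "any", "any")]
VLAN_ACL = [("permit", "any", "any")]
PORT5_ACLS = {"radius-assigned": RADIUS_ACL,
              "static-port-acl": STATIC_PORT_ACL,
              "vlan-acl": VLAN_ACL}

if __name__ == "__main__":
    for pkt in [("10.1.1.7", "172.16.0.1"),    # permitted by all three ACLs
                ("10.1.1.7", "192.168.50.3"),  # RADIUS permits, static port ACL denies
                ("10.2.2.2", "172.16.0.1")]:   # falls to the RADIUS ACL's implicit deny
        print(pkt, "->", filter_inbound(pkt, PORT5_ACLS))
```

The third packet shows why a RADIUS-assigned ACL must explicitly permit the client's own traffic: anything not matched by an explicit ACE is dropped by the implicit deny even though the other ACLs would allow it.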
Configuring RADIUS server support for switch services
41
