Configuring an ACL in a RADIUS server; Nas-Filter-Rule-Options - HP 2530 Manual Supplement


Configuring an ACL in a RADIUS server

This section provides guidelines for configuring a RADIUS server to specify RADIUS-assigned ACLs,
and includes a sample configuration for a FreeRADIUS server application. To configure
support for these services on a specific RADIUS server application, see the documentation
provided with that application.

NOTE: This feature requires a RADIUS server with an IPv4 address. Clients can be dual-stack,
IPv4-only or IPv6-only.
A RADIUS-assigned ACL configuration in a RADIUS server includes the following elements:
  - Nas-Filter-Rule attributes (standard and vendor-specific)
  - An ACL configuration, entered in the server and associated with specific username/password
    or MAC address criteria, and made up of ACEs entered in the server

A RADIUS-assigned ACL includes:
  - One or more explicit permit or deny ACEs
  - An implicit "deny in ip from any to any" ACE, automatically applied after the last
    operator-created ACE

Nas-Filter-Rule-Options

Table 10 Nas-Filter-Rule Attribute Options

Service: ACLs Applied to Client Traffic Inbound to the Switch
  Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client
  authenticated on a switch port.
Control method and operating notes:
  Standard Attribute: 92
  The preferred attribute for use in RADIUS-assigned ACLs to configure ACEs that filter
  IPv4 and IPv6 traffic.

  Entry for an IPv4-only ACE to filter client traffic:
    Nas-filter-Rule="<permit or deny ACE>"    (Standard Attribute 92)
  For example:
    Nas-filter-Rule="permit in tcp from any to any"

  Entries for an IPv4/IPv6 ACE to filter client traffic:
    HP-Nas-Rules-IPv6=<1 | 2>    (VSA, where 1 = IPv4 and IPv6 traffic, and 2 = IPv4-only traffic)
    Nas-filter-Rule="<permit or deny ACE>"    (Standard Attribute 92)
  For example:
    HP-Nas-Rules-IPv6=1
    Nas-filter-Rule="permit in tcp from any to any"

  Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from
  the client is dropped.

Service: Set IP Mode
  Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering
  capability in an ACE.
Control method and operating notes:
  HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute)
  When using Standard Attribute 92 (described above) in a RADIUS-assigned ACL to support both
  IPv4 and IPv6 traffic inbound from an authenticated client, one instance of this VSA must be
  included in the ACL. This attribute supports either of the following IP modes for
  Nas-filter-Rule ACEs:
    - both IPv6 and IPv4 traffic
    - only IPv4 traffic
  HP vendor-specific ID: 11

Updates for the HP Switch Software Access Security Guide
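The following is an added example, not code from the HP manual or from any RADIUS server product. It packs the two attributes from Table 10, Nas-Filter-Rule (standard attribute 92) and the HP-Nas-Rules-IPv6 VSA (HP vendor ID 11, vendor type 63), into RADIUS attribute TLVs as a server would carry them in an Access-Accept, then decodes them and derives the ACL the switch would apply: the implicit "deny in ip from any to any" is appended, and IPv6 is filtered only when the VSA is present with value 1. The TLV layout follows RFC 2865 (Vendor-Specific is attribute 26). Two points are assumptions rather than statements from the page: each Nas-Filter-Rule attribute carries exactly one ACE, and ACEs follow the "<permit|deny> in <proto> from <src> to <dst>" shape shown in the table, which the validator enforces.

```python
"""Encode and interpret the attributes that carry a RADIUS-assigned ACL.

Added example (not from the HP manual). Assumed: one ACE per
Nas-Filter-Rule attribute; ACE grammar as shown in Table 10.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

NAS_FILTER_RULE = 92        # standard attribute (RFC 4849)
VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific container
HP_VENDOR_ID = 11           # HP enterprise number
HP_NAS_RULES_IPV6 = 63      # vendor type of HP-Nas-Rules-IPv6
IPV4_AND_IPV6, IPV4_ONLY = 1, 2
IMPLICIT_DENY = "deny in ip from any to any"


class Avp(NamedTuple):
    type: int
    vendor_id: Optional[int]    # None for a standard attribute
    vendor_type: Optional[int]
    value: bytes


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value; Length covers the 2-byte header (RFC 2865)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_hp_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id plus a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_avp(VENDOR_SPECIFIC, struct.pack("!I", HP_VENDOR_ID) + inner)


def validate_ace(ace: str) -> str:
    """Reject ACEs that do not follow the documented shape (assumed grammar)."""
    t = ace.split()
    if len(t) < 7 or t[0] not in ("permit", "deny") or t[1] != "in" \
            or t[3] != "from" or t[5] != "to":
        raise ValueError(f"unrecognized ACE syntax: {ace!r}")
    return ace


def encode_radius_acl(aces: List[str], ip_mode: Optional[int] = None) -> bytes:
    """Attributes for one RADIUS-assigned ACL; ip_mode None omits the VSA."""
    out = b""
    if ip_mode is not None:
        if ip_mode not in (IPV4_AND_IPV6, IPV4_ONLY):
            raise ValueError("HP-Nas-Rules-IPv6 must be 1 or 2")
        out += encode_hp_vsa(HP_NAS_RULES_IPV6, struct.pack("!I", ip_mode))
    for ace in aces:
        out += encode_avp(NAS_FILTER_RULE, validate_ace(ace).encode("ascii"))
    return out


def decode_attributes(data: bytes) -> List[Avp]:
    """Walk the TLV sequence, unwrapping Vendor-Specific attributes."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("truncated vendor-specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen != len(value) - 4:
                raise ValueError("vendor length does not match attribute")
            avps.append(Avp(attr_type, vendor_id, vtype, value[6:]))
        else:
            avps.append(Avp(attr_type, None, None, value))
        i += length
    return avps


def effective_acl(data: bytes) -> Tuple[str, List[str]]:
    """Return (IP mode, ACEs) as the switch would apply them: the implicit
    deny is appended, and IPv6 is filtered only when HP-Nas-Rules-IPv6 == 1."""
    ip_mode, aces = None, []
    for avp in decode_attributes(data):
        if avp.vendor_id is None and avp.type == NAS_FILTER_RULE:
            aces.append(validate_ace(avp.value.decode("ascii")))
        elif avp.vendor_id == HP_VENDOR_ID and avp.vendor_type == HP_NAS_RULES_IPV6:
            if ip_mode is not None:   # the table calls for one instance
                raise ValueError("HP-Nas-Rules-IPv6 may appear only once")
            ip_mode = struct.unpack("!I", avp.value)[0]
    # VSA absent or set to 2: IPv6 traffic from the client is dropped.
    mode = "ipv4+ipv6" if ip_mode == IPV4_AND_IPV6 else "ipv4-only"
    return mode, aces + [IMPLICIT_DENY]


if __name__ == "__main__":
    raw = encode_radius_acl(["permit in tcp from any to any"], ip_mode=IPV4_AND_IPV6)
    print(raw.hex())
    print(effective_acl(raw))
```

Running the block encodes the Table 10 example (HP-Nas-Rules-IPv6=1 plus one permit ACE) as 43 bytes: a 12-byte Vendor-Specific attribute followed by a 31-byte Nas-Filter-Rule. Dropping the ip_mode argument reproduces the case the note warns about: the decoder reports "ipv4-only" and the client's IPv6 traffic would be dropped even though the ACE itself says "permit".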
