Chapter 13 | Security Measures
Network Access (MAC Address Authentication)
authenticated. On the RADIUS server, PAP user names and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
◆ When port status changes to down, all MAC addresses mapped to that port are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list to be applied to the switch port. The following attributes need to be configured on the RADIUS server.
  ■ Tunnel-Type = VLAN
  ■ Tunnel-Medium-Type = 802
  ■ Tunnel-Private-Group-ID = 1u,2t
The VLAN identifier list is carried in the RADIUS "Tunnel-Private-Group-ID" attribute. The VLAN list can contain multiple VLAN identifiers in the format "1u,2t,3u" where "u" indicates an untagged VLAN and "t" a tagged VLAN.
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user. The "Filter-ID" attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:
Table 19: Dynamic QoS Profiles

Profile      Attribute Syntax                     Example
DiffServ     service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit   rate-limit-input=rate                rate-limit-input=100 (Kbps)
             rate-limit-output=rate               rate-limit-output=200 (Kbps)
802.1p       switchport-priority-default=value    switchport-priority-default=2
IP ACL       ip-access-group-in=ip-acl-name       ip-access-group-in=ipv4acl
IPv6 ACL     ipv6-access-group-in=ipv6-acl-name   ipv6-access-group-in=ipv6acl
MAC ACL      mac-access-group-in=mac-acl-name     mac-access-group-in=macAcl

◆ Multiple profiles can be specified in the Filter-ID attribute by using a semicolon to separate each profile. For example, the attribute "service-policy-in=pp1;rate-limit-input=100" specifies that the diffserv profile name is "pp1," and the ingress rate limit profile value is 100 kbps.
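The following Python is an added example, not code from the switch manual or its vendor: it normalizes a MAC address into the upper-case XX-XX-XX-XX-XX-XX user name form the switch sends to RADIUS, parses the Tunnel-Private-Group-ID VLAN list ("1u,2t,3u"), and validates a semicolon-separated Filter-ID value against the profile keys in Table 19, so mistyped entries on the RADIUS server are caught before a client is authenticated with the wrong VLAN or QoS policy. The 1-4094 VLAN range check and the numeric check on rate and priority values are assumptions, not stated in the manual.

```python
import re

# Profile keys accepted in the Filter-ID attribute (Table 19, Dynamic QoS Profiles).
QOS_KEYS = {
    "service-policy-in", "rate-limit-input", "rate-limit-output",
    "switchport-priority-default", "ip-access-group-in",
    "ipv6-access-group-in", "mac-access-group-in",
}

def mac_to_radius_username(mac):
    """Normalize a MAC written as 00:1a:2b:3c:4d:5e, 001A.2B3C.4D5E, etc. into the
    upper-case XX-XX-XX-XX-XX-XX form used as the PAP user name and password."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_vlan_list(group_id):
    """Parse a Tunnel-Private-Group-ID value such as "1u,2t,3u" into
    (untagged, tagged) VLAN ID lists. Each entry is <vid>u or <vid>t;
    the 1-4094 range limit is an assumption of this example."""
    untagged, tagged = [], []
    for item in group_id.split(","):
        m = re.fullmatch(r"([1-9]\d{0,3})([ut])", item.strip())
        if not m or not 1 <= int(m.group(1)) <= 4094:
            raise ValueError(f"bad VLAN entry: {item!r}")
        (untagged if m.group(2) == "u" else tagged).append(int(m.group(1)))
    return untagged, tagged

def parse_filter_id(filter_id):
    """Split a Filter-ID value into {profile-key: value}. Profiles are
    separated by ';'. Unknown keys, empty values, duplicate keys and
    non-numeric rate/priority values are rejected (numeric check assumed)."""
    profiles = {}
    for part in filter_id.split(";"):
        key, sep, value = part.strip().partition("=")
        if not sep or key not in QOS_KEYS or not value:
            raise ValueError(f"bad profile: {part!r}")
        if key.startswith("rate-limit-") or key == "switchport-priority-default":
            if not value.isdigit():
                raise ValueError(f"numeric value expected: {part!r}")
            value = int(value)
        if key in profiles:
            raise ValueError(f"duplicate profile: {key}")
        profiles[key] = value
    return profiles
```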