Acl Assignment; Redirect Url Assignment - HPE FlexNetwork 10500 Series Security Configuration Manual


Table 14 VSI manipulation

| Authentication status | VSI manipulation |
|---|---|
| A user fails MAC authentication because all the RADIUS servers are unreachable. | The VTEP maps the MAC address and the access VLAN of the user to the MAC authentication critical VSI. The user is still in the MAC authentication critical VSI if the user fails MAC reauthentication because all the RADIUS servers are unreachable. If no MAC authentication critical VSI is configured, the VTEP logs off the user. |
| A user in the MAC authentication critical VSI fails MAC authentication for any reason other than server unreachable. | If a guest VSI has been configured, the VTEP maps the MAC address of the user to the guest VSI. If no guest VSI is configured, the VTEP logs off the user. |
| A user in the MAC authentication critical VSI passes MAC authentication. | The VTEP remaps the MAC address of the user to the authorization VSI assigned by the authentication server. |

ACL assignment

You can specify an authorization ACL in the user account of a MAC authentication user to control
the user's access to network resources. After the user passes MAC authentication, the
authentication server (local or remote) assigns the authorization ACL to the access port of the user,
and the ACL filters traffic for this user. For ACL assignment to work, you must configure the ACL
rules for the authorization ACL on the access device.

After receiving an ACL from the server, the device checks the following parameters defined in the
ACL rules:
- Source MAC address.
- Source IP address.
- Destination IP address.
- Protocol type.
- Ethernet type.
- Source port.
- Destination port.
- DSCP priority.

For more information about these parameters, see ACL and QoS Command Reference.

If the specified ACL contains ACL rules matching source MAC addresses, make sure the source
MAC addresses cover the MAC address of the user. This setting ensures a successful ACL
assignment.

To change the access control criteria for the user, you can use one of the following methods:
- Modify ACL rules on the access device.
- Specify another authorization ACL on the authentication server.

For more information about ACLs, see ACL and QoS Configuration Guide.

Redirect URL assignment

The device supports the URL attribute assigned by a RADIUS server. During MAC authentication,
the HTTP or HTTPS requests of a user are redirected to the Web interface specified by the
server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server
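The two ACL assignment prerequisites above (the authorization ACL must be configured on the access device, and any source-MAC rules must cover the user's own MAC address) can be checked before accounts go live. The following is an added example, not taken from the HPE manual. It assumes rule text modelled on Comware Layer 2 ACL syntax, that a mask bit of 1 means the address bit must match, and that a user is covered when at least one source-MAC rule matches; all ACL numbers, rules and MAC addresses are constructed samples.

```python
import re

# Assumed rule text, modelled on Comware Layer 2 ACL syntax:
#   rule <id> permit|deny ... source-mac <H-H-H address> <H-H-H mask>
# Assumption: a mask bit of 1 means that address bit must match.
SRC_MAC = re.compile(r"source-mac\s+([0-9a-f-]+)\s+([0-9a-f-]+)", re.I)


def mac_to_int(mac):
    """Convert H-H-H, hyphen or colon separated MAC text to a 48-bit integer."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def acl_covers_user(rules, user_mac):
    """True when the ACL has no source-MAC rules, or one of them covers user_mac."""
    user = mac_to_int(user_mac)
    pairs = [(mac_to_int(h.group(1)), mac_to_int(h.group(2)))
             for h in map(SRC_MAC.search, rules) if h]
    return not pairs or any((user & mask) == (addr & mask) for addr, mask in pairs)


def uncovered_users(acls, accounts):
    """List (user MAC, ACL number) where the authorization ACL is missing on
    the device or its source-MAC rules do not cover the user's own MAC."""
    problems = []
    for user_mac, acl_number in accounts.items():
        rules = acls.get(acl_number)
        if rules is None or not acl_covers_user(rules, user_mac):
            problems.append((user_mac, acl_number))
    return problems


# Constructed sample data: ACLs on the device and per-user authorization ACLs.
DEVICE_ACLS = {
    4000: ["rule 0 permit source-mac 0011-2233-4400 ffff-ffff-ff00"],
    3000: ["rule 0 permit ip destination 192.0.2.10 0"],
}
USER_ACCOUNTS = {
    "00-11-22-33-44-55": 4000,  # inside the masked range
    "00-11-22-33-45-01": 4000,  # outside the masked range
    "00-aa-bb-cc-dd-ee": 3000,  # ACL has no source-MAC rule
    "00-aa-bb-cc-dd-ff": 3001,  # ACL not configured on the device
}

if __name__ == "__main__":
    for mac, acl in uncovered_users(DEVICE_ACLS, USER_ACCOUNTS):
        print(f"user {mac}: ACL {acl} is missing or does not cover this MAC")
```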
