Nas-Filter-Rule-Options - HP ProCurve 2910al Access Security Manual

Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
Table 6-4. Nas-Filter-Rule Attribute Options

| Service | Control Method and Operating Notes |
|---|---|
| ACLs Applied to Client Traffic Inbound to the Switch. Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port. | Standard Attribute: 92. This is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 traffic. Entry for IPv4-Only ACE To Filter Client Traffic: Nas-filter-Rule = "< permit or deny ACE >" (Standard Attribute 92). For example: Nas-filter-Rule="permit in tcp from any to any" |
| ACLs Applied to Client Traffic Inbound to the Switch. Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port. | HP-Nas-Filter-Rule (Vendor-Specific Attribute): 61. This attribute is maintained for legacy purposes to support ACEs in RADIUS-assigned ACLs. However, for new or updated configurations HP recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here. HP (ProCurve) vendor-specific ID: 11. VSA: 61 (string = HP-Nas-Filter-Rule). Setting: HP-Nas-filter-Rule = "< permit or deny ACE >" |

Elements in a RADIUS-assigned ACL Configuration. A RADIUS-assigned ACL configuration in a RADIUS server has the following elements:

- vendor and ACL identifiers:
  - ProCurve (HP) Vendor-Specific ID: 11
  - Vendor-Specific Attribute for ACLs: 61 (string = HP-IP-FILTER-RAW)
  - Setting: HP-IP-FILTER-RAW = < "permit" or "deny" ACE >

  (Note that the "string" value and the "Setting" specifier are identical.)
- ACL configuration, including:
  - one or more explicit "permit" and/or "deny" ACEs created by the system operator
  - implicit deny any any ACE automatically active after the last operator-created ACE
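To show how the two options in Table 6-4 differ on the wire, the following added example (not code from the HP manual) encodes an ACE as standard attribute 92 and as the legacy HP VSA (vendor ID 11, type 61), then decodes an attribute stream back into the ordered ACE list with the implicit deny appended. The TLV layout is the RFC 2865 attribute format; the function names, the one-ACE-per-attribute assumption and the sample input are constructed for illustration.

```python
import struct

NAS_FILTER_RULE = 92     # standard attribute from Table 6-4
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific container
HP_VENDOR_ID = 11        # HP (ProCurve) vendor-specific ID
HP_NAS_FILTER_RULE = 61  # legacy HP VSA type from Table 6-4

def _ace_bytes(ace, limit):
    """Validate one ACE string (assumption: one ACE per attribute)."""
    if ace.split(" ", 1)[0] not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny: %r" % ace)
    data = ace.encode("ascii")
    if len(data) > limit:
        raise ValueError("ACE too long for one RADIUS attribute")
    return data

def encode_standard(ace):
    """Layout: type 92, length, ACE text."""
    data = _ace_bytes(ace, 253)
    return struct.pack("!BB", NAS_FILTER_RULE, 2 + len(data)) + data

def encode_hp_vsa(ace):
    """Layout: type 26, length, vendor ID 11, vendor type 61, length, ACE text."""
    data = _ace_bytes(ace, 247)
    sub = struct.pack("!BB", HP_NAS_FILTER_RULE, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), HP_VENDOR_ID) + sub

def decode_acl(attrs):
    """Return (source, ACE) pairs in order, ending with the implicit deny."""
    aces, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if atype == NAS_FILTER_RULE:
            aces.append(("standard-92", value.decode("ascii")))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (HP_VENDOR_ID, HP_NAS_FILTER_RULE):
                aces.append(("hp-vsa-61", value[6:4 + vlen].decode("ascii")))
        i += attrs[i + 1]
    return aces + [("implicit", "deny any any")]

if __name__ == "__main__":
    # Constructed sample: the page's example ACE in both encodings.
    ace = "permit in tcp from any to any"
    stream = encode_standard(ace) + encode_hp_vsa(ace)
    for source, rule in decode_acl(stream):
        print(source, rule)
```

Running the decoder over the attributes of a captured Access-Accept shows which of the two encodings the RADIUS server actually sends and in what order the ACEs will be evaluated.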
