Ace Syntax In Radius Servers - HP 3500yl Series Access Security Manual

Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists

ACE Syntax in RADIUS Servers

This section describes ACE syntax configuration options in a RADIUS server.

ACE Syntax (Standard Attribute-92):
Nas-filter-Rule="< permit | deny > in < ip | ip-protocol-value > from any to < any | host < ip-addr > | ipv4-addr/mask | IPv6-address/prefix > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt ]"

IPv6 VSA for Standard Attribute:
[ HP-Nas-Rules-IPv6=< 1 | 2 >]
(For an example of how to apply this VSA, refer to figure 7-8 on page 7-32.)

ACE Syntax (Legacy VSA-61):
HP-Nas-filter-Rule="< permit | deny > in < ip | ip-protocol-value > from any to < any | host < ip-addr > | ipv4-addr/mask > [ < tcp/udp-port | tcp/udp-port range > | icmp-type ] [cnt ]"

Nas-filter-Rule =: Standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without the HP VSA option (below) for filtering inbound IPv6 traffic from the client, it drops the IPv6 traffic. Refer also to table 7-7, "Nas-Filter-Rule Attribute Options" on page 7-24.

[ HP-Nas-Rules-IPv6=< 1 | 2 >]: HP VSA used in an ACL intended to filter IPv6 traffic. Settings include:
– 1: ACE filters both IPv4 and IPv6 traffic.
– 2: ACE filters IPv4 traffic and drops IPv6 traffic.
– VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.
This VSA must be present in an ACL where the Nas-filter-Rule= attribute is intended to filter inbound IPv6 traffic from an authenticated client. Refer also to table 7-7, "Nas-Filter-Rule Attribute Options" on page 7-24.

HP-Nas-filter-Rule =: Legacy HP VSA for filtering inbound IPv4 traffic only from an authenticated client. Drops inbound IPv6 traffic from the client. Refer also to table 7-7, "Nas-Filter-Rule Attribute Options" on page 7-24.

" . . . ": Must be used to enclose, and identifies, a complete permit or deny ACE syntax statement. For example:
Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"

< permit | deny >: Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For information on explicitly permitting or denying all inbound IP traffic from an authenticated client, or for implicitly denying all such IP traffic not already permitted or denied, refer to "Configuration Notes" on page 7-35.)

in: Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.

< ip | ip-protocol-value >: Options for specifying the type of traffic to filter.
ip: Applies the ACE to all IP traffic from the authenticated client.
ip-protocol-value: This option applies the ACE to the type of IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4-only) igmp. The range of protocol numbers is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing, refer to "Protocol Registries" on the Web site of the Internet Assigned Numbers Authority at www.iana.com.) Some examples of protocol numbers include:
1 = ICMP
2 = IGMP (IPv4 only)
6 = TCP
17 = UDP
41 = IPv6
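As an added example (not HP's code or the switch's actual matching logic), the following parses ACEs written in the Nas-filter-Rule grammar above and applies them first-match to a described inbound flow, including the IPv6 behaviour tied to HP-Nas-Rules-IPv6. It assumes a port or ICMP-type range is written "lo-hi" and that traffic matching no ACE is implicitly denied; both are assumptions, not statements from the manual.

```python
import ipaddress

# Added example (not HP code): parse and evaluate Nas-filter-Rule ACEs in the grammar
# this page documents. Assumed: ranges are "lo-hi"; unmatched traffic is implicitly denied.
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "igmp": 2}  # None: all IP

def parse_ace(ace):
    """Parse one quoted ACE such as '"deny in tcp from any to 0.0.0.0/0 23"'."""
    body = ace.strip()
    if len(body) < 2 or body[0] != '"' or body[-1] != '"':
        raise ValueError("ACE must be enclosed in double quotes")
    tok = body[1:-1].split()
    if (len(tok) < 7 or tok[0] not in ("permit", "deny") or tok[1] != "in"
            or tok[3:6] != ["from", "any", "to"]):
        raise ValueError(f"malformed ACE: {ace}")
    proto = tok[2]
    if proto not in PROTO_NUMBERS and not (proto.isdigit() and int(proto) <= 255):
        raise ValueError(f"protocol must be a keyword or 0-255, got {proto!r}")
    i = 6
    if tok[i] == "host":                        # host < ip-addr >
        dst, i = ipaddress.ip_network(tok[i + 1]), i + 2
    elif tok[i] == "any":
        dst, i = None, i + 1
    else:                                       # ipv4-addr/mask or IPv6-address/prefix
        dst, i = ipaddress.ip_network(tok[i], strict=False), i + 1
    rest = tok[i:]
    cnt = bool(rest) and rest[-1] == "cnt"      # optional hit-counter flag
    rest = rest[:-1] if cnt else rest
    sel = None
    if rest:                                    # tcp/udp port, "lo-hi" range, or icmp-type
        lo, _, hi = rest[0].partition("-")
        sel = range(int(lo), int(hi or lo) + 1)
    return {"action": tok[0], "dst": dst, "sel": sel, "cnt": cnt,
            "proto": PROTO_NUMBERS[proto] if proto in PROTO_NUMBERS else int(proto)}

def evaluate(acl, pkt, ipv6_rules=None):
    """First-match decision for pkt like {"proto": 6, "dst": "10.1.1.1", "port": 23}."""
    dst = ipaddress.ip_address(pkt["dst"])
    if dst.version == 6 and ipv6_rules != 1:    # HP-Nas-Rules-IPv6 absent or 2: drop IPv6
        return "deny"
    for ace in map(parse_ace, acl):
        if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
            continue
        if ace["dst"] is not None and dst not in ace["dst"]:
            continue
        if ace["sel"] is not None and pkt.get("port") not in ace["sel"]:
            continue
        return ace["action"]
    return "deny"                               # assumed implicit deny
```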
