HP 3500yl Series Access Security Manual page 438

IPv4 Access Control Lists (ACLs)
Overview
802.1X User-Based and Port-Based Applications. User-Based 802.1X access control allows up to 32 individually authenticated clients on a given port. Port-Based access control does not set a client limit, and requires only one authenticated client to open a given port (and is recommended for applications where only one client at a time can connect to the port).

If you configure 802.1X user-based security on a port and the RADIUS response includes a RADIUS-assigned ACL for at least one authenticated client, then the RADIUS response for all other clients authenticated on the port must also include a RADIUS-assigned ACL. Inbound IP traffic on the port from a client that authenticates without receiving a RADIUS-assigned ACL will be dropped and the client will be de-authenticated.

Using 802.1X port-based security on a port where the RADIUS response to a client authenticating includes a RADIUS-assigned ACL, different results can occur, depending on whether any additional clients attempt to use the port and whether these other clients initiate an authentication attempt. This option is recommended for applications where only one client at a time can connect to the port, and not recommended for instances where multiple clients may access the same port at the same time. For more information, refer to "802.1X Port-Based Access Control" in the chapter titled "Configuring Port-Based and User-Based Access Control (802.1X)" in the latest Access Security Guide for your switch.

Operating Notes.

For RADIUS ACL applications using software release K.14.01 or greater, the switch operates in a dual-stack mode, and a RADIUS-assigned ACL can filter both IPv4 and IPv6 traffic. At a minimum, a RADIUS-assigned ACL automatically includes the implicit deny for both IPv4 and IPv6 traffic. Thus, an ACL configured on a RADIUS server to filter IPv4 traffic will also deny inbound IPv6 traffic from an authenticated client unless the ACL includes ACEs that permit the desired IPv6 traffic. The reverse is true for a dynamic ACL configured on a RADIUS server to filter IPv6 traffic. (ACLs are based on the MAC address of the authenticating client.) Refer to chapter 7, "Configuring RADIUS Server Support for Switch Services".

To support authentication of IPv6 clients:
The VLAN to which the port belongs must be configured with an IPv6 address.
Connection to an IPv6-capable RADIUS server must be supported.
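
The two rules above (the all-or-none ACL requirement on user-based ports, and the dual-stack implicit deny) can be checked against planned RADIUS assignments before rollout. The script below is an added example, not part of the HP manual or switch software; the session records, ACL names and the (action, family) ACE representation are constructed for illustration and are not the switch's or the RADIUS server's own syntax.

```python
from collections import defaultdict

# Constructed sample data: (port, 802.1X mode, client MAC, assigned ACL or None)
SESSIONS = [
    ("A1", "user-based", "00:11:22:33:44:01", "acl-staff"),
    ("A1", "user-based", "00:11:22:33:44:02", None),
    ("A2", "user-based", "00:11:22:33:44:03", None),
    ("A3", "port-based", "00:11:22:33:44:04", "acl-v4-only"),
]

# Constructed ACLs as (action, ip_family) ACEs. The implicit deny that the
# switch appends for both IPv4 and IPv6 is deliberately not listed here.
ACLS = {
    "acl-staff": [("permit", "ipv4"), ("permit", "ipv6")],
    "acl-v4-only": [("permit", "ipv4"), ("deny", "ipv4")],
}


def audit_ports(sessions):
    """Find clients on user-based ports that break the all-or-none ACL rule."""
    by_port = defaultdict(list)
    for port, mode, mac, acl in sessions:
        if mode == "user-based":
            by_port[port].append((mac, acl))
    findings = []
    for port, clients in sorted(by_port.items()):
        # Once one client on the port has a RADIUS-assigned ACL, any client
        # without one has its inbound IP traffic dropped and is de-authenticated.
        if any(acl is not None for _, acl in clients):
            for mac, acl in clients:
                if acl is None:
                    findings.append((port, "will-be-deauthenticated", mac))
    return findings


def families_blocked(aces):
    """IP families with no permit ACE; the implicit deny drops all their traffic."""
    permitted = {family for action, family in aces if action == "permit"}
    return sorted({"ipv4", "ipv6"} - permitted)


if __name__ == "__main__":
    for finding in audit_ports(SESSIONS):
        print(finding)
    for name, aces in ACLS.items():
        print(name, "blocks all traffic for:", families_blocked(aces))
```

Port A2 produces no finding because no client on it has an ACL; the dual-stack check applies only to switches running K.14.01 or greater.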
