HP ProCurve 6400cl Series Access Security Manual page 166

RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
clients from using TCP or UDP applications (such as Telnet, SSH, Web browser, and SNMP) if you do not want their access privileges to include these capabilities.

A RADIUS-assigned ACL filters all inbound IP traffic from an authenticated client on a port, regardless of whether the traffic is to be switched or routed. (VLAN-based ACLs configurable on 5300xl switches filter only routed traffic and traffic with a destination address—DA—on the switch itself.)

ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.

Note: The ACLs described in this section do not screen non-IP traffic such as AppleTalk and IPX.

Table 6-2, below, highlights several key differences between the static ACLs configurable on 5300xl switch VLANs and the dynamic ACLs that can be assigned to individual ports by a RADIUS server.

Table 6-2. Contrasting Dynamic and Static ACLs

VLAN-Based (Static) ACLs: Configured in the switch itself.
RADIUS-Based (Dynamic) ACLs: Configured in client accounts on a RADIUS server.

VLAN-Based (Static) ACLs: Designed for general use where the filtering needs for traffic to or from connected devices are predictable and largely static.
RADIUS-Based (Dynamic) ACLs: Designed for use on the edge of the network where filtering of inbound traffic is most important and where clients with differing access requirements are likely to use the same port at different times.

VLAN-Based (Static) ACLs: Client authentication not a factor.
RADIUS-Based (Dynamic) ACLs: Implementation requires client authentication.

VLAN-Based (Static) ACLs: Identified by a number in the range of 1-199 or an alphanumeric name.
RADIUS-Based (Dynamic) ACLs: Identified by the credentials (username/password pair or the MAC address) of the specific client the ACL is intended to service.

VLAN-Based (Static) ACLs: Supports static assignments to filter either inbound or outbound for all ports in the assigned VLAN, routed IP traffic, and inbound IP traffic having a DA on the switch itself.
RADIUS-Based (Dynamic) ACLs: Supports dynamic assignment to filter only the inbound IP traffic from an authenticated client on the port to which the client is connected. (Traffic can be routed or switched, and includes traffic having a DA on the switch itself.)

VLAN-Based (Static) ACLs: Remains statically assigned to the VLAN unless removed by a no vlan < vid > ip access-group CLI command.
RADIUS-Based (Dynamic) ACLs: When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port.

VLAN-Based (Static) ACLs: Supports one inbound ACL and one outbound ACL per VLAN.
RADIUS-Based (Dynamic) ACLs: Supports a maximum of two RADIUS-based ACLs on a port. (Each ACL supports one authenticated client.)

6-26
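The following model, added here as an illustration and not part of the HP manual, captures the dynamic-ACL behaviour Table 6-2 describes: an ACL is bound to one authenticated client, at most two such ACLs share a port, only inbound IP traffic is screened (non-IP such as IPX passes), and the ACL disappears when the session ends. The `Ace`/`Port` classes, the `MGMT_BLOCK_ACL` sample and the implicit deny at the end of an ACL are assumptions for the example, not switch or RADIUS syntax.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RADIUS_ACLS_PER_PORT = 2  # Table 6-2: at most two RADIUS-based ACLs per port


@dataclass(frozen=True)
class Ace:
    """One access-control entry (hypothetical shape): action, IP protocol, optional dst port."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (matches any IP protocol)
    dst_port: Optional[int] = None


class Port:
    """Models one edge port carrying RADIUS-assigned (dynamic) ACLs."""

    def __init__(self) -> None:
        # client identity (username or MAC) -> ACL returned by the RADIUS server
        self.acls: Dict[str, List[Ace]] = {}

    def client_authenticated(self, client: str, acl: List[Ace]) -> None:
        """Apply the ACL held in the client's RADIUS account; each ACL serves one client."""
        if client not in self.acls and len(self.acls) >= MAX_RADIUS_ACLS_PER_PORT:
            raise RuntimeError("port already serves two RADIUS-based ACLs")
        self.acls[client] = acl

    def session_ended(self, client: str) -> None:
        """The switch removes the RADIUS-assigned ACL when the client session ends."""
        self.acls.pop(client, None)

    def inbound_permitted(self, client: str, ethertype: str,
                          proto: str = "ip", dst_port: Optional[int] = None) -> bool:
        """Decide whether an inbound frame from `client` passes its dynamic ACL."""
        acl = self.acls.get(client)
        if acl is None:
            return True           # no dynamic ACL on this port for that client
        if ethertype != "ip":
            return True           # non-IP traffic (AppleTalk, IPX) is not screened
        for ace in acl:           # first matching entry decides
            if ace.proto in ("ip", proto) and ace.dst_port in (None, dst_port):
                return ace.action == "permit"
        return False              # implicit deny at the end of the ACL (assumed)


# Constructed sample ACL: block Telnet (23) and SSH (22) from the client, allow other IP.
MGMT_BLOCK_ACL = [Ace("deny", "tcp", 23), Ace("deny", "tcp", 22), Ace("permit", "ip")]


def demo() -> Dict[str, bool]:
    """Walk one client through authentication, filtering and session end."""
    port = Port()
    port.client_authenticated("alice", MGMT_BLOCK_ACL)
    out = {"alice_telnet": port.inbound_permitted("alice", "ip", "tcp", 23),
           "alice_http": port.inbound_permitted("alice", "ip", "tcp", 80),
           "alice_ipx": port.inbound_permitted("alice", "ipx")}
    port.session_ended("alice")
    out["alice_acl_removed"] = "alice" not in port.acls
    return out
```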