HP ProCurve 6400cl Series Access Security Manual page 172
Hide thumbs
Also See for ProCurve 6400cl Series:
- Management and configuration manual (508 pages) ,
- Installation and getting started manual (84 pages) ,
- Management manual (664 pages)
Table of Contents
Advertisement
RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
Note
1
Permit in ip from any to 11.11.11.42
2
Permit in tcp from any to 11.11.11.101 23
3
Deny in tcp from any to 11.11.11.0/24 23
4
Permit in tcp from any to 11.11.11.1/24 80
(
implicit deny in ip any to any
5
1.
Permits inbound IP traffic from the authenticated cl ent to the
destination address 11.11.11.42. Packets matching this criterion
are forwarded and are not compared to any later ACE in the list.
Packets not matching this criter
entry n the list.
i
2.
Permits nbound Telnet traffic from the authenticated client to
i
the destination address 11.11.11.101. Packets matching this
criterion are forwarded and are not compared to any later ACE
in the list. Packets not matching this criterion will be compared
to the next entry in the list.
3.
Denies nbound Telnet traffic from the authenticated client to
i
any IP address in the 11.11.11.0 network. Since packets
matching entry "2" wil never reach this ACE, the Telnet traffic
l
permitted by entry "2" will not be affected. Packets matching
this criterion will be denied and wil not be compared to any
later criteria in the st. Packets not matching this criterion will
li
be compared to the next entry in the l
Figure 6-12. Example of How a RADIUS-Based ACL Filters Packets
6-32
The order in which an ACE occurs in an ACL is significant. For example, if an
ACL contains six ACEs, but the first ACE is a "permit IP any", then the ACL
permits all IP traffic, and the remaining ACEs in the list do not apply, even if
they specify criteria that would make a match with any of the traffic permitted
by the first ACE.
For example, suppose you want to configure a RADIUS-based ACL to invoke
these policies in the 11.11.11.0 network:
1. Permit inbound client traffic with a DA of 11.11.11.42.
2. Permit inbound Telnet traffic for DA 11.11.11.101.
3. Deny inbound Telnet traffic for all other IP addresses in the 11.11.11.0
network.
4. Permit inbound HTTP traffic for any IP address in the 11.11.11.0 network.
5. Deny all other inbound traffic.
The following ACL model, when invoked by a client authenticating with the
credentials configured in the RADIUS server for this ACL, supports the above
case:
i
ion will
be compared to the next
l
ist.
)
4.
Permits inbound HTTP traffic from the authenticated c ent to
any address in the 11.11.11.1 network. Packets match ng this
criterion are permitted and are not compared to any later
criteria n the list. Packets not match ng this cr terion are
i
compared to the next entry in the l
5. This entry does not appear in an actua ACL, but is implic t as
the last entry n every ACL. Any inbound traffic from the
i
authenticated client that does not match any of the cr teria in
the ACL's preceding ACE entries wil be denied (dropped).
li
i
i
i
ist.
l
i
i
l
Advertisement
Table of Contents
