Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 2943

For ex series ethernet switches

Configuring Match Statements on the RADIUS Server
Copyright © 2010, Juniper Networks, Inc.
Chapter 89: Configuring Access Control

You can configure simple filter conditions using the Juniper-Switching-Filter attribute in
the Juniper dictionary on the RADIUS server. These filters are then sent to a switch
whenever a new user is authenticated successfully. The filters are created and applied
on all EX Series switches that authenticate users through that RADIUS server without
the need to configure anything on each individual switch.

To configure the Juniper-Switching-Filter attribute, enter one or more match conditions
and a resulting action using the CLI for the RADIUS server. Enter the match statement
plus an action statement enclosed within quotes (" ") using the following syntax:

    match <destination-mac mac-address> <source-vlan vlan-name> <source-dot1q-tag tag> <destination-ip ip-address> <ip-protocol protocol-id> <source-port port> <destination-port port>
    }
    action [allow | deny] <forwarding-class class-of-service> <loss-priority (low | medium | high)>
    }

See "VSA Match Conditions and Actions" on page 2846 for definitions of match statement
options.

To configure match conditions on the RADIUS server:

1. Verify that the Juniper dictionary is loaded on your RADIUS server and includes the
filtering attribute Juniper-Switching-Filter, attribute ID 48:

    [root@freeradius]# cat /usr/local/share/freeradius/dictionary.juniper
    # dictionary.juniper
    #
    # Version: $Id: dictionary.juniper,v 1.2.6.1 2005/11/30 22:17:25 aland Exp $
    #
    VENDOR Juniper 2636
    BEGIN-VENDOR Juniper
    ATTRIBUTE Juniper-Local-User-Name 1 string
    ATTRIBUTE Juniper-Allow-Commands 2 string
    ATTRIBUTE Juniper-Deny-Commands 3 string
    ATTRIBUTE Juniper-Allow-Configuration 4 string
    ATTRIBUTE Juniper-Deny-Configuration 5 string
    ATTRIBUTE Juniper-Switching-Filter 48 string <—

2. Enter the match conditions and actions. For example:

To deny authentication based on the 802.1Q tag (here, the 802.1Q tag is 10):

    [root@freeradius]# cd /usr/local/etc/raddb
    vi users

For each relevant user, add the Juniper-Switching-Filter attribute:

    Juniper-Switching-Filter = "match source-dot1q-tag 10 action deny"
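
A lint for the filter syntax above, added here as an example (it is not from the Juniper manual or from FreeRADIUS): it parses each quoted Juniper-Switching-Filter value in a users file against the keywords shown on this page, so a mistyped keyword is caught before the entry is served to every switch that authenticates through the server. It assumes each keyword takes a single whitespace-free value; the function names and the sample entries are made up for the example.

```python
import re

# Keywords from this page's syntax; assumed: each takes one whitespace-free value.
MATCH_KEYS = {"destination-mac", "source-vlan", "source-dot1q-tag", "destination-ip",
              "ip-protocol", "source-port", "destination-port"}
ACTION_OPTS = {"forwarding-class": None, "loss-priority": {"low", "medium", "high"}}
ATTR_RE = re.compile(r'Juniper-Switching-Filter\s*[:+]?=\s*"([^"]*)"')

def parse_filter(value):
    """Split one filter string into (match, action) dicts; ValueError if malformed."""
    m = re.fullmatch(r"match\s+(.+?)\s+action\s+(.+)", value.strip())
    if not m:
        raise ValueError("expected: match <conditions> action <allow|deny>")
    conds, act = m.group(1).split(), m.group(2).split()
    keys = conds[::2]
    bad = [k for k in keys if k not in MATCH_KEYS or keys.count(k) > 1]
    if len(conds) % 2 or bad:
        raise ValueError(f"bad match conditions: {bad or 'odd token count'}")
    match = dict(zip(keys, conds[1::2]))
    if act[0] not in ("allow", "deny") or len(act) % 2 == 0:
        raise ValueError("action must be allow or deny, then option/value pairs")
    opts = dict(zip(act[1::2], act[2::2]))
    for key, val in opts.items():
        if key not in ACTION_OPTS or val not in (ACTION_OPTS[key] or {val}):
            raise ValueError(f"bad action option: {key} {val}")
    return match, {"action": act[0], **opts}

def lint_users(text):
    """Return [(line_number, error)] for each quoted filter that fails to parse."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith("#") and (m := ATTR_RE.search(line)):
            try:
                parse_filter(m.group(1))
            except ValueError as err:
                problems.append((n, str(err)))
    return problems

# Constructed sample of a FreeRADIUS users file; names and passwords are made up.
SAMPLE_USERS = '''\
alice Cleartext-Password := "example"
    Juniper-Switching-Filter = "match source-dot1q-tag 10 action deny"
bob Cleartext-Password := "example"
    Juniper-Switching-Filter = "match ip-protocol 6 action allow loss-priority urgent"
carol Cleartext-Password := "example"
    Juniper-Switching-Filter = "match source-dot1qtag 10 action deny"
'''
for line_no, err in lint_users(SAMPLE_USERS):
    print(f"users:{line_no}: {err}")
```

lint_users returns (line number, error) pairs for the text of a users file; an empty list means every quoted filter parsed.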
