Overview Of Radius-Assigned, Dynamic Acls - HP ProCurve 6120G/XG Manual

HP ProCurve Series 6120 Blade Switches Access Security Guide

Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists

Overview of RADIUS-Assigned, Dynamic ACLs

RADIUS-assigned ACLs enhance network and switch management access
security and traffic control by permitting or denying authenticated client
access to specific network resources and to the switch management interface.
This includes preventing clients from using TCP or UDP applications (such as
Telnet, SSH, Web browser, and SNMP) if you do not want their access
privileges to include these capabilities.

This feature is designed for use on the network edge to accept
RADIUS-assigned, per-port ACLs for Layer-3 filtering of IP traffic entering
the switch from authenticated clients. A given RADIUS-assigned ACL is
identified by a unique username/password pair or client MAC address, and
applies only to IP traffic entering the switch from clients that authenticate
with the unique credentials. The switch allows multiple RADIUS-assigned ACLs
on a given port, up to the maximum number of authenticated clients allowed on
the port.

A RADIUS-assigned ACL filters IP traffic entering the switch from the client
whose authentication initiated the ACL assignment. Filtering criteria are
based on destination and/or IP traffic type (such as TCP and UDP traffic) and
traffic counter options. Implementing the feature requires:

- RADIUS authentication using the 802.1X, Web authentication, or MAC
  authentication services available on the switch to provide client
  authentication services
- configuring the ACLs on the RADIUS server (instead of the switch), and
  assigning each ACL to the username/password pair or MAC address of the
  clients you want the ACLs to support

Using RADIUS to dynamically apply per-port ACLs to edge ports enables the
switch to filter IP traffic coming from outside the network, thus removing
unwanted IP traffic as soon as possible and helping to improve system
performance.
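
The per-client behaviour described above, modelled in Python as an added example (not code from the HP manual): two clients authenticate on one edge port and each is filtered only by the ACL tied to its own credentials. The ACE string syntax, first-match evaluation, the implicit final deny, and all names and addresses are assumptions made for illustration; the page does not specify them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    dest: ipaddress.IPv4Network
    port: Optional[int]    # None matches any destination port

def parse_ace(text):
    """Parse '<permit|deny> in <ip|tcp|udp> from any to <dest|any> [port]' (assumed syntax)."""
    t = text.split()
    ok = (len(t) in (7, 8) and t[0] in ("permit", "deny") and t[1] == "in"
          and t[2] in ("ip", "tcp", "udp") and t[3:6] == ["from", "any", "to"]
          and not (len(t) == 8 and t[2] == "ip"))   # a port needs tcp or udp
    if not ok:
        raise ValueError(f"unsupported ACE: {text!r}")
    dest = ipaddress.ip_network("0.0.0.0/0" if t[6] == "any" else t[6])
    return Ace(t[0], t[2], dest, int(t[7]) if len(t) == 8 else None)

class EdgePort:
    """One edge port holding a separate ACL for each authenticated client."""
    def __init__(self, client_limit):
        self.client_limit = client_limit
        self.acls = {}     # client identity (username or MAC) -> list of Ace

    def authenticate(self, client, radius_rules):
        """Install the ACL the RADIUS server returned for this client's credentials."""
        if client not in self.acls and len(self.acls) >= self.client_limit:
            raise RuntimeError("authenticated-client limit reached on this port")
        self.acls[client] = [parse_ace(r) for r in radius_rules]

    def filter_inbound(self, client, proto, dst_ip, dst_port=None):
        """Decide on one IP packet entering the port from `client`."""
        dst = ipaddress.ip_address(dst_ip)
        for ace in self.acls.get(client, []):   # only this client's own ACL applies
            if (ace.proto in ("ip", proto) and dst in ace.dest
                    and ace.port in (None, dst_port)):
                return ace.action               # first matching entry wins (assumption)
        return "deny"                           # assumed implicit deny; also covers unknown clients

# Constructed server-side table: credentials or MAC address -> ACL entries
RADIUS_ACLS = {
    "alice": ["deny in tcp from any to 10.10.10.1 23",     # no Telnet to the management address
              "permit in ip from any to any"],
    "00:11:22:33:44:55": ["permit in udp from any to 10.10.20.0/24 161"],
}
```

The same packet (TCP port 22 to 10.10.10.1) is permitted for `alice` and denied for the MAC-authenticated client, because each ACL applies only to traffic from the client whose authentication installed it.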

This manual is also suitable for: ProCurve 6120XG, ProCurve 6120 series