Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
Dynamic Port ACLs: Requires client authentication by a RADIUS server configured to dynamically assign an ACL to the client port, based on client credentials.
Static Port ACLs: No client authentication requirement.

Dynamic Port ACLs: ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match.
Static Port ACLs: ACEs allow a log option that generates a log message whenever there is a packet match with a "deny" ACE.

Caution Regarding the Use of Source Routing

Source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running config file, the show running command includes "no ip source-route" in the running-config file listing.)

How a RADIUS Server Applies a Dynamic Port ACL to a Switch Port

A dynamic port ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is designed to service. Where the username/password pair is the selection criterion, the corresponding ACL can also be used for a group of clients that all require the same ACL policy and use the same username/password pair. Where the client MAC address is the selection criterion, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client's credentials to the port. The ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL. (Every ACL ends with an implicit deny in ip from any to any ("deny any any") ACE that denies IP traffic not specifically permitted by the ACL.) When the client session ends, the switch removes the dynamic port ACL from the client port.
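The dynamic port ACL lifecycle described above (ACL selected by client credentials, first-match filtering ending in the implicit "deny ip any any", the cnt counter, removal at session end), modelled as an added example that is not from the ProCurve manual. It assumes exact-match host addresses, and all credentials and IP addresses in it are constructed.

```python
from dataclasses import dataclass


@dataclass
class ACE:
    action: str          # "permit" or "deny"
    src: str             # source IPv4 host or "any"
    dst: str             # destination IPv4 host or "any"
    cnt: bool = False    # dynamic port ACL "cnt" option: count packet matches
    hits: int = 0

    def matches(self, src, dst):
        return self.src in ("any", src) and self.dst in ("any", dst)


# What the RADIUS server holds: each ACL is selected by the credentials it is
# configured with. A username/password key can serve a group of clients that
# share it; a MAC address key serves only that client. Values are constructed.
RADIUS_ACLS = {
    ("alice", "password-constructed"): [ACE("permit", "any", "10.0.0.10", cnt=True),
                                        ACE("deny", "any", "10.0.0.30", cnt=True)],
    "00:11:22:33:44:55": [ACE("permit", "any", "10.0.0.20")],
}


class SwitchPort:
    """A client port that holds at most one dynamic port ACL per session."""

    def __init__(self):
        self.acl = None

    def authenticate(self, credential):
        """RADIUS authenticates the client, then assigns its ACL to this port."""
        aces = RADIUS_ACLS.get(credential)
        if aces is None:
            return False                               # auth failed, no ACL assigned
        self.acl = [ACE(a.action, a.src, a.dst, a.cnt) for a in aces]  # fresh counters
        return True

    def inbound(self, src, dst):
        """Filter one inbound IP packet: True = forwarded, False = dropped."""
        if self.acl is None:
            raise RuntimeError("no authenticated client session on this port")
        for ace in self.acl:                           # first matching ACE decides
            if ace.matches(src, dst):
                if ace.cnt:
                    ace.hits += 1
                return ace.action == "permit"
        return False                                   # implicit "deny ip any any"

    def end_session(self):
        self.acl = None                                # dynamic port ACL removed
```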