General ACL Features, Planning, and Configuration - ProCurve 2610 Manual

2610 / 2610-pwr series
Notes
Every dynamic port ACL ends with an implicit deny in ip from any to any
("deny any any") entry, so the default action is to deny any inbound IP traffic
that the ACL does not specifically permit. To override this default, use an
explicit permit in ip from any to any ("permit any any") as the last ACE in
the ACL.
On a given port, dynamic port ACL filtering occurs only for the traffic entering
the switch from the client whose authentication configuration on the server
includes a dynamic port ACL. Traffic entering the switch from another
authenticated client (on the same port) whose authentication configuration on the
server does not include a dynamic port ACL will not be filtered by an ACL
assigned to the port for any other authenticated client.
Multiple Clients Sharing the Same Dynamic Port ACL. When multiple
clients supported by the same RADIUS server use the same credentials, they
will all be serviced by different instances of the same ACL. (The actual IP
traffic inbound from any client on the switch carries a source MAC address
unique to that client. The dynamic port ACL uses this MAC address to identify
the traffic to be filtered.)
Multiple ACL Application Types on an Interface. The switch allows
simultaneous use of all supported ACL application types on an interface.
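The two notes above (the implicit "deny any any" at the end of every dynamic port ACL, and filtering that applies only to the client whose RADIUS profile carried the ACL, keyed by source MAC) are easy to get wrong when planning policies. The following Python model is an added illustration, not switch firmware or code from the manual: it parses ACEs in the "permit/deny in <proto> from <src> to <dst>" form the manual shows, appends the implicit deny, and keeps one ACL instance per client MAC. The tcp/udp protocol keywords, CIDR source/destination specs and trailing destination port are assumptions that extend the single "ip from any to any" form on this page; the MAC addresses, IP addresses and ACEs in the demo are constructed sample data.

```python
"""Model of how a RADIUS-assigned dynamic port ACL filters inbound client traffic.

Added illustration only; it is not ProCurve code. ACE grammar (assumed, a
simplification of the switch syntax):
    <permit|deny> in <ip|tcp|udp> from <any|addr[/len]> to <any|addr[/len]> [dst-port]
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Ace = Tuple[str, str, str, str, Optional[int]]  # action, proto, src, dst, dst_port

# The entry the switch appends to every dynamic port ACL (from the manual's note).
IMPLICIT_DENY = "deny in ip from any to any"


@dataclass(frozen=True)
class Packet:
    src_mac: str            # identifies the client instance the ACL applies to
    proto: str              # "tcp" or "udp" (other IP protocols: use "ip")
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def parse_ace(text: str) -> Ace:
    """Parse one ACE; raises ValueError on anything outside the assumed grammar."""
    t = text.split()
    if len(t) not in (7, 8) or t[1] != "in" or t[3] != "from" or t[5] != "to":
        raise ValueError(f"malformed ACE: {text!r}")
    action, proto, src, dst = t[0], t[2], t[4], t[6]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported action/protocol in ACE: {text!r}")
    port = int(t[7]) if len(t) == 8 else None
    if port is not None and proto == "ip":
        raise ValueError("a destination port requires tcp or udp")
    for spec in (src, dst):
        if spec != "any":
            ip_network(spec, strict=False)  # validates the address/prefix
    return (action, proto, src, dst, port)


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    _, proto, src, dst, port = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if port is not None and port != pkt.dst_port:
        return False
    return _addr_matches(src, pkt.src_ip) and _addr_matches(dst, pkt.dst_ip)


def evaluate_acl(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; the implicit deny catches everything else."""
    for ace in list(aces) + [parse_ace(IMPLICIT_DENY)]:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"  # unreachable, the implicit deny always matches


def filter_on_port(assigned: Dict[str, List[Ace]], pkt: Packet) -> str:
    """assigned maps client MAC -> the ACL RADIUS returned for that client.

    A client on the same port whose RADIUS profile carried no dynamic port ACL
    is not filtered by the ACLs assigned for other clients (manual's note).
    """
    acl = assigned.get(pkt.src_mac.lower())
    return "permit" if acl is None else evaluate_acl(acl, pkt)


def demo() -> Dict[str, str]:
    """Constructed scenario: two authenticated clients with ACLs, one without."""
    strict = [parse_ace("permit in tcp from any to 10.0.0.5 443")]
    open_tail = strict + [parse_ace("permit in ip from any to any")]  # explicit override
    table = {"aa:bb:cc:00:00:01": strict, "aa:bb:cc:00:00:02": open_tail}
    https = ("tcp", "10.0.0.20", "10.0.0.5", 443)
    dns = ("udp", "10.0.0.20", "10.0.0.9", 53)
    return {
        "strict_https": filter_on_port(table, Packet("aa:bb:cc:00:00:01", *https)),
        "strict_dns": filter_on_port(table, Packet("aa:bb:cc:00:00:01", *dns)),
        "override_dns": filter_on_port(table, Packet("AA:BB:CC:00:00:02", *dns)),
        "unassigned_dns": filter_on_port(table, Packet("aa:bb:cc:00:00:03", *dns)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "strict_dns" case is the one that surprises people: the client's ACL permits only HTTPS to one host, so its DNS query is dropped by the implicit deny even though nothing in the ACL mentions DNS. The "unassigned_dns" case shows the other note: a client on the same port with no RADIUS-assigned ACL is not filtered by a neighbour's ACL, so an unfiltered client is a planning gap, not a switch failure.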

General ACL Features, Planning, and Configuration

These steps suggest a process for using dynamic port ACLs to establish access
policies for client IP traffic.
1. Determine the policies you want to enforce for authenticated client traffic
inbound on the switch.
2. Plan ACLs to execute traffic policies:
   - Apply ACLs on a per-client basis where individual clients need different
     traffic policies, where each client must have a different
     username/password pair, or where clients will authenticate using MAC
     authentication.
   - Apply ACLs on a client group basis where all clients in a given group
     can use the same traffic policy and the same username/password pair.
3. Configure the ACLs on a RADIUS server accessible to the intended clients.
4. Configure the switch to use the desired RADIUS server and to support the
desired client authentication scheme. Options include 802.1X, Web
authentication, or MAC authentication. (Note that the switch supports the
option of simultaneously using 802.1X with either Web or MAC
authentication.)
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
6-13
