Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client’s credentials to the port. The ACL then filters the client’s inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL. (Every ACL ends with an implicit deny in ip from any to any (“deny any any”) ACE that denies IP traffic not specifically permitted by the ACL.) When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.
Notes
Included in any RADIUS-assigned ACL, there is an implicit deny in ip from any to any (“deny any any”) command that results in a default action to deny any inbound IP traffic that is not specifically permitted by the ACL. To override this default, use an explicit permit in ip from any to any (“permit any any”) as the last ACE in the ACL. This will only apply to the authenticated client; the default ip deny any any applies to all other IPv4 traffic.
On a given port, RADIUS-assigned ACL filtering applies to all IPv4 traffic once a client is authenticated.
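The first-match evaluation and the implicit trailing deny described above, as an added Python simulation (not the switch firmware or any ProCurve tool): the ACE syntax follows the page's "permit/deny in <proto> from <src> to <dst>" form, with CIDR prefixes assumed as the address notation and the per-client MAC mapping constructed for illustration.

```python
import ipaddress

# Every RADIUS-assigned ACL ends with this ACE unless the list overrides it
# with an explicit "permit in ip from any to any" as its last entry.
IMPLICIT_DENY_ACE = "deny in ip from any to any"

def parse_ace(text):
    """Parse '<permit|deny> in <proto> from <src> to <dst>' into a dict.
    Address fields are 'any' or a CIDR prefix (assumed notation)."""
    action, direction, proto, kw_from, src, kw_to, dst = text.split()
    if action not in ("permit", "deny") or direction != "in" \
            or kw_from != "from" or kw_to != "to":
        raise ValueError(f"malformed ACE: {text!r}")
    return {"action": action, "proto": proto, "src": src, "dst": dst}

def _addr_matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(acl, packet):
    """First-match evaluation of an inbound packet against a client's ACL.
    packet = {"proto": "tcp"|"udp"|..., "src": ip, "dst": ip}.
    Returns "permit" or "deny"; the implicit deny is appended automatically."""
    for text in list(acl) + [IMPLICIT_DENY_ACE]:
        ace = parse_ace(text)
        if ace["proto"] in ("ip", packet["proto"]) \
                and _addr_matches(ace["src"], packet["src"]) \
                and _addr_matches(ace["dst"], packet["dst"]):
            return ace["action"]
    raise AssertionError("unreachable: the implicit deny always matches")

def client_verdict(assigned_acls, client_mac, packet):
    """Apply the ACL the RADIUS server assigned to this client MAC (constructed
    mapping); a client with no assigned ACL is not filtered by this function."""
    acl = assigned_acls.get(client_mac.lower())
    return evaluate(acl, packet) if acl is not None else "not-filtered"

# Constructed sample data: one restrictive list and the same list with the
# explicit trailing permit-any-any that overrides the implicit deny.
RESTRICTIVE_ACL = ["permit in tcp from any to 10.1.1.10/32",
                   "deny in ip from any to 10.1.1.0/24"]
OPEN_TAIL_ACL = RESTRICTIVE_ACL + ["permit in ip from any to any"]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "192.0.2.7", "dst": "198.51.100.9"}
    print(evaluate(RESTRICTIVE_ACL, pkt), evaluate(OPEN_TAIL_ACL, pkt))  # deny permit
```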
Multiple Clients Sharing the Same RADIUS-Assigned ACL. When multiple clients supported by the same RADIUS server use the same credentials, they will all be serviced by different instances of the same ACL. (The actual IP traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses this MAC address to identify the traffic to be filtered.)
Multiple ACL Application Types on an Interface. The switch allows simultaneous use of all supported ACL application types on an interface.
General ACL Features, Planning, and Configuration
These steps suggest a process for using RADIUS-assigned ACLs to establish access policies for client IP traffic.
1. Determine the policies you want to enforce for authenticated client traffic inbound on the switch.
2. Plan ACLs to execute traffic policies:
   Apply ACLs on a per-client basis where individual clients need different traffic policies or where each client must have a different username/password pair or will authenticate using MAC authentication.
   Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same username/password pair.
6-15