General Steps; Determining Traffic Policies - HP ProCurve 6400cl Series Access Security Manual

Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
It is important to remember that RADIUS-based ACLs include an implicit
"deny IP any any". That is, packets received inbound from an authenticated
client that the ACL does not explicitly permit or deny will be implicitly
denied, and therefore dropped instead of forwarded. If you want the port to
permit all inbound IP traffic (from the authenticated client) that the ACL does
not explicitly permit or deny, insert a "permit in ip from any to any" entry
("permit any any") as the last explicit entry in the ACL.

Overriding the Implicit "deny IP any any". If you want an ACL to permit
any routed packets that are not explicitly denied by other entries in the ACL,
you can do so by configuring a permit any entry as the last entry in the ACL.
Doing so permits any packet not explicitly denied by earlier entries.
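
The following sketch models the first-match evaluation and the implicit deny described above. It is an added example, not code from the HP manual or the switch. The entry grammar is a simplified subset assumed for illustration (destination address or prefix only, no ports), and the addresses and sample policies are constructed.

```python
import ipaddress

def parse_entry(line):
    """Parse '<permit|deny> in <ip|tcp|udp|...> from any to <any|addr[/len]>' (assumed subset)."""
    action, direction, proto, frm, src, to, dst = line.lower().split()
    if action not in ("permit", "deny") or (direction, frm, src, to) != ("in", "from", "any", "to"):
        raise ValueError(f"unsupported entry: {line!r}")
    net = None if dst == "any" else ipaddress.ip_network(dst, strict=False)
    return action, proto, net

def evaluate(acl_lines, proto, dst_ip):
    """Return (action, matched_entry) for one inbound IP packet; the first match wins."""
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, acl_proto, net = parse_entry(line)
        if acl_proto in ("ip", proto) and (net is None or dst in net):
            return action, line
    # No explicit entry matched: the implicit "deny IP any any" applies.
    return "deny", "implicit deny ip any any"

# Constructed sample policies; the addresses are illustrative only.
RESTRICTIVE = [
    "permit in tcp from any to 10.10.10.101",
    "deny in ip from any to 10.10.20.0/24",
]
# Same policy with the override as the last explicit entry.
PERMISSIVE = RESTRICTIVE + ["permit in ip from any to any"]

if __name__ == "__main__":
    packets = [("tcp", "10.10.10.101"), ("udp", "10.10.20.7"), ("udp", "192.0.2.53")]
    for name, acl in (("without final permit", RESTRICTIVE), ("with final permit", PERMISSIVE)):
        for proto, dst in packets:
            action, why = evaluate(acl, proto, dst)
            print(f"{name:22} {proto} -> {dst:14} {action:6} ({why})")
```

Only the packet that no explicit entry matches changes outcome between the two policies; the explicit deny for 10.10.20.0/24 still wins because it precedes the final permit.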

General Steps

These steps suggest a process for using ACLs to establish client access
policies. The topics following this section provide details.
1. Determine the policies you want to enforce for client traffic inbound on
the switch.
2. Plan ACLs to execute traffic policies:
   • Apply ACLs on a per-client basis where individual clients need different
     traffic policies or where each client must have a different
     username/password pair or will authenticate using MAC authentication.
   • Apply ACLs on a client group basis where all clients in a given group
     can use the same traffic policy and the same username/password pair.
3. Configure the ACLs on a RADIUS server accessible to the intended clients.
4. Configure the switch to use the desired RADIUS server and to support the
desired client authentication scheme. Options include 802.1X, Web
authentication, or MAC authentication. (Note that the switch supports the
option of simultaneously using 802.1X with either Web or MAC
authentication.)
5. Test client access on the network to ensure that your RADIUS-based ACL
application is properly enforcing your policies.

Determining Traffic Policies

This section assumes that the RADIUS server needed by a client for
authentication and ACL assignments is accessible from any switch that
authorized clients may use.
RADIUS Authentication and Accounting