Operating Rules For Radius-Based Acls - HP ProCurve 6400cl Series Access Security Manual

RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
Operating Rules for RADIUS-Based ACLs

Relating a Client to a RADIUS-Based ACL: A RADIUS-based ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. (If the client must authenticate using 802.1X and/or Web Authentication, the username/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set.) For more on this topic, refer to "Configuring an ACL in a RADIUS Server" on page 6-38.

Multiple Clients Using the Same Username/Password Pair: Multiple clients using the same username/password pair will use duplicate instances of the same ACL.

Limits for RADIUS-Based ACLs, Associated ACEs, and Counters: The table below describes limits the switch supports in ACLs applied by a RADIUS server. Exceeding a limit causes the related client authentication to fail.

Table 6-3. Limits Affecting RADIUS-Based ACL Applications

Item: Maximum Number of Authenticated Sessions Per-Port Using RADIUS-based ACLs
Limit: 2
Notes: A port supports a maximum of two ACLs (or two instances of the same ACL) on a given port at the same time. This rule does not affect the number of authenticated clients a port supports (32); only the number of authenticated clients using RADIUS-based ACLs. If two authenticated clients are already using RADIUS-based ACLs on a port and a third client on the same port attempts to authenticate with a RADIUS server account that includes an ACL assignment, the attempt will fail.

Item: Maximum Number of (internal) ACEs Per-Port, and Maximum Number of (internal) ACEs Per-ACL
Limit: 30
Notes: Depending on how a RADIUS-assigned ACE is formed, it can consume multiple internal ACEs. A RADIUS-assigned ACE that does not specify TCP or UDP port numbers uses one internal ACE. However, an ACE that includes TCP or UDP port numbers uses one or more internal ACE resources, depending on the port number groupings. A single TCP or UDP port number or a series of contiguous port numbers comprise one group. For example, "80" and "137-146" each form one group. "135, 137-140, 143" in a given ACE form three groups. The following ACE examples illustrate how the switch applies internal ACE usage.

Examples of Single and Multiple (Internal) ACEs Per-Port

ACE                                                                  Internal ACEs
deny in ip from any to any                                           1
deny in tcp from any to any                                          1
deny in tcp from any to any 80                                       1
permit in tcp from any to any 135, 137-146, 445                      3
permit in tcp from any to any 135-137, 139, 141, 143, 146, 445       6
permit in tcp from any to any 135-146, 445                           2
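As an added worked example (not from the manual), this Python script applies the port-grouping rule above to the ACE syntax shown in the table, counting the internal ACEs each ACE and ACL consumes and checking a port's proposed RADIUS-based ACLs against the two-ACL and 30-ACE limits. The function names and the pre-check itself are my own construction, not switch firmware behaviour.

```python
import re

# Limits from Table 6-3: RADIUS-based ACL instances per port, and
# internal ACEs both per port and per ACL.
MAX_RADIUS_ACLS_PER_PORT = 2
MAX_INTERNAL_ACES = 30

# ACE syntax as used in the table's examples, e.g.
# "permit in tcp from any to any 135, 137-146, 445"
ACE_RE = re.compile(
    r"^(permit|deny)\s+in\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+(.+))?$"
)


def internal_aces(ace):
    """Internal ACE resources one RADIUS-assigned ACE consumes.

    No port list: one internal ACE. With tcp/udp ports, each single port
    or contiguous range ("80", "137-146") is one group and costs one ACE.
    """
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"unrecognised ACE syntax: {ace!r}")
    proto, ports = m.group(2).lower(), m.group(5)
    if not ports:
        return 1
    if proto not in ("tcp", "udp"):
        raise ValueError(f"port numbers are only valid with tcp/udp: {ace!r}")
    groups = [g.strip() for g in ports.split(",") if g.strip()]
    for g in groups:
        if not re.fullmatch(r"\d+(-\d+)?", g):
            raise ValueError(f"bad port group {g!r} in {ace!r}")
    return len(groups)


def acl_internal_aces(acl):
    """Total internal ACEs for one RADIUS-assigned ACL (a list of ACE strings)."""
    return sum(internal_aces(a) for a in acl)


def check_port(acls):
    """Pre-check the ACLs proposed for one port (one ACL per client).

    Returns a list of limit violations; an empty list means none of the
    Table 6-3 limits would cause the client authentications to fail.
    """
    problems = []
    if len(acls) > MAX_RADIUS_ACLS_PER_PORT:
        problems.append(f"{len(acls)} RADIUS-based ACLs, max {MAX_RADIUS_ACLS_PER_PORT} per port")
    total = 0
    for i, acl in enumerate(acls, 1):
        n = acl_internal_aces(acl)
        total += n
        if n > MAX_INTERNAL_ACES:
            problems.append(f"ACL {i} uses {n} internal ACEs, max {MAX_INTERNAL_ACES} per ACL")
    if total > MAX_INTERNAL_ACES:
        problems.append(f"port uses {total} internal ACEs, max {MAX_INTERNAL_ACES} per port")
    return problems
```

Running `internal_aces` over the six table rows reproduces the manual's counts (1, 1, 1, 3, 6, 2), which is a quick way to sanity-check a server-side ACL before a client is denied for exceeding the limit.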
