RADIUS client and server requirements
- Clients can be dual-stack, IPv4-only, or IPv6-only.
- Client authentication can be through 802.1X, MAC authentication, or web-based authentication. (Clients using web-based authentication must be IPv4-capable.)
- Server must support IPv4 and have an IPv4 address.

The following information provides an overview of the RADIUS services supported on a switch, including CoS (802.1p priority), ingress and egress rate-limiting, and ACL client services on a RADIUS server. For information on configuring client authentication capability on the switch, see RADIUS Authentication, Authorization, and Accounting.
When no `allow-v2-modules` is specified in the configuration of a switch with V3 modules on KB firmware, Egress VLAN ACLs do not filter mirrored traffic. You must use a port ACL to filter mirrored traffic.

| Service | Application | Standard RADIUS attribute | HP vendor-specific RADIUS attribute (VSA) |
|---|---|---|---|
| CoS (Priority) | per-user | 59 | 40 |
| Ingress Rate-Limiting | per-user | — | 46 |
| Egress Rate-Limiting | per-port¹ | — | 48 |
| ACLs | | | |
| IPv6 and IPv4 ACEs (NAS-Filter-Rule) | per-user | 92 | 61 |
| NAS-Rules-IPv6 (sets IP mode to IPv4-only or IPv4 and IPv6) | per-user | — | 63 |

¹ If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.

Hewlett Packard Enterprise recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases.
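
The following added example (not HPE code) parses the attribute block of a RADIUS reply and reports, for each service in the table, whether the server sent the standard attribute, the VSA, or both. It assumes the RFC 2865 Vendor-Specific layout (attribute 26) and HP's IANA enterprise number 11, neither of which is stated on this page; the function names are hypothetical and the sample values are constructed placeholders, not real value formats.

```python
import struct

HP_VENDOR_ID = 11     # assumption: IANA enterprise number for HP, not stated on the page
VENDOR_SPECIFIC = 26  # assumption: RFC 2865 Vendor-Specific attribute type
# service -> (standard attribute, HP VSA), numbers copied from the table above
SERVICES = {"CoS (Priority)": (59, 40), "Ingress Rate-Limiting": (None, 46),
            "Egress Rate-Limiting": (None, 48), "NAS-Filter-Rule": (92, 61),
            "NAS-Rules-IPv6": (None, 63)}

def tlv(attr_type, value):  # type, length (includes the 2-byte header), value
    return bytes([attr_type, len(value) + 2]) + value
def hp_vsa(vsa_type, value):  # attribute 26 carrying vendor id + one sub-attribute
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", HP_VENDOR_ID) + tlv(vsa_type, value))

def _walk(buf):
    # Yield (type, value) pairs, rejecting lengths that under- or overrun the buffer.
    i = 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def parse(attrs):
    # Flatten an attribute block into ("std" | "hp", type, value) tuples.
    out = []
    for t, v in _walk(attrs):
        if t == VENDOR_SPECIFIC and v[:4] == struct.pack("!I", HP_VENDOR_ID):
            out += [("hp", st, sv) for st, sv in _walk(v[4:])]
        else:
            out.append(("std", t, v))
    return out

def audit(attrs):
    # Report, per service present, whether the recommended standard attribute is used.
    seen = {(kind, t) for kind, t, _ in parse(attrs)}
    report = {}
    for name, (std, vsa) in SERVICES.items():
        has_std, has_vsa = ("std", std) in seen, ("hp", vsa) in seen
        if has_std and has_vsa:
            report[name] = "standard and VSA both sent"
        elif has_vsa and std is not None:
            report[name] = "VSA only, standard attribute %d available" % std
        elif has_std or has_vsa:
            report[name] = "ok"
    return report
# Constructed sample reply attributes; the values are opaque placeholders.
SAMPLE = (tlv(92, b"rule-placeholder") + hp_vsa(61, b"rule-placeholder")
          + hp_vsa(40, b"cos-placeholder") + hp_vsa(46, b"\x00\x00\x03\xe8"))
```

Calling `audit(SAMPLE)` flags CoS as VSA-only and NAS-Filter-Rule as sent in both forms, which are the two cases the recommendation above is about.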