Displaying the current RADIUS-assigned ACL activity on the switch
These commands output data indicating the current ACL activity imposed per-port by RADIUS server responses to client authentication.
Syntax:
show access-list radius < port-list >
- Whether the ACL for the indicated client is configured to filter IPv4 traffic only, or both IPv4 and IPv6 traffic. See Nas-filter-rule options for more on this topic.
- The explicit ACEs, switch port, and client MAC address for each ACL dynamically assigned by a RADIUS server as a response to client authentication.
- If cnt (counter) is included in an ACE, then the output includes the current number of inbound packet matches the switch has detected in the current session for that ACE; see ACE syntax in RADIUS servers.
If there are no ACLs currently assigned to any port in <port-list>, executing this command returns only the system prompt. If a client authenticates but the server does not return a RADIUS-assigned ACL to the client port, then the server does not have a valid ACL configured and assigned to that client's authentication credentials.
Example:
The following output shows that a RADIUS server has assigned an ACL to port B1 to filter inbound traffic from an authenticated client identified by a MAC address of 00-17-A4-E6-D7-87.
Syntax:
show port-access {<web-based | mac-based | authenticator>} clients < port-list > detailed
For ports in <port-list> configured for authentication, this command shows the details of the RADIUS-assigned features listed below that are active as the result of a client authentication. (Ports in <port-list> that are not configured for authentication are not listed.)
Client Base Details:
- Port
Port number of port configured for authentication.
- Session Status
Indicates whether there is an authenticated client session active on the port. Options include authenticated and unauthenticated.
- Username
During an authenticated session, shows the user name of the authenticated client. If the client is not authenticated, this field is empty.
- IP
Shows the authenticated client's IP address, if available. Requires DHCP snooping enabled on the switch. When "n/a" appears in the field, the switch has not been able to acquire the client's IP address. Note: Where the client IP address is available to the switch, it can take a minute or longer for the switch to learn the address. For more on this topic, see Configuring RADIUS accounting.
- Session Time (sec)
For an unauthenticated session, indicates the elapsed time in seconds since the client was detected on the port. For an authenticated session, this indicates the elapsed time in seconds since the client was authenticated on the port.
- MAC Address
During an authenticated session, shows the MAC address of the authenticated client.
Access Policy Details:
- COS Map
Indicates the 802.1p priority assigned by the RADIUS server for traffic inbound on the port from an authenticated client. The field shows an eight-digit value where all digits show the same assigned 802.1p number. For example, if the assigned 802.1p value is 5, then this field shows 55555555. If an 802.1p priority has not been assigned by the RADIUS server, this field shows Not Defined.
- Untagged VLAN
VLAN ID (VID) of the untagged VLAN currently supporting the authenticated connection.
- Tagged VLANs
VLAN IDs (VIDs) of any tagged VLANs currently supporting the authenticated connection.
- RADIUS ACL List
Lists the explicit ACEs in the ACL assigned to the port for the authenticated client. Includes the ACE "Hit Count" (matches) for ACEs configured with the cnt option; see ACE syntax in RADIUS servers. If a RADIUS ACL for the authenticated client is not assigned to the port, No Radius ACL List appears in this field.
- In Limit Kbps
Indicates the ingress rate-limit assigned by the RADIUS server to the port for traffic inbound from the authenticated client. If there is no ingress rate-limit assigned, then Not Set appears in this field.
- Out Limit Kbps
Indicates the egress rate-limit assigned by the RADIUS server to the port for traffic outbound to the authenticated client. If there is no egress rate-limit assigned, then Not Set appears in this field.
Output showing current RADIUS-applied features
switch(config)# show port-access web-based clients 10 detailed

 Port Access Web-Based Client Status Detailed

  Client Base Details :
   Port              : 9
   Session Status    : authenticated      Session Time(sec) : 5
   Username          : acluser1           MAC Address       : 0017a4-e6d787
   IP                : n/a

  Access Policy Details :
   COS Map           : 77777777           In Limit Kbps     : 1000
   Untagged VLAN     : 10                 Out Limit Kbps    : Not Set
   Tagged VLANs      : 20

   RADIUS-ACL List :
     deny in 23 from any to 10.0.8.1/24 23 CNT
        Hit Count: 1
     permit in 1 from any to 10.0.10.1/24 CNT
        Hit Count: 112
     deny in udp from any to any 67-68 CNT
        Hit Count: 7
     permit in ip from any to any CNT
        Hit Count: 125
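To turn this output into something a monitoring job can act on, here is an added Python parser (not from the switch documentation). It assumes the two-column "Key : value" layout of the example above and flags the two conditions the text describes: an authenticated client for which the server returned no RADIUS ACL, and deny ACEs whose cnt counters are nonzero.

```python
import re

# Constructed sample in the layout of the page's own "show port-access ... detailed" output.
SAMPLE = """\
  Client Base Details :
   Port              : 9
   Session Status    : authenticated      Session Time(sec) : 5
   Username          : acluser1           MAC Address       : 0017a4-e6d787
  Access Policy Details :
   Untagged VLAN     : 10                 Out Limit Kbps    : Not Set
   RADIUS-ACL List :
     deny in udp from any to any 67-68 CNT
        Hit Count: 7
     permit in ip from any to any CNT
        Hit Count: 125
"""

# One "Key : value" pair; a value ends where two or more spaces precede the next "Key :".
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ()/-]*?)\s*:\s*(.*?)"
                  r"(?=\s{2,}[A-Za-z][A-Za-z0-9 ()/-]*?\s*:|$)")
SECTIONS = ("Client Base Details", "Access Policy Details", "RADIUS-ACL List")

def parse_client(text):
    fields, acl, section = {}, [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.rstrip(" :") in SECTIONS:      # section header line
            section = line.rstrip(" :")
        elif section == "RADIUS-ACL List":
            if line.startswith("Hit Count:"):  # counter belongs to the previous ACE
                acl[-1]["hits"] = int(line.split(":", 1)[1])
            elif line != "No Radius ACL List":
                acl.append({"ace": line, "action": line.split()[0], "hits": None})
        elif section:                          # "Key : value" pairs, up to two per line
            for key, value in PAIR.findall(line):
                fields[key] = value
    return {"fields": fields, "acl": acl}

def assess(client):
    # Defender-side checks based on the output semantics the page documents.
    findings, f = [], client["fields"]
    if f.get("Session Status") == "authenticated" and not client["acl"]:
        findings.append("port %s: authenticated client has no RADIUS ACL" % f.get("Port"))
    for ace in client["acl"]:
        if ace["action"] == "deny" and ace["hits"]:
            findings.append("deny ACE matched %d packets: %s" % (ace["hits"], ace["ace"]))
    return findings
```

Feeding the parser the output for every authenticated port and alerting on a nonempty assess() result gives a cheap check that the RADIUS server is actually returning the ACLs policy expects.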
| IPv4 ICMP # | IPv4 ICMP keyword | IPv6 ICMP # | IPv6 ICMP keyword |
|---|---|---|---|
| 0 | echo reply | 1 | destination unreachable |
| 3 | destination unreachable | 2 | packet too big |
| 4 | source quench | 3 | time exceeded |
| 5 | redirect | 4 | parameter problem |
| 8 | echo request | 128 | echo request |
| 9 | router advertisement | 129 | echo reply |
| 10 | router solicitation | 130 | multicast listener query |
| 11 | time-to-live exceeded | 131 | multicast listener reply |
| 12 | IP header bad | 132 | multicast listener done |
| 13 | timestamp request | 133 | router solicitation |
| 14 | timestamp reply | 134 | router advertisement |
| 15 | information request | 135 | neighbor solicitation |
| 16 | information reply | 136 | neighbor advertisement |
| 17 | address mask request | 137 | redirect message |
| 18 | address mask reply | 138 | router renumbering |
| | | 139 | icmp node information query |
| | | 140 | icmp node information response |
| | | 141 | inverse neighbor discovery solicitation message |
| | | 142 | inverse neighbor discovery advertisement message |
| | | 143 | version 2 multicast listener report |
| | | 144 | home agent address discovery request message |
| | | 145 | home agent address discovery reply message |
| | | 146 | mobile prefix solicitation |
| | | 147 | mobile prefix advertisement |
| | | 148 | certification path solicitation message |
| | | 149 | certification path advertisement message |
| | | 151 | multicast router advertisement |
| | | 152 | multicast router solicitation |
| | | 153 | multicast router termination |