This example uses the VSA attribute 61 for configuring
RADIUS-assigned IPv4 ACL support on FreeRADIUS for two different client
identification methods (username/password and MAC address).
Procedure
Enter the vendor-specific
ID and the ACL VSA in the FreeRADIUS dictionary file:
Enter the switch IPv4 address,
NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file.
For example, if the switch IP address is 10.10.10.125 and the key
("secret") is "1234", you would enter the following
in the server's clients.conf file:
For a given client username/password
pair, create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS
"users" file. Remember that the ACL created to filter IPv4
traffic automatically includes an implicit deny in ip from
any to any ACE (for IPv4). For example, to create ACL support
for a client having a username of "User-10" and a password
of "auth7X". The ACL in this example must achieve the following:
Permit http (TCP port 80) traffic from the client
to the device at 10.10.10.117.
Deny http (TCP port 80) traffic from the client to
all other IPv4 addresses.
Deny Telnet (TCP port 23) traffic from the client
to any IPv4 address.
Permit all other IPv4 traffic from the client to all
other devices.