Using HPE VSA 63 to assign IPv6 and IPv4 ACLs (example)
The ACL VSA HP-Nas-Rules-IPv6=1 is used in conjunction with the standard attribute Nas-Filter-Rule for ACL assignments that filter both IPv6 and IPv4 traffic inbound from an authenticated client. For example, to use these attributes to configure a RADIUS-assigned ACL on a FreeRADIUS server that filters both IPv6 and IPv4 traffic, perform these steps:
Procedure
Enter the following in the FreeRADIUS dictionary.hp file:
vendor-specific ID
ACL VSA for IPv6 ACLs (63)
HP-Nas-Rules-IPv6 VALUE setting to specify both IPv4 and IPv6 (1)
In the FreeRADIUS clients.conf file, enter the switch IPv4 address, the NAS (Network Access Server) type, and the shared key.
For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:
For a given client username/password pair, create an ACL by entering one or more IPv6 and IPv4 ACEs in the FreeRADIUS "users" file.
Remember that the ACL created to filter both IPv4 and IPv6 traffic automatically includes an implicit deny in ip from any to any ACE at the end of the ACL, so any IPv4 or IPv6 traffic that is not explicitly permitted or denied by the ACL is dropped. For example, consider a client with the username "Admin01" and the password "myAuth9". The ACL in this example must achieve the following:
Permit http (TCP port 80) traffic from the client to the device at FE80::a40.
Deny http (TCP port 80) traffic from the client to all other IPv6 addresses.
Permit http (TCP port 80) traffic from the client to the device at 10.10.10.117.
Deny http (TCP port 80) traffic from the client to all other IPv4 addresses.
Deny Telnet (TCP port 23) traffic from the client to any IPv4 or IPv6 address.
Permit all other IPv4 and IPv6 traffic from the client to all other devices.
To configure the above ACL, enter the username/password and ACE information, as shown in this example:
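The three FreeRADIUS fragments below (dictionary.hp, clients.conf and users) are an added worked example covering all of the steps above; they are not configuration reproduced from the original page. Assumptions: vendor ID 11 is Hewlett-Packard's IANA enterprise number (the page names the vendor ID but does not give it), the VALUE name IPv4-and-IPv6 and the client name switch01 are constructed, Cleartext-Password is the FreeRADIUS 2.x/3.x form of the password check item, and the ACE strings follow the "permit|deny in <protocol> from any to <destination> [port]" form that the page's implicit-deny ACE uses. The ACEs are ordered so that both http permits come before the shared deny, because the switch evaluates them first-match.

```conf
# --- dictionary.hp (include from the main dictionary with "$INCLUDE dictionary.hp") ---
# Vendor ID 11 is Hewlett-Packard's IANA enterprise number (assumption: not stated on the page).
VENDOR          HP                      11
BEGIN-VENDOR    HP
# VSA 63 selects which address families the RADIUS-assigned ACL filters.
ATTRIBUTE       HP-Nas-Rules-IPv6       63      integer
# Value 1 = filter both IPv4 and IPv6 traffic; the name IPv4-and-IPv6 is constructed.
VALUE           HP-Nas-Rules-IPv6       IPv4-and-IPv6   1
END-VENDOR      HP

# --- clients.conf (the switch is the NAS; "switch01" is a constructed name) ---
client switch01 {
        ipaddr  = 10.10.10.125
        secret  = 1234
        nastype = other
}

# --- users (reply items for Admin01) ---
# Cleartext-Password := is the FreeRADIUS 2.x/3.x check-item form (assumption: modern server).
# The switch applies the ACEs in order, first match wins, and appends an implicit
# "deny in ip from any to any", so both http permits must precede the shared port-80
# deny, and an explicit final "permit in ip from any to any" is needed to let all
# other traffic through.
Admin01 Cleartext-Password := "myAuth9"
        HP-Nas-Rules-IPv6 = 1,
        Nas-Filter-Rule  = "permit in tcp from any to fe80::a40 80",
        Nas-Filter-Rule += "permit in tcp from any to 10.10.10.117 80",
        Nas-Filter-Rule += "deny in tcp from any to any 80",
        Nas-Filter-Rule += "deny in tcp from any to any 23",
        Nas-Filter-Rule += "permit in ip from any to any"
```

After restarting the server, run radtest Admin01 myAuth9 localhost 0 testing123 (assuming the stock localhost client secret) and confirm that the Access-Accept carries HP-Nas-Rules-IPv6 = 1 followed by the five Nas-Filter-Rule values in exactly this order; if the port-80 deny is listed before either permit, the switch's first-match evaluation silently drops the http traffic the ACL was meant to allow.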