RADIUS services supported on HPE switches

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service. RADIUS is the transport for AAA services. The services can include the user profiles including storing user credentials, user access policies, and user activity statistics which can reside on the same server. Gateway devices that control network access, such as remote access servers, VPN servers, and network switches, can use the RADIUS protocol to communicate with a RADIUS server for:

  • Authentication — verifying user credentials regarding granted access to their networks.

  • Authorization — verifying user access policy on how much and what kind of resources are allowed for an authenticated user.

  • Accounting — keeping statistic information about the user activities for accounting purpose.

RADIUS client and server requirements

  • Clients can be dual-stack, IPv4-only or IPv6 only.

  • Client authentication can be through 802.1X, MAC authentication, or web-based authentication. (clients using web-based authentication must be IPv4-capable.)

  • Server must support IPv4 and have an IPv4 address.

The following information provides an overview about RADIUS services supported on a switch, including CoS (802.1p priority), ingress and egress rate-limiting, and ACL client services on a RADIUS server. For information on configuring client authentication capability on the switch, see RADIUS Authentication, Authorization, and Accounting.


[NOTE: ]

NOTE: When no allow-v2-modules is specified in the configuration of a switch with V3 modules on KB firmware, Egress VLAN ACLs do not filter mirrored traffic. You must use a port ACL to filter mirrored traffic.


RADIUS services supported on the switch

Service Application Standard RADIUS attribute[a] HP vendor-specific RADIUS attribute (VSA)
Cos (Priority) per-user 59 40
Ingress Rate-Limiting per-user 46
Egress Rate-Limiting per-port2[b] 48
ACLs
IPv6 and IPv4 ACEs(NAS-Filter-Rule) per-user 92 61
NAS-Rules-IPv6 (sets IP mode to IPv4-only or IPv4 and IPv6) per-user 63

[a] Hewlett Packard Enterprise recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases.

[b] If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.

RADIUS server support

Optional HPE PCM and IDM network management applications

All RADIUS-based services described here can be used without PCM+ or PMC IDM (Identity-Driven Management) support, if desired. For information on these services in the PCM+ application using the IDM plug-in, see the documentation for these applications on the HPE Support web site.

RADIUS server configuration for CoS (802.1p priority) and rate-limiting

The following information provides general guidelines for configuring RADIUS servers, so that the features listed in CoS and rate-limiting services can be dynamically applied on ports that support authenticated clients.

CoS and rate-limiting services

Service Control method and operating notes
802.1p

Assigns a RADIUS-configured 802.1p priority to the inbound packets received from a specific client authenticated on a switch port.


[NOTE: ]

NOTE: Beginning with software release K.14.01, this attribute is assigned per-authenticated-user instead of per-port.


Standard Attribute used in the RADIUS server: 59 (This is the preferred attribute for new or updated configurations.)

Vendor-Specific Attribute used in the RADIUS server.

(This attribute is maintained for legacy configurations.)

HP vendor-specific ID:11

VSA: 40

Setting: User-Priority-Table=xxxxxxxx where: x=desired 802.1p priority

Note: This is an eight-digit field. Enter the same x-value for all eight digits.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch.

For more on 802.1p priority levels, see "Quality of Service (QoS)" in the advanced traffic management guide for your switch.

Ingress (inbound) rate-limiting per-user

Assigns a RADIUS-configured bandwidth limit to the inbound packets received from a specific client authenticated on a port.


[NOTE: ]

NOTE: Beginning with software release K.14.01, this attribute is assigned per-authenticated-user instead of per-port. To assign a per-port inbound rate limit, use the rate-limit all in CLI command instead of this option.


Vendor-Specific Attribute used in the RADIUS server.

HP vendor-specific ID:11

VSA: 46

Setting: HP-Bandwidth-Max-Egress=<bandwidth-in-Kbps>

Note: RADIUS-assigned rate-limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-user rate-limit requires the actual Kbps to which you want to limit ingress (inbound) traffic volume. For example, to limit inbound traffic on a gigabit port to half of the port's bandwidth capacity requires a VSA setting of 500,000 Kbps.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch.

The actual bandwidth available for ingress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override.

Egress (outbound) rate-limiting per-port

Assigns a RADIUS-configured bandwidth limit to the outbound traffic sent to a switch port.

Vendor-Specific Attribute used in the RADIUS server.

HP vendor-specific ID:11

VSA: 48 (string=HP)

Setting: HP-RATE-LIMIT=<bandwidth-in-Kbps>

Note: RADIUS-assigned rate-limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-port rate-limit requires the actual Kbps to which you want to limit outbound traffic volume. For example, to limit outbound traffic on a gigabit port to half of the port's bandwidth capacity requires a VSA setting of 500,000 Kbps.

In instances where multiple, authenticated clients are using this feature on the same switch port, only one (per-port) rate limit is applied. In this case, the actual rate used is the rate assigned by the RADIUS server to the most recently authenticated client. This rate remains in effect as long as any authenticated client remains connected on the port.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch.

The actual bandwidth available for egress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override.

To configure support for the services listed in CoS and rate-limiting services on a specific RADIUS server application, see the documentation provided with the RADIUS application.

Applied rates for RADIUS-assigned rate limits

Rate limits are applied incrementally on the switches, as determined by the RADIUS-applied rate. For any given bandwidth assignment, the switch applies the nearest rate increment that does not exceed the assigned value. The increments are in graduated steps, as described in RADIUS-assigned rate-limit increments.

RADIUS-assigned rate-limit increments

RADIUS-assigned

bits-per-second rate limit

Applied rate-limiting increment
1 - 10,999,999 100 Kbps
11,000,000 - 100,999,999 1 Mbps
101,000,000 - 999,999,999 10 Mbps
1,000,000,000 - 10 Gbps 100 Mbps

For example, some of the following RADIUS-assigned rates fall between their respective incremental values, resulting in applied rates lower than the RADIUS-assigned rates. However, others match their respective incremental values, resulting in no difference between the RADIUS-assigned rate limits and the applied rate limits.

Assigned and applied rate limits example

RADIUS-assigned bandwidth (Kbps) Applied increments Applied rate limit (Kbps) Difference/Kbps
5,250 100 Kbps 5,200 50
50,250 1 Mbps 50,000 250 Kbps
51,000 1 Mbps 51,000 0
525,000 10 Mbps 520,000 5,000 Kbps
530,000 10 Mbps 530,000 0
1,250,000 100 Mbps 1,200,000 50,000 Kbps
1,300,000 100 Mbps 1,300,000 0

Per-port bandwidth override

Hewlett Packard Enterprise recommends that rate-limiting be configured either solely through RADIUS assignments or solely through static CLI configuration on the switch unless the potential for the override described below is specifically desired.

Ingress (inbound) traffic

Beginning with software release K.14.01, RADIUS-assigned ingress rate-limits are applied to individual clients instead of to the client's port. But if you use the CLI to configure a per-port ingress rate-limit on the same port where an authenticated client receives a RADIUS-assigned ingress rate-limit, the client's assigned ingress limit can be reduced by the CLI-configured port ingress limit. This occurs if the port reaches its CLI-configured rate-limit maximum before the client reaches its RADIUS-assigned rate-limit maximum, thus denying the client its intended maximum.

Egress (outbound) traffic

The most recent RADIUS-assigned egress rate-limit specifies the maximum egress rate-limit for a port, even if the CLI has also been used to configure an egress rate limit on the port.

Rate-limit assignment method Rate-limit actions and restrictions
Inbound

CLI ingress rate-limit per-port

rate-limit all in

Determines the maximum ingress bandwidth available on the port, regardless of any RADIUS-assigned per-client rate-limits dynamically assigned to the same port.

RADIUS ingress rate-limit per-client

VSA 46

Each client is allowed the inbound bandwidth individually assigned to it by the RADIUS server, up to the port's physical capacity, unless the available bandwidth on the port has been reduced by a CLI-assigned per-port bandwidth limit.
Outbound

CLI egress rate-limit per-port

rate-limit all out

Determines the maximum egress bandwidth available on the port, unless there is also a RADIUS-assigned per-port rate limit on the port.

RADIUS egress rate-limit per client

VSA 48

The most recent client to authenticate determines the maximum egress bandwidth on the port for all outbound traffic, regardless of any CLI-assigned per-port outbound rate-limit.

For example, suppose the CLI is used to configure a gigabit port to have an ingress rate limit of 500,000 Kbps (50% of available bandwidth), and is receiving 450,000 Kbps of traffic from existing clients. If a RADIUS server then authenticates a new client with an ingress rate-limit of 100,000 Kbps, the maximum ingress rate limit actually available for the new client is 50,000 Kbps as long as the bandwidth usage by the other clients already on the port remains at 450,000 Kbps.

For more on static rate-limiting, see "Rate-Limiting" in the "Port Traffic Controls" in the management and configuration guide for your switch.

Configuring and using dynamic (RADIUS-assigned) access control lists

A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server to filter IP traffic from a specific client after the client is authenticated by the server.

The information in this section describes how to apply RADIUS-assigned ACLs on the switch, and assumes a general understanding of ACL structure and operation. If you need information on ACL filtering criteria, design, and operation, see the following:

Overview of RADIUS-assigned, dynamic ACLs

RADIUS-assigned ACLs enhance network and switch management access security and traffic control by permitting or denying authenticated client access to specific network resources and to the switch management interface. This includes preventing clients from using TCP or UDP applications, ICMP packet types, and IGMP (IPv4 only) if you do not want their access privileges to include these capabilities.

Traffic applications

Beginning with software release K.14.01, the switch supports RADIUS-assigned ACLs for the following traffic applications:

  • Inbound IPv4 traffic only

  • Inbound IPv4 and IPv6 traffic

This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique user name/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the required, unique credentials. The switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client's traffic can be assigned regardless of whether other ACLs assigned to the same port are statically configured on the switch.

A RADIUS-assigned ACL filters IP traffic entering the switch from the client whose authentication caused the ACL assignment. Filter criteria is based on:

  • Destination address

  • IPv4 or IPv6 traffic type, such as TCP and UDP traffic

Implementing the feature requires:

  • RADIUS authentication using the 802.1X, web-based authentication, or MAC authentication available on the switch to provide client authentication services

  • Configuring one or more ACLs on a RADIUS server instead of the switch, and assigning each ACL to the user name/password pair or MAC address of the clients you want the ACLs to support

Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and helping to improve system performance. Also, applying RADIUS-assigned ACLs to the network edge is likely to be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted IP traffic that could have been filtered at the edge.


[NOTE: ]

NOTE: A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose authentication triggered the ACL assignment to the port.

A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already being filtered by other, static ACLs that are already assigned. Simultaneous ACL activity supported per-port lists the supported per-port ACL assignment capacity.

ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.

Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.


Simultaneous ACL activity supported per-port[1]

ACL type Function IPv4 IPv6
VACL Static ACL assignment to filter inbound IP traffic on a specific VLAN. 1 1
Port ACL Static ACL assignment to filter inbound IP traffic on a specific port. 1 1
RADIUS-assigned ACL Dynamic ACL assignment to filter inbound IP traffic from a specific client on a given port. 1-32[a] 1-32[a]
RACL (IPv4 only) static ACL assignment to filter routed IPv4 traffic entering or leaving the switch on a specific VLAN 1 in 1 out n/a
Connection-Rate ACL Static ACL assignment for virus-throttling on a specific port, see Virus throttling (connection-rate filtering). 1 n/a

[a] One per authenticated client, up to a maximum of 32 clients per-port for 802.1X, web-based authentication, and MAC-Authentication methods combined.

ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.

Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.

Contrasting RADIUS-assigned and static ACLs

Contrasting dynamic (RADIUS-assigned) and static ACLs highlights several key differences between the static ACLs configurable on switch VLANs and ports, and the dynamic ACLs that can be assigned by a RADIUS server to filter IP traffic from individual clients.

Contrasting dynamic (RADIUS-assigned) and static ACLs

RADIUS-assigned ACLs Static port and VLAN ACLs
Configured in client accounts on a RADIUS server. Configured on switch ports and VLANs.
Designed for use on the edge of the network where filtering of IP traffic entering the switch from individual, authenticated clients is most important and where clients with differing access requirements are likely to use the same port. Designed for use where the filtering needs focus on static configurations covering:
  • switched IP traffic entering from multiple authenticated or unauthenticated sources (VACLs or static port ACLs)

  • routed IPv4 traffic (RACLs)

  • IP traffic from multiple sources and having a destination on the switch itself

Implementation requires client authentication. Client authentication not a factor.
Identified by the credentials (user name/password pair or the MAC address) of the specific client the ACL is intended to service. Identified by a number in the range of 1-199 or an alphanumeric name.
Supports dynamic assignment to filter only the IP traffic entering the switch from an authenticated client on the port to which the client is connected. (IPv6 traffic can be switched; IPv4 traffic can be routed or switched. For either IP traffic family, includes traffic having a DA on the switch itself.) Supports static assignments to filter:
  • switched IPv6 traffic entering the switch

  • switched or routed IPv4 traffic entering the switch, or routed IPv4 traffic leaving the switch.

When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port. Remains statically assigned to the port or VLAN.

Allows one RADIUS-assigned ACL per authenticated client on a port. (Each such ACL filters traffic from a different, authenticated client.)


[NOTE: ]

NOTE: The switch provides ample resources for supporting RADIUS-assigned ACLs and other features. However, the actual number of ACLs supported depends on the switch current feature configuration and the related resource requirements. For more information, see the appendix titled "Monitoring Resources" in the management and configuration guide for your switch.


Simultaneously supports all of the following static assignments affecting a given port:
  • IPv4 traffic:

    • inbound RACL

    • outbound RACL

    • VACL

    • static port ACL

  • IPv6 traffic:

    • VACL

    • static port ACL

Supports IPv6 ACLs and IPv4 extended ACLs. “IPv6 Access Control Lists (ACLs)” in the IPv6 configuration guide for your switch. Supports IPv6 ACLs and standard, extended, and connection-rate IPv4 ACLs, see Applying connection-rate ACLs.
A given RADIUS-assigned ACL operates on a port to filter only the IP traffic entering the switch from the authenticated client corresponding to that ACL, and does not filter IP traffic inbound from other authenticated clients. (The traffic source is not a configurable setting.)

An RACL applied to inbound traffic on a VLAN filters routed IPv4 traffic entering the switch through a port on that VLAN, as well as any inbound traffic having a DA on the switch itself. An RACL can be applied to outbound IPv4 traffic on a VLAN to filters routed IPv4 traffic leaving the switch through a port on that VLAN (and includes routed IPv4 traffic generated by the switch itself).

A VACL can be applied on a VLAN to filter either IPv4 or IPv6 traffic entering the switch through a port on that VLAN.

A static port ACL can be applied on a port to filters either IPv4 or IPv6 traffic entering the switch through that port.

Requires client authentication by a RADIUS server configured to dynamically assign an ACL to a client on a switch port, based on client credentials. No client authentication requirement.
ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match.

Beginning with software release K.14.01, the show statistics command includes options for displaying the packet match count, see Monitoring static ACL performance.

Also, ACEs allow a log option that generates a log message whenever there is a packet match with a "deny" ACE.


[CAUTION: ]

CAUTION: Regarding the Use of IPv4 Source Routing:

IPv4 source routing is enabled by default on the switch and can be used to override IPv4 ACLs. For this reason, if you are using IPv4 ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes "no ip source-route" in the running-config file listing.)


How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port

A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (user name/password pair or a client MAC address) of the specific client the ACL is intended to service. Where the user name/password pair is the selection criteria, the corresponding ACL can also be used for a group of clients that all require the same ACL policy and use the same user name/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client's credentials to the client's port. The ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL.

  • If the filter rule used for a RADIUS-based ACL is one of the options that specifies only IPv4 traffic, then the ACL implicitly denies any inbound IPv6 traffic from the authenticated client.

  • If the filter rule used for a RADIUS-based ACL is the option for specifying both IPv4 and IPv6 traffic, then the ACL filter both IP traffic types according to the ACEs included in the RADIUS-assigned ACL.

When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.


[NOTE: ]

NOTE:

Implicit Deny

Every RADIUS-assigned ACL ends with an implicit deny inACE for both IPv4 and IPv6 traffic. This implicit ACE denies any IP traffic that is not specifically permitted. To override this default, configure an explicit permit in ip from any to any as the ACL's last explicit ACE.

Multiple clients in a RADIUS-assigned ACL environment

Where multiple clients are authenticated on the same port, if any of the clients has a RADIUS-assigned ACL, then all of the authenticated clients on the port must have a RADIUS-assigned ACL. In this case, the switch drops the IP traffic from any authenticated client that does not have a RADIUS-assigned ACL, and deauthenticates that client.


Multiple clients sharing the same RADIUS-assigned ACL

When multiple clients supported by the same RADIUS server use the same credentials, they are all serviced by different instances of the same ACL. (The actual IP traffic inbound from any client on the switch carries a source MAC address unique to that client. The RADIUS-assigned ACL uses this MAC address to identify the traffic to be filtered.)

Effect of multiple ACL application types on an interface

The switch allows simultaneous use of all supported ACL application types on an interface. Thus, a static ACL assigned to an interface filters authenticated client traffic, regardless of whether a RADIUS-assigned ACL is also filtering the client's traffic. For more information, see Multiple ACLs on an interface.

General ACL features, planning, and configuration

These steps suggest a process for using RADIUS-assigned ACLs to establish access policies for client IP traffic.

  1. Determine the polices you want to enforce for authenticated client traffic inbound on the switch.

  2. Plan ACLs to execute traffic policies:

    • Apply ACLs on a per-client basis where individual clients need different traffic policies or where each client must have a different user name/password pair or will authenticate using MAC authentication.

    • Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same user name/password pair.

  3. Configure the ACLs on a RADIUS server accessible to the intended clients.

  4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme. Options include 802.1X, web-based authentication, or MAC authentication. (Note that the switch supports the option of simultaneously using 802.1X with either web-based or MAC authentication.)

  5. Test client access on the network to ensure that your RADIUS-assigned ACL application is properly enforcing your policies.

For further information common to all IPv4 or IPv6 ACL applications, see the IPv4 configuration guide or IPv6 configuration guide for your switch.

The packet-filtering process

Packet-filtering in an applied ACL is sequential, from the first ACE in the ACL to the implicit deny any any following the last explicit ACE. This operation is the same regardless of whether the ACL is applied dynamically from a RADIUS server or statically in the switch configuration.


[CAUTION: ]

CAUTION: ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.



[NOTE: ]

NOTE: If a RADIUS-assigned ACL permits an authenticated client's inbound IP packet, but the client port is also configured with a static port ACL and belongs to a VLAN for which there is an inbound, VLAN-based ACL configured on the switch, then the packet is also filtered by these other ACLs. If there is a match with a deny ACE in any of these ACLs, the switch drops the packet.


Operating rules for RADIUS-assigned ACLs

  • Relating a client to a RADIUS-assigned ACL

    A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. If the client must authenticate using 802.1X and web-based authentication, the user name/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set. See Configuring an ACL in a RADIUS server.

  • Multiple clients using the same user name/password pair

    Multiple clients using the same user name/password pair uses duplicate instances of the same ACL.

  • Limits for ACEs in RADIUS-assigned ACLs

    The switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related client authentication to fail.

  • Effect of other, statically configured ACLs

    Suppose that port B1 belongs to VLAN "Y" and has a RADIUS-assigned ACL to filter inbound traffic from an authenticated client. Port B1 is also configured with IPv4 and IPv6 static port ACLs, and VLAN "Y" is statically configured with IPv4 and IPv6 VACLs.

    • IP traffic entering the switch on port B1 from the client and having a match with a deny ACE configured in any of the ACLs mentioned above is dropped.

    • If an inbound RACL was also configured on VLAN "Y", then a deny match in the RACL would apply to any inbound, routed IPv4 traffic from the client (and to any inbound, switched traffic having a destination on the switch itself).

    • If an outbound RACL was also configured on VLAN "Y", then any outbound, routed IPv4 traffic leaving the switch through the port B1 would be filtered by the outbound RACL.

Configuring an ACL in a RADIUS server

The following information provides general guidelines for configuring a RADIUS server to specify RADIUS-assigned ACLs. It also provides an example configuration for a FreeRADIUS server application. To configure services on a specific RADIUS server application, see the documentation provided with that application.


[NOTE: ]

NOTE: This application requires a RADIUS server having an IPv4 address. Clients can be dual-stack, IPv4-only or IPv6-only.


A RADIUS-assigned ACL configuration in a RADIUS server includes the following elements:

  • Nas-Filter-Rule attributes — standard and vendor-specific

  • ACL configuration, entered in the server, and associated with specific user name/password or MAC address criteria, and comprised of ACEs entered in the server

A RADIUS-assigned ACL includes:

  • One or more explicit permit and deny ACEs

  • An implicit deny in ip from any to any ACE automatically applied after the last operator-created ACE

Nas-Filter-Rule-Options

Nas-Filter-Rule Attribute Options

Service Control method and operating notes

ACLs Applied to Client Traffic Inbound to the Switch

Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port.

Standard Attribute: 92

Beginning with software release K.14.01, this is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 and IPv6 traffic.

Entry for IPv4-Only ACE To Filter Client Traffic:

Nas-filter-Rule="<permit or deny ACE> "(Standard Attribute 92)

For example:

Nas-filter-Rule=permit in tcp from any to any

Entries for IPv4/IPv6 ACE To Filter Client Traffic:

HP-Nas-Rules-IPv6 <1 2> (VSA, where 1=IPv4 and IPv6 traffic, and 2=IPv4-only traffic.)

c Nas-filter-Rule="<permit or deny ACE> "(Standard Attribute 92)

For example:

HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any"

[NOTE: ]

NOTE: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client is dropped. For details on the IPv6 option, see Nas-Filter-Rule-Options.


Set IP Mode

Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering capability in an ACE.

HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute)

When using the standard attribute (92) described above in a RADIUS-assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client, one instance of this VSA must be included in the ACL. Note that this attribute supports either of the following IP modes for Nas-filter-Rule ACEs:

  • both IPv6 and IPv4 traffic

  • only IPv4 traffic

HP vendor-specific ID: 11

VSA: 63 (string=HP-Nas-Rules-IPv6)

  • IPv6 and IPv4 ACLs: integer = 1(Using this option causes the ACL to filter both IPv4 and IPv6 traffic.)

  • IPv4-only ACLs: integer=2 (Using this option causes the ACL to drop any IPv6 traffic received from the authenticated client.)

Setting: HP-Nas-Rules-IPv6=<1

2> Nas-filter-Rule "<permit or deny ACE> "


[NOTE: ]

NOTE: When the configured integer option is "1", the any keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type (such as Telnet). Thus, if you want the IPv4 and IPv6 versions of the selected traffic type to both go to their respective "any" destinations, then a single ACE is needed for the selected traffic type. For example:

HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any 23"


However, if you do not want both the IPv4 and IPv6 traffic of the selected type to go to their respective "any" destinations, then two ACEs with explicit destination addresses are needed. In this case, do one of the following:

  • Use 0.0.0.0/0 in one ACE to specify the "any" destination for IPv4 traffic, and use a specific IPv6 address for the destination in the other ACE.

  • Use ::/0 in one ACE to specify the "any" destination for IPv6 traffic, and use a specific IPv4 address for the destination in the other ACE.

For example, if you want to allow the IPv4 Telnet traffic from a client to go to any destination, but you want the IPv6 Telnet traffic from the same client to go only to a specific address or group of addresses, you must distinguish the separate destinations. This is done by using explicit addresses for the "any" destinations. For example:

HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"
Nas-filter-Rule="deny in tcp from any to fe80::b1 23"

The above example sends IPv4 Telnet traffic to its "any" destination, but allows IPv6 Telnet traffic only to fe80::b1 23. To reverse this example, you would configure ACEs such as the following:

HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="deny in tcp from any to ::/0 23"

In cases where you do not want the selected traffic type for either IPv4 or IPv6 to go to the "any" destination, you must use two ACEs to specify the destination addresses. For example:

HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="deny in tcp from any to fe80::23 23"

To use the IPv6 VSA while allowing only IPv4 traffic to be filtered, you would use a configuration such as the following:

HP-Nas-Rules-IPv6=2 Nas-filter-Rule="permit in tcp from any to any"

IPv4-only ACLs applied to client traffic inbound to the switch

Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port.

HP-Nas-Filter-rule (Vendor-Specific Attribute): 61

This attribute is maintained for legacy purposes (for configurations predating software release K.14.01) to support ACEs in RADIUS-assigned ACLs capable of filtering only IPv4 traffic. However, for new or updated configurations (and any configurations supporting IPv6 traffic filtering) Hewlett Packard Enterprise recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.

HP vendor-specific ID: 11

VSA: 61 (string=HP-Nas-Filter-Rule

Setting: HP-Nas-filter-Rule="<permit or deny ACE> "


[NOTE: ]

NOTE: An ACL applying this VSA to inbound traffic from an authenticated client drops any IPv6 traffic from the client.


ACE syntax in RADIUS servers

The following information describes ACE syntax configuration options in a RADIUS server.

ACE syntax (standard attribute-92)

Nas-filter-Rule =" <permit | permit> in <ip | ip-protocol-value> from any to <any | host | <ip-addr> | ipv4-addr/mask | IPv6-address/prefix> [ <tcp/udp-port | tcp/udp-port range> ] [cnt]"

IPv6 VSA for standard attribute

[ HP-Nas-Rules-IPv6= | <1 | 2> ]

For an example of how to apply this VSA, see Configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client with correct credentials..

ACE syntax (legacy VSA-61)

Nas-filter-Rule =" <permit | permit> in <ip | ip-protocol-value> from any to <any | host | <ip-addr> | ipv4-addr/mask | IPv6-address/prefix> [ <tcp/udp-port | tcp/udp-port range> ] [cnt"]

This command specifies the standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without the VSA option (below) for filtering inbound IPv6 traffic from the client, drops the IPv6 traffic. See also Nas-Filter-Rule Attribute Options.

[ HP-Nas-Rules-IPv6= | <1 | 2> ]

You use the VSA in an ACL intended to filter IPv6 traffic. Settings include:

  • 1: ACE filters both IPv4 and IPv6 traffic.

  • 2: ACE filters IPv4 traffic and drops IPv6 traffic.

  • VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.

This VSA must be present in an ACL where the Nas-filter-Rule= attribute is intended to filter inbound IPv6 traffic from an authenticated client.

See also Nas-Filter-Rule Attribute Options.

HP-Nas-filter-Rule=

Legacy VSA for filtering inbound IPv4 traffic only from an authenticated client. Drops inbound IPv6 traffic from the client. See also Nas-Filter-Rule Attribute Options.

Must be used to enclose and identify a complete permit or deny ACE syntax statement. For example:

Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"

<permit | deny>

Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For information on explicitly permitting or denying all inbound IP traffic from an authenticated client, or for implicitly denying all such IP traffic not already permitted or denied, see Configuration notes.)

in

Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.

<ip | ip-protocol-value>

Options for specifying the type of traffic to filter.

ip

Applies the ACE to all IP traffic from the authenticated client.

ip-protocol-value

This option applies the ACE to the type of IP traffic specified by either a protocol number or by tcp , udp ,icmp, or (for IPv4-only) igmp. The range of protocol numbers is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing, see "Protocol Registries" on the Web site of the Internet Assigned Numbers Authority at ( www.iana.com). Some examples of protocol numbers include:

1=ICMP 17=UDP

2=IGMP (IPv4 only) 41=IPv6

6=TCP

from any

Required keywords specifying the (authenticated) client source. (Note that a RADIUS-assigned ACL assigned to a port filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment.)

to

Required destination keyword.

any
  • Specifies any IPv4 destination address if one of the following is true:

    • the ACE uses the standard attribute ( Nas-filter-Rule) and the IPv6 VSA ( HP-Nas-Rules-IPv6) is not included the ACL. For example:

      Nas-filter-Rule="permit in tcp from any to any 23"
      Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
      Nas-filter-Rule+="deny in ip from any to any"
    • the ACE uses the standard attribute ( Nas-filter-Rule)and the IPv6 VSA ( HP-Nas-Rules-IPv6) is included in the ACL with an integer setting of 2. For example, all of the following destinations are for IPv4 traffic:

      HP-Nas-Rules-IPv6=2
      Nas-filter-Rule="permit in tcp from any to any 23"
      Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
      Nas-filter-Rule+="deny in ip from any to any"
    • the HP-Nas-Filter-Rule VSA is used instead of either of the above options. For example, all of the following destinations are for IPv4 traffic:

      HP-Nas-filter-Rule="permit in tcp from any to any 23"
      HP-Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
      HP-Nas-filter-Rule+="deny in ip from any to any"
  • Specifies any IPv4 or IPv6 destination address if the ACL uses the HP-Nas-Rules-IPv6 VSA with an integer setting of 1. See Nas-Filter-Rule Attribute Options. For example, the any destinations in the following ACL apply to both IPv4 and IPv6 traffic:

    HP-Nas-Rules-IPv6=1Nas-filter-Rule="permit in tcp from any to any 23"
    Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
    Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120"
    Nas-filter-Rule+="deny in ip from any to any"

host <ipv4-addr>

Specifies a single destination IPv4 address.

<ipv4-addr/<mask>

Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is CIDR notation for the number of leftmost bits in a packet's destination IPv4 address that must match the corresponding bits in the destination IPv4 address listed in the ACE. For example, a destination of 10.100.17.1/24 in the ACE means that a match occurs when an inbound packet (of the designated IPv4 type) from the authenticated client has a destination IPv4 address where the first three octets are 10.100.17. (The fourth octet is a wildcard, and can be any value up to 255.)

host <ipv6-addr>

Specifies a single destination IPv6 address.

Note: Filtering IPv6 traffic requires the Standard Attribute(Nas-Filter-Rule)with the HP-Nas-Rules-IPv6 VSA set to 1. See Nas-Filter-Rule Attribute Options.

<ipv6-addr/<prefix>

Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The <prefix> specifies the number of leftmost bits in a packet's destination IPv6 address that must match the corresponding bits in the destination IPv6 address listed in the ACE. For example, a destination of FE80::1b:127/112 in the ACE means that a match occurs when an inbound packet (of the designated IPv6 type) from the authenticated client has a destination IPv6 address where the first 112 are FE80::1b. (The last 16 bits in the address configured in the ACE form a "wildcard", and can be any value from 0 to FFFF.) Also, see Note, above.

[ tcp/udp-port | tcp/udp-port-range ]

Optional TCP or UDP port specifier. Used when the ACE is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify port numbers as individual values and ranges. For example, the following ACE shows two ways to deny any UDP traffic from an authenticated client that has a DA of any address and a UDP destination port of 135, 137-139, or 445:

deny in udp from any to any 135, 137-139, 445
deny in 17 from any to any 135, 137-139, 445

[ icmp-type | icmpv6-type ]

Optional ICMP type specifier. This can be either a keyword or an ICMP type number. For a listing of numbers and types, see ICMP type numbers and keywords.

[ cnt ]

Optional counter specifier for a RADIUS-assigned ACE. When used, the counter increments each time there is a "match" with the ACE. This option does not require that you configure the switch for RADIUS accounting.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Configuration notes

Explicitly permit IPv4 and IPv6 traffic from an authenticated client

This option for ending a RADIUS-assigned ACL permits all of the client's inbound IPv4 and IPv6 traffic not previously permitted or denied.

Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=1

See Nas-Filter-Rule Attribute Options for information on the above attributes.

Explicitly permit only the IPv4 traffic from an authenticated client

Any of the following three options for ending a RADIUS-assigned ACL explicitly permit all of the client's inbound IPv4 traffic not previously permitted or denied. These options also deny any of the client's IPv6 traffic not previously permitted or denied.

  • Nas-filter-Rule += permit in ip from any to any

(Using this attribute to permit IPv4 traffic from the client while denying any IPv6 traffic from the client assumes that HP-Nas-Rules-IPv6=1does not exist elsewhere in the ACL. See Nas-Filter-Rule Attribute Options for more on HP-Nas-Rules-IPv6.)

  • HP-Nas-Filter-Rule += permit in ip from any to any
  • Nas-filter-Rule += permit in ip from any to any HP-Nas-Rules-IPv6=2

Explicitly denying inbound traffic from an authenticated client

Any of the following three options for ending a RADIUS-assigned ACL explicitly deny all of the client's inbound IPv4 and IPv6 traffic not previously permitted or denied.

  • Nas-filter-Rule += deny in ip from any to any
  • HP-Nas-Filter-Rule += deny in ip from any to any
  • Nas-filter-Rule += deny in ip from any to any HP-Nas-Rules-IPv6=2

Implicitly denying any IP traffic

For any packet being filtered by a RADIUS-assigned ACL, there is always a match. That is, any packet that does not have a match with an explicit permit or deny ACE in the list matches with the implicit deny any any ACE automatically included at the end of the ACL. That is, a RADIUS-assigned ACL includes an implicit deny in ip from any to any ACE at the end of the ACL to deny any IPv4 and IPv6 traffic not previously permitted or denied.

Monitoring shared resources

Currently active, RADIUS-based authentication sessions (including IDM client sessions) using RADIUS-assigned ACLs share internal switch resources with several other features. The switch provides ample resources for all features. However, if the internal resources do become fully subscribed, new RADIUS-based sessions using RADIUS-assigned ACLs cannot be authenticated until the necessary resources are released from other applications.

  • For information on determining the current resource availability and usage, see “Monitoring Resources" in the management and configuration guide for your switch.

  • For a summary of ACL resource limits, see the topics covering scalability in the latest management and configuration guide for your switch.

Event log messages

See the Event Log message reference guide for information about Event Log messages.

Causes of client deauthentication immediately after authenticating

  • ACE formatted incorrectly in the RADIUS server

    • from,any, or to keyword missing.

    • An IPv4 or IPv6 protocol number in the ACE exceeds 255.

    • An optional UDP or TCP port number is invalid, or a UDP/TCP port number is specified when the protocol is neither UDP or TCP.

  • A RADIUS-assigned ACL limit has been exceeded.

    • An ACE in the ACL for a given authenticated client exceeds 80 characters.

    • The TCP/UDP port-range quantity of 14 per slot or port group has been exceeded.

    • The rule limit of 3048 per slot or port group has been exceeded.

  • An IPv6 ACE has been received on a port and either the HP-Nas-Rules-IPv6 attribute is missing or HP-Nas-Rules-IPv6=2 is configured. See Nas-Filter-Rule Attribute Options for more on this attribute.