Configuring RADIUS-assigned ACLs

Procedure to support RADIUS-assigned ACLs

An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support. When a client authenticates with credentials associated with a particular ACL, the switch applies that ACL to the switch port the client is using. To enable the switch to forward a client's credentials to the RADIUS server, you must first configure RADIUS operation and an authentication method on the switch.

  1. Configure RADIUS operation on the switch:

    Syntax

    radius-server host <ipv4-address> key <key-string>

    This command configures the IPv4 address of a RADIUS server and the shared secret (key) used with it. The key must match the secret configured for this switch on the RADIUS server: it is what authenticates RADIUS packets in both directions, including the Access-Accept that carries a client's ACL, so use a strong secret that is unique to this switch. The server should be reachable from the switch and configured to support authentication requests from clients using the switch to access the network.

  2. Configure RADIUS network accounting on the switch (optional).

    aaa accounting network <start-stop | stop-only> radius

    Independently of accounting, you can view ACL counter hits on the switch itself using either of the following commands:

    show access-list radius <port-list>

    show port-access <authenticator | mac-based | web-based> <port-list> clients detailed


    NOTE: See the documentation provided with your RADIUS server for information on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch.


  3. Configure an authentication method. Options include 802.1X, web-based authentication, and MAC authentication. You can configure 802.1X, web-based authentication, and MAC authentication to operate simultaneously on the same ports.

    802.1X Option:

    Syntax

    aaa port-access authenticator <port-list>

    aaa authentication port-access chap-radius

    aaa port-access authenticator active

    These commands configure 802.1X port-based access control on the switch, select RADIUS (CHAP) as the authentication method for port access, and activate the feature on the specified ports. For more on 802.1X configuration and operation, see User authentication methods.

    MAC Authentication Option:

    Syntax

    aaa port-access mac-based <port-list>

    This command configures MAC authentication on the switch and activates this feature on the specified ports. For more on MAC authentication, see Web-based and MAC authentication.

    Web Authentication Option:

    Syntax

    aaa port-access web-based <port-list>

    This command configures web-based authentication on the switch and activates this feature on the specified ports. For more on web-based authentication, see Web-based and MAC authentication.
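The three steps above configure the switch side. The server side of the exchange is a RADIUS Access-Accept whose NAS-Filter-Rule attributes (RFC 4849, attribute type 92) carry the ACEs; the switch authenticates that reply with the shared secret from step 1 before it applies the ACL to the client's port. The following Python is an added example, not code from this page or from the switch vendor: it builds such an Access-Accept the way a RADIUS server would, computes the Response Authenticator from the shared secret, and then authenticates the reply and extracts the rules the way the NAS must before trusting them. The identifier, Request Authenticator, shared secret and the two ACE strings are constructed sample values; the ACE grammar itself is the one documented under ACE syntax in RADIUS servers.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_NAS_FILTER_RULE = 92      # RFC 4849 NAS-Filter-Rule
MAX_ATTR_VALUE_LEN = 253       # RADIUS Length is one byte and counts Type+Length+Value


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > MAX_ATTR_VALUE_LEN:
        raise ValueError(f"attribute {attr_type} value is {len(value)} bytes; max is {MAX_ATTR_VALUE_LEN}")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, rules: list[str]) -> bytes:
    """Server side: Access-Accept with one NAS-Filter-Rule attribute per ACE.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    per RFC 2865 section 3. The switch recomputes it with its own copy of the
    shared secret, which is what binds the assigned ACL to the configured server.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = b"".join(encode_attr(ATTR_NAS_FILTER_RULE, r.encode("ascii")) for r in rules)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def extract_rules(packet: bytes, request_authenticator: bytes, secret: bytes) -> list[str]:
    """NAS (switch) side: authenticate the reply, then pull out the ACEs.

    Raises ValueError on anything a switch must refuse to build an ACL from:
    wrong code, inconsistent lengths, or a Response Authenticator that fails.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    rules = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("attribute length out of range")
        if attr_type == ATTR_NAS_FILTER_RULE:
            rules.append(attrs[pos + 2:pos + attr_len].decode("ascii"))
        pos += attr_len
    return rules


# Constructed sample values (not from the page): a fake Request Authenticator,
# a shared secret, and two ACEs written in the switch's RADIUS ACE form.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_RULES = [
    "permit in tcp from any to any 80",
    "deny in ip from any to any cnt",   # cnt: hits are counted and shown by show access-list radius
]


def demo() -> list[str]:
    """Round trip: the server builds the reply, the switch authenticates it and reads the ACL."""
    reply = build_access_accept(0x2A, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, SAMPLE_RULES)
    return extract_rules(reply, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)


if __name__ == "__main__":
    for ace in demo():
        print(ace)
```

Two points the round trip makes concrete: a reply built with a different secret, or altered in transit, fails the Response Authenticator check and yields no ACL (the client then shows No Radius ACL List, which is worth remembering when troubleshooting the note under show access-list radius), and each ACE must fit in a single 253-byte attribute value, so long rule sets are sent as several NAS-Filter-Rule attributes rather than one.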

Show RADIUS-assigned ACL activity

Syntax

show access-list radius <port-list>

The output data indicates the current ACL activity imposed per-port by RADIUS server responses to client authentication.

For the specified ports, this command lists:

  • Whether the ACL for the indicated client is configured to filter IPv4 traffic only, or both IPv4 and IPv6 traffic. See Nas-Filter-Rule Attribute Options for more on this topic.

  • The explicit ACEs, switch port, and client MAC address for each ACL dynamically assigned by a RADIUS server as a response to client authentication.

If cnt (counter) is included in an ACE, the output also includes the number of inbound packet matches the switch has detected for that ACE in the current session. See ACE syntax in RADIUS servers.

Note: If there are no ACLs currently assigned to any port in <port-list>, executing this command returns only the system prompt. If a client authenticates but the server does not return a RADIUS-assigned ACL to the client port, then the server does not have a valid ACL configured and assigned to that client's authentication credentials.

Example

The following output shows that a RADIUS server has assigned an ACL to port B1 to filter inbound traffic from an authenticated client identified by a MAC address of 00-17-A4-E6-D7-87.

A RADIUS-assigned ACL application to a currently active client session

Syntax

show port-access <web-based | mac-based | authenticator> clients <port-list> detailed

For ports in <port-list> configured for authentication, this command shows the details of the RADIUS-assigned features listed below that are active as the result of a client authentication. (Ports in <port-list> that are not configured for authentication are not listed.)

Client Base Details

Port

Port number of port configured for authentication.

Session Status

Indicates whether there is an authenticated client session active on the port. Options include authenticated and unauthenticated.

Username

During an authenticated session, shows the user name of the authenticated client. If the client is not authenticated, this field is empty.

IP

Shows the authenticated client's IP address, if available. Requires DHCP snooping enabled on the switch. When "n/a" appears in the field, the switch has not been able to acquire the client's IP address. Note: Where the client IP address is available to the switch, it can take a minute or longer for the switch to learn the address. For more on this topic, see Configuring RADIUS accounting.

Session Time (sec)

For an unauthenticated session, indicates the elapsed time in seconds since the client was detected on the port. For an authenticated session, this indicates the elapsed time in seconds since the client was authenticated on the port.

MAC Address

During an authenticated session, shows the MAC address of the authenticated client.

Access Policy Details

COS Map

Indicates the 802.1p priority assigned by the RADIUS server for traffic inbound on the port from an authenticated client. The field shows an eight-digit value where all digits show the same, assigned 802.1p number. For example, if the assigned 802.1p value is 5, then this field shows 55555555. If an 802.1p priority has not been assigned by the RADIUS server, this field shows Not Defined.

Untagged VLAN

VLAN ID (VID) of the untagged VLAN currently supporting the authenticated connection.

Tagged VLANs

VLAN IDs (VIDs) of any tagged VLANs currently supporting the authenticated connection.

RADIUS ACL List

Lists the explicit ACEs in the ACL assigned to the port for the authenticated client, including the ACE "Hit Count" (matches) for ACEs configured with the cnt option (see ACE syntax in RADIUS servers). If no RADIUS ACL for the authenticated client is assigned to the port, No Radius ACL List appears in this field.

In Limit Kbps

Indicates the ingress rate-limit assigned by the RADIUS server to the port for traffic inbound from the authenticated client. If there is no ingress rate-limit assigned, then Not Set appears in this field.

Out Limit Kbps

Indicates the egress rate-limit assigned by the RADIUS server to the port for traffic outbound to the authenticated client. If there is no egress rate-limit assigned, then Not Set appears in this field.

Output showing current RADIUS-applied features

ICMP type numbers and keywords

IPv4 ICMP

  #    Keyword
  0    echo reply
  3    destination unreachable
  4    source quench
  5    redirect
  8    echo request
  9    router advertisement
  10   router solicitation
  11   time-to-live exceeded
  12   IP header bad
  13   timestamp request
  14   timestamp reply
  15   information request
  16   information reply
  17   address mask request
  18   address mask reply

IPv6 ICMP

  #    Keyword
  1    destination unreachable
  2    packet too big
  3    time exceeded
  4    parameter problem
  128  echo request
  129  echo reply
  130  multicast listener query
  131  multicast listener reply
  132  multicast listener done
  133  router solicitation
  134  router advertisement
  135  neighbor solicitation
  136  neighbor advertisement
  137  redirect message
  138  router renumbering
  139  icmp node information query
  140  icmp node information response
  141  inverse neighbor discovery solicitation message
  142  inverse neighbor discovery advertisement message
  143  version 2 multicast listener report
  144  home agent address discovery request message
  145  home agent address discovery reply message
  146  mobile prefix solicitation
  147  mobile prefix advertisement
  148  certification path solicitation message
  149  certification path advertisement message
  151  multicast router advertisement
  152  multicast router solicitation
  153  multicast router termination