Viewing

Show active per-port CoS and rate-limiting configuration

Syntax

show port-access web-based clients [port-list] detail
show port-access mac-based clients [port-list] detail
show port-access authenticator clients [port-list] detail

If the switch receives 802.1p priority (CoS) and rate-limit settings from a RADIUS server as the result of a client authentication on a port, the above commands display the assigned values while the client's session is active. When the session ends, the values for that client are no longer displayed.

The priority and inbound (ingress) rate-limit are applied only to the inbound traffic of the client whose authentication triggered the assignment. The outbound (egress) rate-limit applies to all outbound traffic on the port.

web-based [port-list] clients detail

Displays, for a Web authenticated client (web-based authentication), the status of RADIUS-assignment details for that client. See Viewing status of ports enabled for web-based authentication.

mac-based [port-list] clients detail

Displays, for a MAC-authenticated client (MAC-Auth), the status of RADIUS-assignment details for that client.

authenticator [port-list] clients detail

Displays, for an 802.1X-authenticated client, the status of RADIUS-assignment details for that client.

Example

Suppose port 4 has been statically configured from the CLI with the following:

  • 802.1p priority: 7

  • Inbound rate-limit: 50 percent

  • Outbound rate-limit: 50 percent

The above, statically configured, per-port priority and inbound rate-limit settings do not apply to any clients who authenticate and receive different inbound priority and rate-limit settings from the RADIUS server. If the RADIUS server also assigns an outbound rate-limit setting, which is applied per-port instead of per-client, then the outbound traffic from the port to all connected clients is rate-limited according to the value set by the server for the most recently authenticated client. Thus, if client "X" authenticates with web-based authentication on port 4 with a RADIUS server that assigns a priority of 3, an inbound rate-limit of 10,000 kbps, and an outbound rate-limit of 50,000 kbps, then:

  • The inbound traffic from client "X" is subject to a priority of 3 and inbound rate-limit of 10,000 kbps. Traffic from other clients using the port is not affected by these values.

  • The combined rate-limit outbound for all clients using the port is 50,000 kbps until either all client sessions end, or another client authenticates and receives a different outbound rate-limit.

NOTE: Mixing CLI-configured and RADIUS-assigned rate-limiting on the same port can produce unexpected results. See Per-port bandwidth override.

Where multiple clients are currently authenticated on a given port where outbound (egress) rate-limiting values have been assigned by a RADIUS server, the port operates with the outbound rate-limit assigned by RADIUS for the most recently authenticated client. Any earlier outbound rate-limit values assigned on the same port for other authenticated client sessions that are still active are superseded by the most recent RADIUS-assigned value. For example, if client "X" is authenticated with an outbound rate-limit of 750 kbps, and client "Y" later becomes authenticated with an outbound rate-limit of 500 kbps while the session for client "X" is still active, then the port operates with an outbound rate-limit of 500 kbps for both clients.
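The per-client versus per-port rules above, including the way a later client's outbound value supersedes an earlier one until every session on the port has ended, can be modelled in a few lines. This is an added illustration, not switch code; the class, its method names and the choice of kbps for every value are assumptions, and the 32-client limit comes from the table that follows.

```python
from typing import Dict, Optional, Tuple

class PortRadiusState:
    """Model of one switch port: static CLI settings plus the RADIUS-assigned
    values of active client sessions, applied by the rules described above."""

    def __init__(self, priority: int, inbound_kbps: int, outbound_kbps: int):
        self.static = (priority, inbound_kbps, outbound_kbps)
        self.sessions: Dict[str, Tuple[int, int]] = {}  # client -> (priority, inbound)
        self.port_outbound: Optional[int] = None        # latest RADIUS outbound value

    def authenticate(self, client: str, priority: int, inbound_kbps: int,
                     outbound_kbps: Optional[int] = None) -> None:
        """Priority and inbound limit apply only to this client; an outbound limit
        is per-port and supersedes whatever an earlier client's session assigned."""
        if len(self.sessions) >= 32 and client not in self.sessions:
            raise RuntimeError("up to 32 authenticated clients supported per port")
        self.sessions[client] = (priority, inbound_kbps)
        if outbound_kbps is not None:
            self.port_outbound = outbound_kbps

    def end_session(self, client: str) -> None:
        """Per-client values vanish with the session; the RADIUS outbound value
        stays in force until all client sessions on the port have ended."""
        self.sessions.pop(client, None)
        if not self.sessions:
            self.port_outbound = None

    def effective(self, client: str) -> Tuple[int, int, int]:
        """(priority, inbound kbps, outbound kbps) seen by a given client's traffic."""
        priority, inbound = self.sessions.get(client, self.static[:2])
        outbound = self.port_outbound if self.port_outbound is not None else self.static[2]
        return priority, inbound, outbound

if __name__ == "__main__":
    # Walk-through of the client "X" / client "Y" sequence described above
    # (constructed values; static settings taken from the table that follows).
    port = PortRadiusState(priority=7, inbound_kbps=100_000, outbound_kbps=100_000)
    port.authenticate("X", priority=3, inbound_kbps=10_000, outbound_kbps=750)
    port.authenticate("Y", priority=5, inbound_kbps=20_000, outbound_kbps=500)
    for c in ("X", "Y", "other client on the port"):
        print(c, "->", port.effective(c))
```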


While a RADIUS-assigned client session is active on a given port, any RADIUS-imposed values for the settings listed in Application of RADIUS-Assigned Values are applied as shown:

Application of RADIUS-Assigned Values

Dynamic RADIUS assignment option: 802.1p Priority (CoS)
  Static per-port setting option: qos priority <0 - 7>
  Application of dynamic RADIUS assignment: Applies per-client; that is, only to the client whose authentication triggered the assignment. (Up to 32 clients supported per-port.)

Dynamic RADIUS assignment option: Inbound (Ingress) Rate-Limiting
  Static per-port setting option: rate-limit <all | bcast | icmp | mcast> in <kbps | percent>
  Application of dynamic RADIUS assignment: Applies per-client (same as 802.1p priority).

Dynamic RADIUS assignment option: Outbound (Egress) Rate-Limiting
  Static per-port setting option: rate-limit <all | bcast | icmp | mcast> out <kbps | percent>
  Application of dynamic RADIUS assignment: Applies per-port; that is, to all clients on the port.[a]

[a] Uses the value assigned to the port by the most recent instance of client authentication.

Results of client authentication on port 4

Assignment method on port 10                     802.1p   Inbound rate-limit   Outbound rate-limit
Statically configured values                     7        100,000 kbps         100,000 kbps[a]
RADIUS-assigned when client "X" authenticates    3        10,000 kbps          50,000 kbps[a]

[a] Combined rate-limit output for all clients active on the port.

Show rate-limiting and port priority for ports

Syntax

show rate-limit all [port-list]
show qos port-priority

These commands show the CLI-configured rate-limiting and port priority for the selected ports. They also include indications of RADIUS-assigned rate-limiting and client traffic priority settings for any clients that may be authenticated on the same ports.

Displaying rate-limiting for multiple ports (CLI and RADIUS)

Displaying priority for multiple ports (CLI and RADIUS)

Configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS

The standard attribute (92), when used in an ACL without the hp-nas-rules-ipv6 VSA, filters IPv4 traffic inbound from the authenticated client (any IPv6 traffic inbound from the client is dropped). The following procedure shows how to configure a RADIUS-assigned IPv4 ACL supported by FreeRADIUS, using the standard attribute, for two different client identification methods (user name/password and MAC address).

  1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file. FreeRADIUS dictionary entries require a data type; NAS-Filter-Rule is a string attribute:

     ATTRIBUTE NAS-Filter-Rule 92 string
  2. Enter the switch IP address, NAS (Network Access Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:

    Switch identity information for a freeRADIUS application

  3. For a given client user name/password pair or MAC address, create an ACL by entering one or more ACEs in the FreeRADIUS "users" file. Remember that every ACL created automatically includes an implicit deny in ip from any to any ACE.

    For example, to create identical ACL support for the following:

    • Client having a user name of "mobilE011" and a password of "run10kFast"

    • Client having a MAC address of 08 E9 9C 4F 00 19

    The ACL in this example must achieve the following:

    • Permit http (TCP port 80) traffic from the client to the device at 10.10.10.101

    • Deny http (TCP port 80) traffic from the client to all other devices

    • Permit all other traffic from the client to all other devices

    NOTE: For information on syntax details for RADIUS-assigned ACLs, see Using HPE VSA 63 to assign IPv6 and IPv4 ACLs.


    To configure the above ACL, enter the user name/password and ACE information shown in Configuring the FreeRADIUS server to support ACLs for the indicated clients.

Configuring the FreeRADIUS server to support ACLs for the indicated clients

Using HPE VSA 63 to assign IPv6 and IPv4 ACLs

The ACL VSA hp-nas-rules-ipv6=1 is used in conjunction with the standard attribute (nas-filter-rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an authenticated client. For example, to use these attributes to configure a RADIUS-assigned ACL on a FreeRADIUS server that filters both IPv6 and IPv4 traffic, perform these steps:

  1. Enter the following in the FreeRADIUS dictionary.hp file:

    • HP vendor-specific ID

    • ACL VSA for IPv6 ACLs (63)

    • HP-Nas-Rules-IPv6 VALUE setting to specify both IPv4 and IPv6 (1)

    Configuring the VSA for RADIUS-assigned IPv6 and IPv4 ACLs in a FreeRADIUS server

  2. Enter the switch IPv4 address, NAS (Network Access Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:

    Switch identity information for a freeRADIUS application

  3. For a given client user name/password pair, create an ACL by entering one or more IPv6 and IPv4 ACEs in the FreeRADIUS "users" file. Remember that the ACL created to filter both IPv4 and IPv6 traffic automatically includes an implicit deny in ip from any to any ACE at the end of the ACL, in order to drop any IPv4 and IPv6 traffic that is not explicitly permitted or denied by the ACL. For example, suppose you want to create ACL support for a client having a user name of "Admin01" and a password of "myAuth9". The ACL in this example must achieve the following:

    • Permit http (TCP port 80) traffic from the client to the device at FE80::a40.

    • Deny http (TCP port 80) traffic from the client to all other IPv6 addresses.

    • Permit http (TCP port 80) traffic from the client to the device at 10.10.10.117.

    • Deny http (TCP port 80) traffic from the client to all other IPv4 addresses.

    • Deny Telnet (TCP port 23) traffic from the client to any IPv4 or IPv6 addresses.

    • Permit all other IPv4 and IPv6 traffic from the client to all other devices.

    To configure the above ACL, enter the user name/password and ACE information, as shown in this example:

    Configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client with correct credentials.
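The two FreeRADIUS procedures above (the IPv4-only ACL carried in attribute 92, and the IPv6-plus-IPv4 ACL that adds HP-Nas-Rules-IPv6 = 1) both hinge on ACE ordering and on the implicit deny at the end of every ACL. The following is an added example, not code from the page or from HPE or FreeRADIUS: it renders a "users" stanza for the "Admin01" client and evaluates traffic against the ACL. The ACE form `permit|deny in <ip|tcp|udp|icmp> from any to <address|any> [port]`, the "users" file layout, and first-match-wins evaluation are assumptions (the page defers syntax details to another section); the ACEs listed are constructed from the "Admin01" requirements above.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise tcp/udp/icmp
    dst: Optional[object]  # ipaddress object, or None for "any"
    port: Optional[int]    # destination port, or None for any port

def parse_ace(text: str) -> Ace:
    """Parse '<permit|deny> in <ip|tcp|udp|icmp> from any to <address|any> [port]' (assumed form)."""
    p = text.lower().split()
    if len(p) not in (7, 8) or p[0] not in ("permit", "deny") or p[1] != "in" \
            or p[3:6] != ["from", "any", "to"]:
        raise ValueError(f"unsupported ACE: {text!r}")
    port = int(p[7]) if len(p) == 8 else None
    if port is not None and p[2] not in ("tcp", "udp"):
        raise ValueError("a port is only meaningful for tcp or udp")
    return Ace(p[0], p[2], None if p[6] == "any" else ipaddress.ip_address(p[6]), port)

def evaluate(acl: List[Ace], proto: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE decides; anything unmatched hits the implicit
    'deny in ip from any to any' that the switch appends to every ACL."""
    target = ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and ace.dst in (None, target) \
                and ace.port in (None, dport):
            return ace.action
    return "deny"

def users_entry(name: str, password: str, aces: List[str], ipv6: bool = False) -> str:
    """Render the FreeRADIUS 'users' stanza: Nas-Filter-Rule (attribute 92) carries
    the ACEs; HP-Nas-Rules-IPv6 = 1 (VSA 63) makes the switch filter IPv6 as well."""
    reply = ["HP-Nas-Rules-IPv6 = 1"] if ipv6 else []
    reply += [f'Nas-Filter-Rule {"=" if i == 0 else "+="} "{a}"' for i, a in enumerate(aces)]
    body = [f"\t{r}," for r in reply[:-1]] + [f"\t{reply[-1]}"]
    return "\n".join([f'{name} Cleartext-Password := "{password}"'] + body)

# Constructed ACL for the "Admin01" client described above. Both port-80 permits
# must come before the port-80 deny, because the first matching ACE wins.
ADMIN01_ACES = [
    "permit in tcp from any to FE80::a40 80",
    "permit in tcp from any to 10.10.10.117 80",
    "deny in tcp from any to any 80",
    "deny in tcp from any to any 23",
    "permit in ip from any to any",
]
ADMIN01_ACL = [parse_ace(a) for a in ADMIN01_ACES]
```

Calling `users_entry("Admin01", "myAuth9", ADMIN01_ACES, ipv6=True)` prints the stanza; with `ipv6=False` the same helper produces the attribute-92-only form used in the IPv4 procedure.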

Using HPE VSA 61 to assign IPv4 ACLs

Software release K.14.01 continues to support the VSA 61 vendor-specific method of earlier releases for enabling RADIUS-based IPv4 ACL assignments on the switch. The recommended use of this option is to support legacy ACL configurations that rely on VSA 61. Beginning with software release K.14.01, Hewlett Packard Enterprise recommends using the standard attribute (92) for new RADIUS-based IPv4 ACLs; see Nas-Filter-Rule-Options and Configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS.

This example uses the VSA attribute 61 for configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS for two different client identification methods (user name/password and MAC address).

  1. Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file:

    Configuring the VSA for RADIUS-assigned IPv4 ACLs in a FreeRADIUS server

  2. Enter the switch IPv4 address, NAS (Network Access Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:

    Switch identity information for a freeRADIUS application

  3. For a given client user name/password pair, create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS "users" file. Remember that the ACL created to filter IPv4 traffic automatically includes an implicit deny in ip from any to any ACE (for IPv4). For example, suppose you want to create ACL support for a client having a user name of "User-10" and a password of "auth7X". The ACL in this example must achieve the following:

    • Permit http (TCP port 80) traffic from the client to the device at 10.10.10.117.

    • Deny http (TCP port 80) traffic from the client to all other IPv4 addresses.

    • Deny Telnet (TCP port 23) traffic from the client to any IPv4 address.

    • Permit all other IPv4 traffic from the client to all other devices.

    To configure the above ACL, you would enter the user name/password and ACE information shown in Configuring a FreeRADIUS server to filter IPv4 traffic for a client with the correct credentials into the FreeRADIUS "users" file.

    Configuring a FreeRADIUS server to filter IPv4 traffic for a client with the correct credentials