Viewing
Syntax
mac-based clients [port-list] detail
authenticator clients [port-list] detail
If the switch receives 802.1p priority (CoS) and rate-limit settings from a RADIUS server as the result of a client authentication on a port, the above commands display the assigned values while the client's session is active. When the session ends, the values for that client are no longer displayed.
The priority and inbound (ingress) rate-limit are applied only to the inbound traffic of the client whose authentication triggered the assignment. The outbound (egress) rate-limit applies to all outbound traffic on the port.
web-based [port-list] clients detail
Displays, for a web-authenticated client (web-based authentication), the status of RADIUS-assignment details for that client. See Viewing status of ports enabled for web-based authentication.
mac-based [port-list] clients detail
Displays, for a MAC-authenticated client (MAC-Auth), the status of RADIUS-assignment details for that client.
authenticator [port-list] clients detail
Displays, for an 802.1X-authenticated client, the status of RADIUS-assignment details for that client.
Example
Suppose port 4 has been statically configured from the CLI with the following:
802.1p priority: 7
Inbound rate-limit: 50 percent
Outbound rate-limit: 50 percent
The above, statically configured, per-port priority and inbound rate-limit settings do not apply to any clients who authenticate and receive different inbound priority and rate-limit settings from the RADIUS server. If the RADIUS server also assigns an outbound rate-limit setting, which is applied per-port instead of per-client, then the outbound traffic from the port to all connected clients is rate-limited according to the value set by the server for the most recently authenticated client. Thus, if client "X" authenticates with web-based authentication on port 4 with a RADIUS server that assigns a priority of 3, an inbound rate-limit of 10,000 kbps, and an outbound rate-limit of 50,000 kbps, then:
The inbound traffic from client "X" is subject to a priority of 3 and inbound rate-limit of 10,000 kbps. Traffic from other clients using the port is not affected by these values.
The combined rate-limit outbound for all clients using the port is 50,000 kbps until either all client sessions end, or another client authenticates and receives a different outbound rate-limit.
NOTE: Mixing CLI-configured and RADIUS-assigned rate-limiting on the same port can produce unexpected results. See Per-port bandwidth override.
Where multiple clients are currently authenticated on a given port where outbound (egress) rate-limiting values have been assigned by a RADIUS server, the port operates with the outbound rate-limit assigned by RADIUS for the most recently authenticated client. Any earlier outbound rate-limit values assigned on the same port for other authenticated client sessions that are still active are superseded by the most recent RADIUS-assigned value. For example, if client "X" is authenticated with an outbound rate-limit of 750 kbps, and client "Y" later becomes authenticated with an outbound rate-limit of 500 kbps while the session for client "X" is still active, then the port operates with an outbound rate-limit of 500 kbps for both clients.
While a RADIUS-assigned client session is active on a given port, any RADIUS-imposed values for the settings listed in Application of RADIUS-Assigned Values are applied as shown:
Application of RADIUS-Assigned Values

802.1p Priority (CoS)
  Static per-port setting option: qos priority <0 - 7>
  Application of dynamic RADIUS assignment: Applies per-client; that is, only to the client whose authentication triggered the assignment. (Up to 32 clients supported per port.)

Inbound (Ingress) Rate-Limiting
  Static per-port setting option: rate-limit <all | bcast | icmp | mcast> in <kbps | percent>
  Application of dynamic RADIUS assignment: Applies per-client; that is, only to the client whose authentication triggered the assignment.

Outbound (Egress) Rate-Limiting
  Static per-port setting option: rate-limit <all | bcast | icmp | mcast> out <kbps | percent>
  Application of dynamic RADIUS assignment: Applies per-port; that is, to all clients on the port.[a]

[a] Uses the value assigned to the port by the most recent instance of client authentication.
Show rate-limiting and port priority for ports
Syntax
Configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS
The standard attribute (92), when used in an ACL without the hp-nas-rules-ipv6 VSA, filters IPv4 traffic inbound from the authenticated client (any IPv6 traffic inbound from the client is dropped). The following procedure shows how to configure a RADIUS-assigned IPv4 ACL supported by FreeRADIUS using the standard attribute for two different client identification methods (user name/password and MAC address).
Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file (the attribute carries a string value):
ATTRIBUTE Nas-FILTER-Rule 92 string
Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:
Switch identity information for a freeRADIUS application
For a given client user name/password pair or MAC address, create an ACL by entering one or more ACEs in the FreeRADIUS "users" file. Remember that every ACL created automatically includes an implicit "deny in ip from any to any" ACE.
For example, to create identical ACL support for the following:
Client having a user name of "mobilE011" and a password of "run10kFast"
Client having a MAC address of 08 E9 9C 4F 00 19
The ACL in this example must achieve the following:
Permit http (TCP port 80) traffic from the client to the device at 10.10.10.101
Deny http (TCP port 80) traffic from the client to all other devices
Permit all other traffic from the client to all other devices
NOTE: For information on syntax details for RADIUS-assigned ACLs, see Using HPE VSA 63 to assign IPv6 and IPv4 ACLs.
To configure the above ACL, enter the user name/password and ACE information shown in Configuring the FreeRADIUS server to support ACLs for the indicated clients.
Using HPE VSA 63 to assign IPv6 and IPv4 ACLs
The ACL VSA hp-nas-rules-ipv6=1 is used in conjunction with the standard attribute (nas-filter-rule) for ACL assignments filtering both IPv6 and IPv4 traffic inbound from an authenticated client. For example, to use these attributes to configure a RADIUS-assigned ACL on a FreeRADIUS server that filters both IPv6 and IPv4 traffic, perform these steps:
Enter the following in the FreeRADIUS dictionary.hp file:
The HP vendor-specific ID
The ACL VSA for IPv6 ACLs (63)
The HP-Nas-Rules-IPv6 VALUE setting that specifies both IPv4 and IPv6 (1)
Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:
Switch identity information for a freeRADIUS application
For a given client user name/password pair, create an ACL by entering one or more IPv6 and IPv4 ACEs in the FreeRADIUS "users" file. Remember that the ACL created to filter both IPv4 and IPv6 traffic automatically includes an implicit "deny in ip from any to any" ACE at the end of the ACL, which drops any IPv4 and IPv6 traffic that is not explicitly permitted or denied by the ACL. For example, consider creating ACL support for a client having a user name of "Admin01" and a password of "myAuth9". The ACL in this example must achieve the following:
Permit http (TCP port 80) traffic from the client to the device at FE80::a40.
Deny http (TCP port 80) traffic from the client to all other IPv6 addresses.
Permit http (TCP port 80) traffic from the client to the device at 10.10.10.117.
Deny http (TCP port 80) traffic from the client to all other IPv4 addresses.
Deny Telnet (TCP port 23) traffic from the client to any IPv4 or IPv6 addresses.
Permit all other IPv4 and IPv6 traffic from the client to all other devices.
To configure the above ACL, enter the user name/password and ACE information, as shown in this example:
Configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client with correct credentials.
Using HPE VSA 61 to assign IPv4 ACLs
Software release K.14.01 continues to support the VSA 61 vendor-specific method of earlier releases for enabling RADIUS-based IPv4 ACL assignments on the switch. The recommended use of this option is to support legacy ACL configurations that rely on VSA 61. Beginning with software release K.14.01, Hewlett Packard Enterprise recommends using the standard attribute (92) for new, RADIUS-based IPv4 ACLs (see Nas-Filter-Rule-Options and Configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS).
This example uses the VSA attribute 61 for configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS for two different client identification methods (user name/password and MAC address).
Enter the HP vendor-specific ID and the ACL VSA in the FreeRADIUS dictionary file:
Configuring the VSA for RADIUS-assigned IPv4 ACLs in a FreeRADIUS server
Enter the switch IPv4 address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:
Switch identity information for a freeRADIUS application
For a given client user name/password pair, create an ACL by entering one or more IPv4 ACEs in the FreeRADIUS "users" file. Remember that the ACL created to filter IPv4 traffic automatically includes an implicit "deny in ip from any to any" ACE (for IPv4). For example, consider creating ACL support for a client having a user name of "User-10" and a password of "auth7X". The ACL in this example must achieve the following:
Permit http (TCP port 80) traffic from the client to the device at 10.10.10.117.
Deny http (TCP port 80) traffic from the client to all other IPv4 addresses.
Deny Telnet (TCP port 23) traffic from the client to any IPv4 address.
Permit all other IPv4 traffic from the client to all other devices.
To configure the above ACL, you would enter the user name/password and ACE information shown in Configuring a FreeRADIUS server to filter IPv4 traffic for a client with the correct credentials into the FreeRADIUS "users" file.
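The following Python is an added example, not code from the HPE manual or from FreeRADIUS: it evaluates an inbound client packet against a RADIUS-assigned ACE list with first-match semantics and the implicit "deny in ip from any to any", so the ACLs built in the three procedures above (standard attribute 92, VSA 63, and VSA 61) can be checked against their stated requirements before they are entered in the "users" file. The ACE form "<permit|deny> in <ip|tcp|udp> from any to <dst|any> [port]", the two ACE lists, the ipv6_rules switch (modelling attribute 92 without the hp-nas-rules-ipv6 VSA, where all inbound IPv6 is dropped) and the function names are assumptions constructed for this example.

```python
# Added example (not from the HPE manual or FreeRADIUS): a first-match
# evaluator for RADIUS-assigned ACEs of the assumed form
# "<permit|deny> in <ip|tcp|udp> from any to <dst|any> [port]", ending with
# the implicit "deny in ip from any to any" the switch appends to every ACL.
import ipaddress

IMPLICIT_DENY = "deny in ip from any to any"

# Constructed ACE lists for the two scenarios in the text; these are the
# strings a Nas-Filter-Rule value would carry, not copied from the manual.
ACL_IPV4 = [                                  # attribute 92 alone, or VSA 61
    "permit in tcp from any to 10.10.10.101 80",
    "deny in tcp from any to any 80",
    "permit in ip from any to any",
]
ACL_DUAL = [                                  # attribute 92 + hp-nas-rules-ipv6=1
    "permit in tcp from any to fe80::a40 80",
    "permit in tcp from any to 10.10.10.117 80",
    "deny in tcp from any to any 80",
    "deny in tcp from any to any 23",
    "permit in ip from any to any",
]

def parse_ace(ace):
    """Split one ACE into (action, proto, destination network or None, port or None)."""
    p = ace.split()
    if len(p) < 7 or p[0] not in ("permit", "deny") or p[1] != "in" \
            or p[3:6] != ["from", "any", "to"]:
        raise ValueError(f"unsupported ACE: {ace!r}")
    net = None if p[6] == "any" else ipaddress.ip_network(p[6], strict=False)
    port = int(p[7]) if len(p) > 7 else None
    return p[0], p[2], net, port

def evaluate(aces, dst, proto, port=None, ipv6_rules=False):
    """Verdict for one inbound client packet; ipv6_rules=False models attribute 92
    without the hp-nas-rules-ipv6 VSA (all inbound IPv6 dropped before any ACE)."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip.version == 6 and not ipv6_rules:
        return "deny"
    for ace in list(aces) + [IMPLICIT_DENY]:  # first matching ACE decides
        action, ace_proto, net, ace_port = parse_ace(ace)
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if net is not None and (net.version != dst_ip.version or dst_ip not in net):
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action
```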