RADIUS filter-id

IP traffic filter rules, also known as IP ACLs, provide a user access policy that defines what IP traffic from the user is permitted. IP ACLs can be specified in two ways:

  • By using the filter-id attribute that gives the ID of a pre-defined ACL. A filter-id is an alphabetic-string identifier, or name, corresponding to an IP ACL that is pre-configured on the access-control device.

  • By using the NAS-filter-rule attribute which explicitly defines a set of filter rules.

Filter-id attributes and NAS-Filter-Rule attributes may be intermixed in the RADIUS user entry. Filter-id attributes are expanded as they are read so they are added to the ACL in the correct order.


[NOTE: ]

NOTE: This feature does not modify any existing commands. CLI show commands currently display the applied RADIUS defined ACL rules. ACL rules specified by a filter-id attribute are expanded and displayed as if they were NAS-Filter-Rule entries. The list of rules will be a snapshot of the CLI ACL at the time of authentication. Updates to the ACL are not applied until the client reauthenticates.


A filter-id name may refer to an IPv4 ACL, an IPv6 ACL, or both. ACLs for both families are checked and expanded if found. All other ACL types, including MAC and router ACLs, are ignored when processing filter-id attributes. Any number of filter-id attributes may be specified subject to length limitations of a RADIUS packet. The limit for all platforms is 100 ACEs per client ACL.


[NOTE: ]

NOTE: RADIUS ACL rules do not support source IP or source L4 port qualifiers. If any source IP or source L4 port qualifiers are found in the CLI ACL, the client will fail authentication and an error will be logged.

CLI ACLs include an optional log keyword that captures rule hits for debugging. No logging for ACL rules that are applied via filter-id is available. However, all rules from ACLs have an implicit cnt keyword which allows the administrator to see the hit count for each rule.


RADIUS user entry

NAS-Filter-Rule += "permit in 10 from any to any cnt",
Filter-ID += "104",
NAS-Filter-Rule += "permit in 30 from any to any cnt",
Filter-ID += "106",
NAS-Filter-Rule += "permit in 55 from any to any cnt",
Filter-ID += "146",
NAS-Filter-Rule += "permit in 70 from any to any cnt",

Forcing reauthentication

Syntax

aaa port-access authenticator|mac-based|web-based port-list reauthenticate

A manager may force a reauthentication by using this command.


[NOTE: ]

NOTE: RADIUS Filter-Rule entries are only allowed to contain IPv6 addresses if the hp-nas-rules-ipv6 attribute is set. This does not apply to filter-id ACLs. If there is an IPv6 ACL of the name given, it will be applied even if hp-nas-rules-ipv6 is not set.


show access-list radius

Syntax

show running config

Examples of system configuration for show running config

ip access-list extended "104"
10 permit 20 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
exit
ip access-list extended "146"
10 permit 64 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ipv6 access-list "106"
10 permit 40 ::/0 ::/0 log
exit
ipv6 access-list "146"
10 permit 66 ::/0 ::/0
exit

Show access-list (NAS rule) and (filter-id)


[NOTE: ]

NOTE: There is a legacy attribute named hp-nas-filter-rule that was in use before the nas-filter-rule was standardized in RFC 4849. Switches still support the hp-nas-filter-rule for backwards compatibility, but this rule should not be mixed with the newer nas-filter-rule or filter-id attributes. With mixed ACEs will not be applied in the order listed, which may block traffic that should be permitted or may permit traffic that should be blocked. No error message is produced to inform the user that mixing current and legacy attributes will lead to unexpected results.


Syntax

show access-list radius

Show access-list radius (NAS rule)

Radius‐configured Port‐based ACL for
Port 1/1, Client ‐‐ 24BE05‐76DA40

IPv6 ACLs enabled (HP‐Nas‐Rules‐Ipv6): FALSE
permit in 10 from any to any cnt
Packet Hit Counter 0
permit in 20 from any to 0.0.0.0 255.255.255.255 cnt
(IP ACL 104, rule 10)
Packet Hit Counter 0
permit in 30 from any to any cnt
Packet Hit Counter 0
permit in 40 from any to ::/0 cnt
(IPv6 ACL 106, rule 10)
Packet Hit Counter 0
permit in 55 from any to any cnt
Packet Hit Counter 0
permit in 64 from any to 0.0.0.0 255.255.255.255 cnt
(IP ACL 146, rule 10)
Packet Hit Counter 0
permit in 66 from any to ::/0 cnt
(IPv6 ACL 146, rule 10)
Packet Hit Counter 0
permit in 70 from any to any cnt
Packet Hit Counter 0

[NOTE: ]

NOTE: The output will show IPv6 rules with a prefix of IPv6 and show IPv4 rules with a prefix of IP.


Log messages

Event

Message

dca_filter_id_match_not_found –

This event is logged when the ACL name given in a filter-id attribute does not match any existing ‘ip’ or ‘ipv6’ access-list.

Authentication failed for client <mac> on port <port>: unknown ACL name in attribute filter-id.

rmon_dca_acl_has_source_qualifier –

This event is logged when the ACL given in a filter-id attribute contains an ACE that has a source IP address or source tcp/udp port qualifier.

Authentication failed for client <mac> on port <port>: the ACL specified by the filter-id attribute contains a source address or application port qualifier.

Event message

W 10/20/14 15:26:17 03214 dca: Authentication failed for client 0025618D7920 on 
port 1: unknown ACL name in attribute filter-id.

W 10/20/14 15:26:17 03215 dca: Authentication failed for client 0025618D7920 on
port 1: the ACL specified by the filter-id attribute contains a source address or 
application port qualifier.