RADIUS filter-id
IP traffic filter rules, also known as IP ACLs, provide a user access policy that defines what IP traffic from the user is permitted. IP ACLs can be specified in two ways:
By using the filter-id attribute that gives the ID of a pre-defined ACL. A filter-id is an alphabetic-string identifier, or name, corresponding to an IP ACL that is pre-configured on the access-control device.
By using the NAS-filter-rule attribute which explicitly defines a set of filter rules.
Filter-id attributes and NAS-Filter-Rule attributes may be intermixed in the RADIUS user entry. Filter-id attributes are expanded as they are read so they are added to the ACL in the correct order.
NOTE: This feature does not modify any existing commands.
CLI
A filter-id name may refer to an IPv4 ACL, an IPv6 ACL, or both. ACLs for both families are checked and expanded if found. All other ACL types, including MAC and router ACLs, are ignored when processing filter-id attributes. Any number of filter-id attributes may be specified subject to length limitations of a RADIUS packet. The limit for all platforms is 100 ACEs per client ACL.
NOTE: RADIUS ACL rules do not support source IP or source L4 port qualifiers. If any source IP or source L4 port qualifiers are found in the CLI ACL, the client will fail authentication and an error will be logged. CLI ACLs include an optional
RADIUS user entry
NAS-Filter-Rule += "permit in 10 from any to any cnt",
Filter-ID += "104",
NAS-Filter-Rule += "permit in 30 from any to any cnt",
Filter-ID += "106",
NAS-Filter-Rule += "permit in 55 from any to any cnt",
Filter-ID += "146",
NAS-Filter-Rule += "permit in 70 from any to any cnt",
Forcing reauthentication
Syntax
A manager may force a reauthentication by using this command.
NOTE: RADIUS Filter-Rule entries are only allowed to contain IPv6 addresses if the
show access-list radius
Syntax
Examples of system configuration for show running
config
ip access-list extended "104"
   10 permit 20 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
   exit
ip access-list extended "146"
   10 permit 64 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
ipv6 access-list "106"
   10 permit 40 ::/0 ::/0 log
   exit
ipv6 access-list "146"
   10 permit 66 ::/0 ::/0
   exit
Show access-list (NAS rule) and (filter-id)
NOTE: There is a legacy attribute named
Syntax
show access-list radius
Show access-list radius (NAS rule)
Radius-configured Port-based ACL for Port 1/1, Client -- 24BE05-76DA40
IPv6 ACLs enabled (HP-Nas-Rules-Ipv6): FALSE
permit in 10 from any to any cnt
Packet Hit Counter 0
permit in 20 from any to 0.0.0.0 255.255.255.255 cnt (IP ACL 104, rule 10)
Packet Hit Counter 0
permit in 30 from any to any cnt
Packet Hit Counter 0
permit in 40 from any to ::/0 cnt (IPv6 ACL 106, rule 10)
Packet Hit Counter 0
permit in 55 from any to any cnt
Packet Hit Counter 0
permit in 64 from any to 0.0.0.0 255.255.255.255 cnt (IP ACL 146, rule 10)
Packet Hit Counter 0
permit in 66 from any to ::/0 cnt (IPv6 ACL 146, rule 10)
Packet Hit Counter 0
permit in 70 from any to any cnt
Packet Hit Counter 0
NOTE: The output will show IPv6 rules with a prefix of IPv6 and show IPv4 rules with a prefix of IP.
Log messages
Event | Message
---|---
dca_filter_id_match_not_found – This event is logged when the ACL name given in a filter-id attribute does not match any existing 'ip' or 'ipv6' access-list. | Authentication failed for client <mac> on port <port>: unknown ACL name in attribute filter-id.
rmon_dca_acl_has_source_qualifier – This event is logged when the ACL given in a filter-id attribute contains an ACE that has a source IP address or source tcp/udp port qualifier. | Authentication failed for client <mac> on port <port>: the ACL specified by the filter-id attribute contains a source address or application port qualifier.
Event message
W 10/20/14 15:26:17 03214 dca: Authentication failed for client 0025618D7920 on port 1: unknown ACL name in attribute filter-id.
W 10/20/14 15:26:17 03215 dca: Authentication failed for client 0025618D7920 on port 1: the ACL specified by the filter-id attribute contains a source address or application port qualifier.
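The expansion rules above (filter-id attributes expanded in order, both the IPv4 and IPv6 ACL of that name checked, source qualifiers rejected, 100-ACE cap) and the resulting client ACL and event messages, worked through as an added illustrative model; this is not switch firmware, and the ACL store, the "srcq" ACL and the attribute list are constructed to mirror the manual's samples:

```python
# Illustrative model of RADIUS filter-id expansion (added example, not switch firmware).
# ACLs and attributes are constructed to mirror the manual's samples; the checks follow
# the stated rules: expand in order, check both IPv4 and IPv6 ACLs, reject source
# qualifiers, cap the client ACL at 100 ACEs.
MAX_CLIENT_ACES = 100
WILDCARD_SRC = {"any", "0.0.0.0 255.255.255.255", "::/0"}   # "from any" forms

# Device ACL store: (family, name) -> ACEs as (seq, action, proto, src, dst, src_port)
DEVICE_ACLS = {
    ("ip", "104"): [(10, "permit", 20, "0.0.0.0 255.255.255.255", "0.0.0.0 255.255.255.255", None)],
    ("ipv6", "106"): [(10, "permit", 40, "::/0", "::/0", None)],
    ("ip", "146"): [(10, "permit", 64, "0.0.0.0 255.255.255.255", "0.0.0.0 255.255.255.255", None)],
    ("ipv6", "146"): [(10, "permit", 66, "::/0", "::/0", None)],
    # Constructed ACL carrying a source subnet qualifier; expansion must reject it.
    ("ip", "srcq"): [(10, "deny", 6, "10.1.1.0 0.0.0.255", "0.0.0.0 255.255.255.255", None)],
}

# The manual's RADIUS user entry, in attribute order.
MANUAL_ATTRS = [
    ("NAS-Filter-Rule", "permit in 10 from any to any cnt"), ("Filter-ID", "104"),
    ("NAS-Filter-Rule", "permit in 30 from any to any cnt"), ("Filter-ID", "106"),
    ("NAS-Filter-Rule", "permit in 55 from any to any cnt"), ("Filter-ID", "146"),
    ("NAS-Filter-Rule", "permit in 70 from any to any cnt"),
]

def expand(attrs, acls=DEVICE_ACLS, mac="0025618D7920", port="1"):
    """Return (client_rules, None) on success, or ([], error_message) when the
    client must fail authentication, using the manual's event message wording."""
    fail = f"Authentication failed for client {mac} on port {port}: "
    rules = []
    for name, value in attrs:
        if name.lower() != "filter-id":          # NAS-Filter-Rule is taken verbatim
            rules.append(value)
            continue
        hits = [(fam, acls[(fam, value)]) for fam in ("ip", "ipv6") if (fam, value) in acls]
        if not hits:
            return [], fail + "unknown ACL name in attribute filter-id."
        for fam, acl in hits:                    # expanded in place, IPv4 then IPv6
            for seq, action, proto, src, dst, sport in acl:
                if src not in WILDCARD_SRC or sport is not None:
                    return [], fail + ("the ACL specified by the filter-id attribute "
                                       "contains a source address or application port qualifier.")
                label = "IP" if fam == "ip" else "IPv6"
                rules.append(f"{action} in {proto} from any to {dst} cnt ({label} ACL {value}, rule {seq})")
    if len(rules) > MAX_CLIENT_ACES:
        return [], f"client ACL exceeds the {MAX_CLIENT_ACES}-ACE limit"
    return rules, None
```

Running expand(MANUAL_ATTRS) yields the eight rules in the same order as the show access-list radius output above, with the filter-id expansions annotated by ACL name and rule number.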