Operating rules for RADIUS-assigned ACLs

  • Relating a client to a RADIUS-assigned ACLA RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. If the client must authenticate using 802.1X and/or web-based authentication, the username/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set. See Configuring an ACL in a RADIUS server.

  • Multiple clients using the same username/password pairMultiple clients using the same username/password pair will use duplicate instances of the same ACL.

  • Limits for ACEs in RADIUS-assigned ACLsThe switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related client authentication to fail.

  • Effect of other, statically configured ACLsSuppose that port B1 belongs to VLAN "Y" and has a RADIUS-assigned ACL to filter inbound traffic from an authenticated client. Port B1 is also configured with IPv4 and IPv6 static port ACLs, and VLAN "Y" is statically configured with IPv4 and IPv6 VACLs.
    • IP traffic entering the switch on port B1 from the client and having a match with a deny ACE configured in any of the ACLs mentioned above will be dropped.

    • If an inbound RACL was also configured on VLAN "Y", then a deny match in the RACL would apply to any inbound, routed IPv4 traffic from the client (and to any inbound, switched traffic having a destination on the switch itself).

    • If an outbound RACL was also configured on VLAN "Y", then any outbound, routed IPv4 traffic leaving the switch through the port B1 would be filtered by the outbound RACL.