Using the standard attribute in an IPv4 ACL (example)

The Standard attribute (92), when used in an ACL without the HP-Nas-Rules-IPv6 VSA, filters IPv4 traffic inbound from the authenticated client. (Any IPv6 traffic inbound from the client is dropped.) This example illustrates configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS using the standard attribute for two different client identification methods (username/password and MAC address).

Procedure
  1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file.
    ATTRIBUTE       Nas-FILTER-Rule 92
  2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125 and the key ("secret") is "1234", you would enter the following in the server's clients.conf file:
    Switch identity information for a freeRADIUS application
  3. For a given client username/password pair or MAC address, create an ACL by entering one or more ACEs in the FreeRADIUS "users" file.

    Remember that every ACL created automatically includes an implicit deny in ip from any to any ACE.

    For example, to create identical ACL support for the following:

    • Client having a username of "mobilE011" and a password of "run10kFast"

    • Client having a MAC address of 08 E9 9C 4F 00 19

    The ACL in this example must achieve the following:

    • Permit http (TCP port 80) traffic from the client to the device at 10.10.10.101

    • Deny http (TCP port 80) traffic from the client to all other devices

    • Permit all other traffic from the client to all other devices

    To configure the above ACL, enter the username/password and ACE information shown in Configuring the FreeRADIUS server to support ACLs for the indicated clients.

    NOTE:

    For information on syntax details for RADIUS-assigned ACLs, see Using HPE VSA 63 to assign IPv6 and IPv4 ACLs (example).

    Configuring the FreeRADIUS server to support ACLs for the indicated clients