How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port

A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique credentials (username/password pair or a client MAC address) of the specific client the ACL is intended to service. Where the username/password pair is the selection criteria, the corresponding ACL can also be used for a group of clients that all require the same ACL policy and use the same username/password pair. Where the client MAC address is the selection criteria, only the client having that MAC address can use the corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured with that client's credentials to the client's port. The ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly permitted by the ACL.

  • If the filter rule used for a RADIUS-based ACL is one of the options that specifies only IPv4 traffic, then the ACL will implicitly deny any inbound IPv6 traffic from the authenticated client.

  • If the filter rule used for a RADIUS-based ACL is the option for specifying both IPv4 and IPv6 traffic, then the ACL filter both IP traffic types according to the ACEs included in the RADIUS-assigned ACL.

When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.

Implicit Deny

Every RADIUS-assigned ACL ends with an implicit deny in ACE for both IPv4 and IPv6 traffic. This implicit ACE denies any IP traffic that is not specifically permitted. To override this default, configure an explicit permit in ip from any to any as the ACL's last explicit ACE.

Multiple clients in a RADIUS-assigned ACL environment

Where multiple clients are authenticated on the same port, if any of the clients has a RADIUS-assigned ACL, then all of the authenticated clients on the port must have a RADIUS-assigned ACL. In this case, the switch drops the IP traffic from any authenticated client that does not have a RADIUS-assigned ACL, and deauthenticates that client.