Operating rules for RADIUS-assigned ACLs

  • Relating a client to a RADIUS-assigned ACL:

    A RADIUS-assigned ACL for a particular client must be configured in the RADIUS server under the authentication credentials the server should expect for that client. If the client must authenticate using 802.1X and/or web-based authentication, the username/password pair forms the credential set. If authentication is through MAC Authentication, then the client MAC address forms the credential set. See Configuring an ACL in a RADIUS server.

  • Multiple clients using the same username/password pair:

    Multiple clients using the same username/password pair will use duplicate instances of the same ACL.

  • Limits for ACEs in RADIUS-assigned ACLs:

    The switch supports up to 80 characters in a single ACE. Exceeding this limit causes the related client authentication to fail.
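Because an over-long ACE does not produce a configuration error on the server but instead makes the client's authentication fail at the switch, it is worth checking ACL definitions before they are loaded into the RADIUS server. The following added example (not from the switch documentation or any vendor tool) checks each ACE against the 80-character limit and reports which credential set would fail authentication; the profile layout, the ACE strings, and the MAC-address pattern used to tell a MAC-authentication credential from a username are constructed assumptions.

```python
"""Pre-check RADIUS-assigned ACL definitions against the per-ACE length limit.

Added example; the profile format and sample ACEs are constructed, not taken
from any RADIUS server or switch configuration.
"""
import re

# Per-ACE character limit stated in the switch documentation.
MAX_ACE_LEN = 80

# Assumption: a MAC-authentication credential is presented as a bare MAC
# address (with or without ':' / '-' separators); everything else is treated
# as a username credential (802.1X or web-based authentication).
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)


def credential_kind(credential):
    """Classify the credential the RADIUS server keys the ACL under."""
    return "mac" if MAC_RE.match(credential) else "username"


def oversized_aces(aces):
    """Return (index, length, ace) for each ACE longer than MAX_ACE_LEN."""
    return [(i, len(ace), ace) for i, ace in enumerate(aces) if len(ace) > MAX_ACE_LEN]


def validate_profiles(profiles):
    """profiles: {credential: [ace, ...]} -> {credential: report}.

    A profile with any oversized ACE is marked as one whose client
    authentication would fail once the ACL is pushed to the switch.
    """
    report = {}
    for credential, aces in profiles.items():
        bad = oversized_aces(aces)
        report[credential] = {
            "kind": credential_kind(credential),
            "ace_count": len(aces),
            "oversized": bad,
            "auth_would_fail": bool(bad),
        }
    return report


# Constructed sample profiles: one username credential and one MAC credential.
LONG_ACE = (
    "deny in tcp from 192.168.100.0/255.255.255.0 "
    "to 10.20.30.40/255.255.255.255 8080 log"
)
SAMPLE_PROFILES = {
    "alice": [
        "permit in tcp from any to 10.10.10.1 80",
        LONG_ACE,
        "permit in ip from any to any",
    ],
    "00:11:22:33:44:55": [
        "permit in udp from any to 10.10.10.2 53",
        "deny in ip from any to any",
    ],
}


def failing_credentials(profiles=SAMPLE_PROFILES):
    """Credentials whose ACL would cause authentication to fail."""
    return sorted(c for c, r in validate_profiles(profiles).items() if r["auth_would_fail"])


if __name__ == "__main__":
    for cred, rep in validate_profiles(SAMPLE_PROFILES).items():
        status = "FAIL" if rep["auth_would_fail"] else "ok"
        print(f"{cred:20} {rep['kind']:8} aces={rep['ace_count']} {status}")
        for idx, length, ace in rep["oversized"]:
            print(f"    ACE {idx}: {length} chars > {MAX_ACE_LEN}: {ace}")
```

Run the check as part of whatever process edits the RADIUS server's user entries, so a too-long ACE is caught before a client is locked out rather than discovered from a failed authentication.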

  • Effect of other, statically configured ACLs:

    Suppose that port B1 belongs to VLAN "Y" and has a RADIUS-assigned ACL to filter inbound traffic from an authenticated client. Port B1 is also configured with IPv4 and IPv6 static port ACLs, and VLAN "Y" is statically configured with IPv4 and IPv6 VACLs.
    • IP traffic entering the switch on port B1 from the client and having a match with a deny ACE configured in any of the ACLs mentioned above will be dropped.
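To make the interaction concrete, the added example below (not from the switch documentation) models a packet arriving on port B1 and runs it through the RADIUS-assigned ACL, the static port ACL and the VACL from the scenario above: each ACL is evaluated first-match, and the packet is dropped as soon as any one of them yields a deny, regardless of a permit in another. The ACE representation, the sample ACLs and the assumption that every ACL ends with an implicit deny are constructed for the example.

```python
"""Model of inbound filtering when a RADIUS-assigned ACL, a static port ACL
and a VACL all apply to the same port.

Added example with constructed ACLs; the first-match-per-ACL and
implicit-deny-at-end behaviour are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str     # IPv4 or IPv6 address
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # "any" or a prefix such as "10.0.0.0/8"
    dst: str
    dport: Optional[int] = None   # None matches any destination port


def _addr_match(pattern, addr):
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def ace_matches(ace, pkt):
    """True if the packet matches all fields of the ACE."""
    return (
        (ace.proto == "ip" or ace.proto == pkt.proto)
        and _addr_match(ace.src, pkt.src)
        and _addr_match(ace.dst, pkt.dst)
        and (ace.dport is None or ace.dport == pkt.dport)
    )


def evaluate_acl(acl, pkt):
    """First-match evaluation; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def inbound_verdict(pkt, acls):
    """Return ("drop" | "permit", per-ACL results).

    A deny from any applied ACL drops the packet, mirroring the rule that a
    match with a deny ACE in any of the configured ACLs causes a drop.
    """
    results = {name: evaluate_acl(acl, pkt) for name, acl in acls.items()}
    verdict = "drop" if "deny" in results.values() else "permit"
    return verdict, results


# Constructed scenario for port B1 in VLAN "Y".
PORT_B1_ACLS = {
    # RADIUS-assigned ACL for the authenticated client: web to one server, rest open.
    "radius_acl": [
        Ace("permit", "tcp", "any", "10.10.10.1/32", 80),
        Ace("permit", "ip", "any", "any"),
    ],
    # Static IPv4 port ACL: nobody on this port may reach the telnet port.
    "static_port_acl": [
        Ace("deny", "tcp", "any", "10.10.10.1/32", 23),
        Ace("permit", "ip", "any", "any"),
    ],
    # Static VACL on VLAN "Y": block one management prefix, allow the rest.
    "vacl": [
        Ace("deny", "ip", "any", "10.99.0.0/16"),
        Ace("permit", "ip", "any", "any"),
    ],
}


def demo():
    """Three packets from the client on port B1; returns their verdicts."""
    packets = {
        "web": Packet("tcp", "192.168.1.50", "10.10.10.1", 80),
        "telnet": Packet("tcp", "192.168.1.50", "10.10.10.1", 23),
        "mgmt": Packet("udp", "192.168.1.50", "10.99.1.1", 161),
    }
    return {name: inbound_verdict(p, PORT_B1_ACLS) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (verdict, per_acl) in demo().items():
        print(f"{name:7} -> {verdict:6} {per_acl}")
```

The telnet packet is permitted by the RADIUS-assigned ACL and by the VACL but still dropped, because the static port ACL denies it; the same holds for the management packet, which only the VACL rejects. When a client loses access unexpectedly, check all three ACLs applied to the port, not only the one the RADIUS server assigned.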