Displaying the current RADIUS-assigned ACL activity on the switch

These commands display the RADIUS-assigned ACLs that the switch is currently enforcing, per port, as a result of RADIUS server responses to client authentication.

Syntax:


show access-list radius <port-list>
For the specified ports, this command lists:
  • Whether the ACL for the indicated client is configured to filter IPv4 traffic only, or both IPv4 and IPv6 traffic. See Nas-Filter-Rule-Options for more on this topic.

  • The explicit ACEs, switch port, and client MAC address for each ACL dynamically assigned by a RADIUS server in response to client authentication.

If an ACE includes cnt (counter), the output also shows the number of inbound packets the switch has matched against that ACE during the current session; see ACE syntax in RADIUS servers.

Note: If no ACLs are currently assigned to any port in <port-list>, this command returns only the system prompt. If a client authenticates but no RADIUS-assigned ACL appears on the client port, the server does not have a valid ACL configured and assigned to that client's authentication credentials, and that client's traffic on the port is not being filtered by a RADIUS-assigned ACL.

Example:

The following output shows that a RADIUS server has assigned an ACL to port B1 to filter inbound traffic from an authenticated client identified by a MAC address of 00-17-A4-E6-D7-87.

Displaying a RADIUS-assigned ACL applied to a currently active client session

Syntax:


show port-access <web-based|mac-based|authenticator> clients <port-list> detailed

For ports in <port-list> that are configured for authentication, this command shows the details of the RADIUS-assigned features listed below that are active as the result of a client authentication. (Ports in <port-list> that are not configured for authentication are not listed.)

  • Client Base Details:

    Port
      Port number of the port configured for authentication.

    Session Status
      Indicates whether an authenticated client session is active on the port. Options are authenticated and unauthenticated.

    Username
      During an authenticated session, shows the user name of the authenticated client. If the client is not authenticated, this field is empty.

    IP
      Shows the authenticated client's IP address, if available. Requires DHCP snooping to be enabled on the switch. "n/a" means the switch has not been able to learn the client's IP address. Note: Even where the client IP address is available to the switch, it can take a minute or longer for the switch to learn it. For more on this topic, see Configuring RADIUS accounting.

    Session Time (sec)
      For an unauthenticated session, the elapsed time in seconds since the client was detected on the port. For an authenticated session, the elapsed time in seconds since the client was authenticated on the port.

    MAC Address
      During an authenticated session, shows the MAC address of the authenticated client.

  • Access Policy Details:

    COS Map
      The 802.1p priority assigned by the RADIUS server to traffic inbound on the port from the authenticated client. The field shows an eight-digit value in which every digit is the assigned 802.1p number; for example, if the assigned 802.1p value is 5, the field shows 55555555. If the RADIUS server has not assigned an 802.1p priority, the field shows Not Defined.

    Untagged VLAN
      VLAN ID (VID) of the untagged VLAN currently supporting the authenticated connection.

    Tagged VLANs
      VLAN IDs (VIDs) of any tagged VLANs currently supporting the authenticated connection.

    RADIUS ACL List
      Lists the explicit ACEs in the ACL assigned to the port for the authenticated client, including the Hit Count (number of matches) for each ACE configured with the cnt option; see ACE syntax in RADIUS servers. If no RADIUS ACL for the authenticated client is assigned to the port, No Radius ACL List appears in this field.

    In Limit Kbps
      The ingress rate limit assigned by the RADIUS server to the port for traffic inbound from the authenticated client. If no ingress rate limit is assigned, Not Set appears in this field.

    Out Limit Kbps
      The egress rate limit assigned by the RADIUS server to the port for traffic outbound to the authenticated client. If no egress rate limit is assigned, Not Set appears in this field.

Output showing current RADIUS-applied features

switch(config)# show port-access web-based clients 10 detailed
 
 Port Access Web-Based Client Status Detailed

  Client Base Details :
  Port           : 10
  Session Status : authenticated   Session Time(sec) : 5
  Username       : acluser1        MAC Address       : 0017a4-e6d787
  IP             : n/a

  Access Policy Details :
  COS Map       : 77777777         In Limit Kbps     : 1000
  Untagged VLAN : 10               Out Limit Kbps    : Not Set
  Tagged VLANs  : 20
  RADIUS-ACL List :
     deny in 23 from any to 10.0.8.1/24 23 CNT
        Hit Count: 1
     permit in 1 from any to 10.0.10.1/24 CNT
        Hit Count: 112
     deny in udp from any to any 67-68 CNT
        Hit Count: 7
     permit in ip from any to any CNT
        Hit Count: 125
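
Reading this output by eye works for one port but not for a closet of them, and the note under show access-list radius describes a condition that is easy to overlook: a client that authenticates and receives no ACL at all. The following Python is an added example, not switch or vendor code. It parses the detailed output format shown above into one record per client session and audits each session for three things a security operator cares about: an authenticated session with No Radius ACL List (no server-assigned filter on the port), deny ACEs whose Hit Count shows the client has actually sent blocked traffic, and ACEs without cnt, which therefore expose no hit counter to monitor. SAMPLE_OUTPUT is constructed to follow the field layout on this page and is not a capture from a real switch; the second port, the usernames and the ACE contents are invented, and the Ace and ClientSession names are the example's own.

```python
"""Audit RADIUS-assigned policy from 'show port-access ... clients <port-list> detailed' output.
Added example, not vendor code; SAMPLE_OUTPUT is constructed to follow the layout on this page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
 Port Access Web-Based Client Status Detailed

  Client Base Details :
  Port           : 10
  Session Status : authenticated   Session Time(sec) : 5
  Username       : acluser1        MAC Address       : 0017a4-e6d787
  IP             : n/a
  Access Policy Details :
  COS Map       : 77777777         In Limit Kbps     : 1000
  Untagged VLAN : 10               Out Limit Kbps    : Not Set
  Tagged VLANs  : 20
  RADIUS-ACL List :
     deny in tcp from any to 10.0.8.1/24 23 CNT
        Hit Count: 1
     permit in tcp from any to 10.0.10.1/24 80
     permit in ip from any to any CNT
        Hit Count: 125

  Client Base Details :
  Port           : 11
  Session Status : authenticated   Session Time(sec) : 40
  Username       : acluser2        MAC Address       : 0017a4-aabbcc
  IP             : 10.0.10.55
  Access Policy Details :
  COS Map       : Not Defined      In Limit Kbps     : Not Set
  Untagged VLAN : 10               Out Limit Kbps    : Not Set
  Tagged VLANs  :
  RADIUS-ACL List :
     No Radius ACL List
"""

# One "Key : value" pair, or two on a line separated by two or more spaces.
FIELD_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9 ()-]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z0-9 ()-]*?\s*:|\s*$)"
)

@dataclass
class Ace:
    text: str                    # ACE as printed by the switch
    hits: Optional[int] = None   # Hit Count; only present when the ACE carries cnt

@dataclass
class ClientSession:
    fields: Dict[str, str] = field(default_factory=dict)
    aces: List[Ace] = field(default_factory=list)

def parse_detailed(text: str) -> List[ClientSession]:
    # One ClientSession per "Client Base Details" block.
    sessions: List[ClientSession] = []
    cur: Optional[ClientSession] = None
    in_acl = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Client Base Details"):
            cur = ClientSession()
            sessions.append(cur)
            in_acl = False
            continue
        if cur is None:              # banner before the first session block
            continue
        if line.startswith("RADIUS-ACL List"):
            in_acl = True
            continue
        if in_acl:                   # ACE lines and their Hit Count lines follow the header
            if line.startswith("Hit Count:"):
                if cur.aces:
                    cur.aces[-1].hits = int(line.split(":", 1)[1])
            elif not line.startswith("No Radius ACL List"):
                cur.aces.append(Ace(line))
            continue
        for key, value in FIELD_RE.findall(line):
            cur.fields[key] = value.strip()
    return sessions

def audit(sessions: List[ClientSession]) -> List[str]:
    # One finding per condition an operator should act on.
    findings: List[str] = []
    for s in sessions:
        user = s.fields.get("Username") or "unauthenticated"
        who = f"port {s.fields.get('Port', '?')} ({user})"
        if s.fields.get("Session Status") == "authenticated" and not s.aces:
            # Server returned no ACL for these credentials: client is unfiltered on the port.
            findings.append(f"{who}: authenticated but no RADIUS ACL applied")
        for ace in s.aces:
            if ace.hits is None:
                findings.append(f"{who}: no hit counter on '{ace.text}' (add cnt to monitor it)")
            elif ace.text.startswith("deny") and ace.hits > 0:
                findings.append(f"{who}: {ace.hits} packet(s) matched deny rule '{ace.text}'")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_detailed(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the real output of the command (for example, collected over SSH on a schedule) instead of SAMPLE_OUTPUT; a growing Hit Count on a deny ACE between two runs is a usable detection signal, and a session that reports No Radius ACL List is the misconfiguration the note above warns about.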

ICMP type numbers and keywords

IPv4 ICMP

   #  Keyword
   0  echo reply
   3  destination unreachable
   4  source quench
   5  redirect
   8  echo request
   9  router advertisement
  10  router solicitation
  11  time-to-live exceeded
  12  IP header bad
  13  timestamp request
  14  timestamp reply
  15  information request
  16  information reply
  17  address mask request
  18  address mask reply

IPv6 ICMP

   #  Keyword
   1  destination unreachable
   2  packet too big
   3  time exceeded
   4  parameter problem
 128  echo request
 129  echo reply
 130  multicast listener query
 131  multicast listener reply
 132  multicast listener done
 133  router solicitation
 134  router advertisement
 135  neighbor solicitation
 136  neighbor advertisement
 137  redirect message
 138  router renumbering
 139  icmp node information query
 140  icmp node information response
 141  inverse neighbor discovery solicitation message
 142  inverse neighbor discovery advertisement message
 143  version 2 multicast listener report
 144  home agent address discovery request message
 145  home agent address discovery reply message
 146  mobile prefix solicitation
 147  mobile prefix advertisement
 148  certification path solicitation message
 149  certification path advertisement message
 151  multicast router advertisement
 152  multicast router solicitation
 153  multicast router termination