ACE syntax in RADIUS servers

The following information describes ACE syntax configuration options in a RADIUS server.

ACE syntax (standard attribute-92)


Nas-filter-Rule =" {<permit | permit>} in {<ip | ip-protocol-value>} from any to {<any | host | <ip-addr> | ipv4-addr/mask | IPv6-address/prefix>} [{<tcp/udp-port | tcp/udp-port range>}] [cnt] "

IPv6 VSA for standard attribute


[HP-Nas-Rules-IPv6= | <1 | 2>]

For an example of how to apply this VSA, see Configuring a FreeRADIUS server to filter IPv4 and IPv6 traffic for a client with correct credentials..

ACE syntax (legacy VSA-61)


Nas-filter-Rule =" {<permit | permit>} in {<ip | ip-protocol-value>} from any to {<any | host | <ip-addr> | ipv4-addr/mask | IPv6-address/prefix>} [{<tcp/udp-port | tcp/udp-port range>}] [cnt"]
This command specifies the standard attribute for filtering inbound IPv4 traffic from an authenticated client. When used without the VSA option (below) for filtering inbound IPv6 traffic from the client, drops the IPv6 traffic. See also Nas-filter-Rule attributes.

[HP-Nas-Rules-IPv6= | <1 | 2>]
You use the VSA in an ACL intended to filter IPv6 traffic. Settings include:
  • 1: ACE filters both IPv4 and IPv6 traffic.

  • 2: ACE filters IPv4 traffic and drops IPv6 traffic.

  • VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.

This VSA must be present in an ACL where the Nas-filter-Rule= attribute is intended to filter inbound IPv6 traffic from an authenticated client. See also Nas-filter-Rule attributes. HP-Nas-filter-Rule=Legacy VSA for filtering inbound IPv4 traffic only from an authenticated client. Drops inbound IPv6 traffic from the client. See also Nas-filter-Rule attributes.Must be used to enclose and identify a complete permit or deny ACE syntax statement. For example:
Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"

{<permit | deny>}
Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For information on explicitly permitting or denying all inbound IP traffic from an authenticated client, or for implicitly denying all such IP traffic not already permitted or denied, see Configuration notes.)inRequired keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.

{<ip | ip-protocol-value>}
Options for specifying the type of traffic to filter.ipApplies the ACE to all IP traffic from the authenticated client.ip-protocol-valueThis option applies the ACE to the type of IP traffic specified by either a protocol number or by tcp , udp ,icmp, or (for IPv4-only) igmp. The range of protocol numbers is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing, see "Protocol Registries" on the Web site of the Internet Assigned Numbers Authority at www.iana.com). Some examples of protocol numbers include:1=ICMP 17=UDP 2=IGMP (IPv4 only) 41=IPv66=TCPfrom anyRequired keywords specifying the (authenticated) client source. (Note that a RADIUS-assigned ACL assigned to a port filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment.)toRequired destination keyword. any
  • Specifies any IPv4 destination address if one of the following is true:
    • the ACE uses the standard attribute ( Nas-filter-Rule) and the IPv6 VSA ( HP-Nas-Rules-IPv6) is not included the ACL. For example:
      Nas-filter-Rule="permit in tcp from any to any 23"
      Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
      Nas-filter-Rule+="deny in ip from any to any"
    • the ACE uses the standard attribute ( Nas-filter-Rule)and the IPv6 VSA ( HP-Nas-Rules-IPv6) is included in the ACL with an integer setting of 2. For example, all of the following destinations are for IPv4 traffic:
      HP-Nas-Rules-IPv6=2
      Nas-filter-Rule="permit in tcp from any to any 23"
      Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
      Nas-filter-Rule+="deny in ip from any to any"
    • the HP-Nas-Filter-Rule VSA is used instead of either of the above options. For example, all of the following destinations are for IPv4 traffic:
      HP-Nas-filter-Rule="permit in tcp from any to any 23"
      HP-Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
      HP-Nas-filter-Rule+="deny in ip from any to any"
  • Specifies any IPv4 or IPv6 destination address if the ACL uses the HP-Nas-Rules-IPv6 VSA with an integer setting of 1. See Nas-filter-Rule attributes. For example, the any destinations in the following ACL apply to both IPv4 and IPv6 traffic:
    HP-Nas-Rules-IPv6=1Nas-filter-Rule="permit in tcp from any to any 23"
    Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
    Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120"
    Nas-filter-Rule+="deny in ip from any to any"
host <ipv4-addr>Specifies a single destination IPv4 address.<ipv4-addr/<mask>Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is CIDR notation for the number of leftmost bits in a packet's destination IPv4 address that must match the corresponding bits in the destination IPv4 address listed in the ACE. For example, a destination of 10.100.17.1/24 in the ACE means that a match occurs when an inbound packet (of the designated IPv4 type) from the authenticated client has a destination IPv4 address where the first three octets are 10.100.17. (The fourth octet is a wildcard, and can be any value up to 255.)host <ipv6-addr>Specifies a single destination IPv6 address. Note: Filtering IPv6 traffic requires the Standard Attribute(Nas-Filter-Rule)with the HP-Nas-Rules-IPv6 VSA set to 1. See Nas-filter-Rule attributes. <ipv6-addr/<prefix>Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The <prefix> specifies the number of leftmost bits in a packet's destination IPv6 address that must match the corresponding bits in the destination IPv6 address listed in the ACE. For example, a destination of FE80::1b:127/112 in the ACE means that a match occurs when an inbound packet (of the designated IPv6 type) from the authenticated client has a destination IPv6 address where the first 112 are FE80::1b. (The last 16 bits in the address configured in the ACE form a "wildcard", and can be any value from 0 to FFFF.) Also, see Note, above.

[tcp/udp-port | tcp/udp-port-range]
Optional TCP or UDP port specifier. Used when the ACE is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify port numbers as individual values and ranges. For example, the following ACE shows two ways to deny any UDP traffic from an authenticated client that has a DA of any address and a UDP destination port of 135, 137-139, or 445:
deny in udp from any to any 135, 137-139, 445
deny in 17 from any to any 135, 137-139, 445

[icmp-type | icmpv6-type]
Optional ICMP type specifier. This can be either a keyword or an ICMP type number.
[ cnt ]

Optional counter specifier for a RADIUS-assigned ACE. When used, the counter increments each time there is a "match" with the ACE. This option does not require that you configure the switch for RADIUS accounting.