IP traffic filter rules, also known as IP ACLs, provide a user access policy that defines what IP traffic from the user is permitted. IP ACLs can be specified in two ways:
Filter-id attributes and NAS-Filter-Rule attributes may be intermixed in the RADIUS user entry. Filter-id attributes are expanded in place as the entry is read, so the ACEs they contribute appear in the client ACL in the same order as the attributes themselves.
NOTE: This feature does not modify any existing commands.

CLI
A filter-id name may refer to an IPv4 ACL, an IPv6 ACL, or both. Both address families are checked, and every ACL found under that name is expanded. All other ACL types, including MAC and router ACLs, are ignored when processing filter-id attributes. Any number of filter-id attributes may be specified, subject only to the length limit of a RADIUS packet. The limit for all platforms is 100 ACEs per client ACL.
RADIUS user entry

    NAS-Filter-Rule += "permit in 10 from any to any cnt",
    Filter-ID += "104",
    NAS-Filter-Rule += "permit in 30 from any to any cnt",
    Filter-ID += "106",
    NAS-Filter-Rule += "permit in 55 from any to any cnt",
    Filter-ID += "146",
    NAS-Filter-Rule += "permit in 70 from any to any cnt",
Syntax:
A manager may force a reauthentication by using this command.
NOTE: RADIUS Filter-Rule entries are only allowed to contain IPv6 addresses if the
Syntax:
System configuration for show running config

    ip access-list extended "104"
       10 permit 20 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 log
       exit
    ip access-list extended "146"
       10 permit 64 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
       exit
    ipv6 access-list "106"
       10 permit 40 ::/0 ::/0 log
       exit
    ipv6 access-list "146"
       10 permit 66 ::/0 ::/0
       exit
NOTE: There is a legacy attribute named
Syntax:
    show access-list radius

    (NAS rule)Radius-configured Port-based ACL for Port 1/1, Client -- 24BE05-76DA40
    IPv6 ACLs enabled (HP-Nas-Rules-Ipv6): FALSE
    permit in 10 from any to any cnt
       Packet Hit Counter 0
    permit in 20 from any to 0.0.0.0 255.255.255.255 cnt (IP ACL 104, rule 10)
       Packet Hit Counter 0
    permit in 30 from any to any cnt
       Packet Hit Counter 0
    permit in 40 from any to ::/0 cnt (IPv6 ACL 106, rule 10)
       Packet Hit Counter 0
    permit in 55 from any to any cnt
       Packet Hit Counter 0
    permit in 64 from any to 0.0.0.0 255.255.255.255 cnt (IP ACL 146, rule 10)
       Packet Hit Counter 0
    permit in 66 from any to ::/0 cnt (IPv6 ACL 146, rule 10)
       Packet Hit Counter 0
    permit in 70 from any to any cnt
       Packet Hit Counter 0

NOTE: The output labels rules expanded from IPv6 ACLs with the prefix "IPv6" and rules expanded from IPv4 ACLs with the prefix "IP".
Event | Message
---|---
dca_filter_id_match_not_found – This event is logged when the ACL name given in a filter-id attribute does not match any existing 'ip' or 'ipv6' access-list. | Authentication failed for client <mac> on port <port>: unknown ACL name in attribute filter-id.
rmon_dca_acl_has_source_qualifier – This event is logged when the ACL given in a filter-id attribute contains an ACE that has a source IP address or source tcp/udp port qualifier. | Authentication failed for client <mac> on port <port>: the ACL specified by the filter-id attribute contains a source address or application port qualifier.
Event message

    W 10/20/14 15:26:17 03214 dca: Authentication failed for client 0025618D7920 on port 1: unknown ACL name in attribute filter-id.
    W 10/20/14 15:26:17 03215 dca: Authentication failed for client 0025618D7920 on port 1: the ACL specified by the filter-id attribute contains a source address or application port qualifier.
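As an added illustration (not the switch firmware or any vendor code), the following Python models the expansion behaviour described above together with the two rejection events in the table: Filter-Id values are expanded in place as the user entry is read, both the IPv4 and the IPv6 ACL of that name are checked, and an unknown name or an ACE carrying a source qualifier fails the authentication with the corresponding event text. The data model, the function names, and what happens when the 100-ACE limit is exceeded are assumptions; the sample ACLs and the RADIUS user entry are the ones shown on this page.

```python
# Added model of Filter-Id expansion and validation as described on this page.
# Not the switch's own code: the data model, function names and the handling of
# the 100-ACE limit are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_ACES_PER_CLIENT = 100  # limit stated on the page for all platforms
# Source forms that match everything; these are not "source qualifiers".
ANY_SOURCES = {"any", "0.0.0.0 255.255.255.255", "::/0"}


@dataclass
class Ace:
    seq: int                        # sequence number inside the ACL (10, 20, ...)
    action: str                     # "permit" or "deny"
    proto: str                      # protocol as written in the ACE (number or name)
    src: str                        # source address qualifier
    dst: str                        # destination address qualifier
    src_port: Optional[str] = None  # source tcp/udp port qualifier, if present
    log: bool = False


@dataclass
class Acl:
    family: str   # "ip" (IPv4) or "ipv6"; MAC and router ACLs are never matched
    name: str
    aces: List[Ace]


class AuthFailed(Exception):
    """Authentication is rejected; the text mirrors the dca event message."""


def _nas_rule(ace: Ace, acl: Acl) -> str:
    # Rendered the way 'show access-list radius' prints expanded rules.
    family = "IP" if acl.family == "ip" else "IPv6"
    return (f"{ace.action} in {ace.proto} from any to {ace.dst} cnt "
            f"({family} ACL {acl.name}, rule {ace.seq})")


def expand_filter_id(name: str, acls: List[Acl], mac: str, port: str) -> List[str]:
    """Expand one Filter-Id value, checking both address families for that name."""
    matches = [a for a in acls if a.name == name and a.family in ("ip", "ipv6")]
    if not matches:
        raise AuthFailed(f"Authentication failed for client {mac} on port {port}: "
                         "unknown ACL name in attribute filter-id.")
    rules: List[str] = []
    # "ip" sorts before "ipv6", matching the IPv4-then-IPv6 order in the page's output.
    for acl in sorted(matches, key=lambda a: a.family):
        for ace in acl.aces:
            if ace.src not in ANY_SOURCES or ace.src_port is not None:
                raise AuthFailed(f"Authentication failed for client {mac} on port {port}: "
                                 "the ACL specified by the filter-id attribute contains a "
                                 "source address or application port qualifier.")
            rules.append(_nas_rule(ace, acl))
    return rules


def build_client_acl(attrs: List[Tuple[str, str]], acls: List[Acl],
                     mac: str, port: str) -> List[str]:
    """Walk the RADIUS user entry in order; Filter-Id values expand where they appear."""
    rules: List[str] = []
    for attr, value in attrs:
        if attr == "NAS-Filter-Rule":
            rules.append(value)
        elif attr == "Filter-Id":
            rules.extend(expand_filter_id(value, acls, mac, port))
    # Assumption: the page states the limit but not the action taken when it is exceeded.
    if len(rules) > MAX_ACES_PER_CLIENT:
        raise AuthFailed(f"Authentication failed for client {mac} on port {port}: "
                         f"client ACL exceeds {MAX_ACES_PER_CLIENT} ACEs.")
    return rules


def try_apply(attrs: List[Tuple[str, str]], acls: List[Acl],
              mac: str, port: str) -> Tuple[List[str], Optional[str]]:
    """Return (rules, None) on success or ([], event_text) when the entry is rejected."""
    try:
        return build_client_acl(attrs, acls, mac, port), None
    except AuthFailed as err:
        return [], str(err)


# Constructed sample: the ACLs and the RADIUS user entry shown on this page.
SWITCH_ACLS = [
    Acl("ip", "104", [Ace(10, "permit", "20", "0.0.0.0 255.255.255.255",
                          "0.0.0.0 255.255.255.255", log=True)]),
    Acl("ip", "146", [Ace(10, "permit", "64", "0.0.0.0 255.255.255.255",
                          "0.0.0.0 255.255.255.255")]),
    Acl("ipv6", "106", [Ace(10, "permit", "40", "::/0", "::/0", log=True)]),
    Acl("ipv6", "146", [Ace(10, "permit", "66", "::/0", "::/0")]),
]
USER_ENTRY = [
    ("NAS-Filter-Rule", "permit in 10 from any to any cnt"),
    ("Filter-Id", "104"),
    ("NAS-Filter-Rule", "permit in 30 from any to any cnt"),
    ("Filter-Id", "106"),
    ("NAS-Filter-Rule", "permit in 55 from any to any cnt"),
    ("Filter-Id", "146"),
    ("NAS-Filter-Rule", "permit in 70 from any to any cnt"),
]

if __name__ == "__main__":
    for rule in build_client_acl(USER_ENTRY, SWITCH_ACLS, "24BE05-76DA40", "1/1"):
        print(rule)
    # A constructed ACL with a source network and source port qualifier is rejected.
    bad = [Acl("ip", "200", [Ace(10, "permit", "tcp", "10.0.0.0 0.0.0.255", "any",
                                 src_port="eq 22")])]
    print(try_apply([("Filter-Id", "200")], bad, "0025618D7920", "1")[1])
```

Running the block prints the eight rules in the same order as the `show access-list radius` output above, followed by the source-qualifier rejection message; `try_apply` is the function to call from monitoring or test code when the event text rather than an exception is wanted.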