Enhancements
Release M.10.02 Enhancements
the client MAC address is the selection criterion, only the client having that MAC address can use the
corresponding ACL. When a RADIUS server authenticates a client, it also assigns to the port the ACL
configured for that client’s credentials. The ACL then filters the client’s inbound IP traffic and denies
(drops) any such traffic from the client that is not explicitly permitted by the ACL. (Every ACL ends
with an implicit deny in ip from any to any (“deny any any”) ACE that denies IP traffic not specifically
permitted by the ACL.) When the client session ends, the switch removes the RADIUS-based ACL
from the client port.
When multiple clients supported by the same RADIUS server use the same credentials, each is serviced
by a separate instance of the same ACL. (The traffic inbound from any client on the switch carries a
source MAC address unique to that client, and each RADIUS-based ACL instance uses this MAC address
to identify the traffic it filters.)
Notes
On any ACL assigned to a port, there is an implicit deny in ip from any to any (“deny any any”) ACE
that results in a default action to deny any inbound IP traffic that is not specifically permitted by the
ACL. To reverse this default, use an explicit “permit any” as the last ACE in the ACL. Because ACEs are
evaluated sequentially and the first match wins, a “permit any” placed anywhere but last would match
every remaining packet and make the ACEs after it unreachable.
On a given port, RADIUS-based ACL filtering occurs only for the inbound traffic from the client whose
authentication caused the RADIUS-based ACL assignment. Inbound traffic from any other source,
including a second, authenticated client on the same port, will be denied.
The Packet-filtering Process
Sequential Comparison and Action. When an ACL filters a packet from an authenticated client,
it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it
finds a match. The action indicated by the matching ACE (deny or permit) is then performed on the
packet.
Implicit Deny. If a packet from the authenticated client does not have a match with the criteria in
any of the ACEs in the ACL, the ACL denies (drops) the packet. If you need to override the implicit
deny so that a packet (from the authenticated client) that does not have a match will be permitted,
then you can use the “permit any” option as the last ACE in the ACL. This directs the ACL to permit
(forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents
these packets from being filtered by the implicit “deny any”. (Note that the “permit any” option applies
only to packets from the client whose authentication caused the assignment of the ACL to the port.)
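The following is an added example, not switch code from the release notes, that simulates the behaviour described in the Notes and in The Packet-filtering Process above: a RADIUS-assigned ACL instance bound to one client MAC, sequential first-match evaluation, the implicit “deny any any”, and the effect of a trailing “permit any”. The ACE syntax follows the page’s “deny in ip from any to any” form; the optional trailing destination port, the protocol names, the Packet fields and the sample addresses are assumptions made for the example. It also adds a small check, not mentioned on the page, that reports ACEs shadowed by an earlier, broader ACE.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed example: simulates the page's ACL semantics, not ProCurve code.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    src_mac: str            # scopes the ACL instance to the authenticated client
    proto: str              # "tcp", "udp" or "icmp" (assumed protocol names)
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IP protocol
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port (assumed syntax)
    text: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst_net:
            return False
        return self.dport is None or self.dport == pkt.dport

    def covers(self, other: "Ace") -> bool:
        """True if every packet 'other' could match is already matched by self."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and other.src_net.subnet_of(self.src_net)
                and other.dst_net.subnet_of(self.dst_net)
                and (self.dport is None or self.dport == other.dport))


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_ace(text: str) -> Ace:
    """Parse '<permit|deny> in <proto> from <src> to <dst> [port]'.
    '<permit|deny> any' is accepted as shorthand for 'in ip from any to any'."""
    t = text.split()
    if not t or t[0] not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {text!r}")
    if t[1:] == ["any"]:
        return Ace(t[0], "ip", ANY, ANY, None, text)
    if len(t) not in (7, 8) or t[1] != "in" or t[3] != "from" or t[5] != "to":
        raise ValueError(f"unsupported ACE syntax: {text!r}")
    dport = int(t[7]) if len(t) == 8 else None
    return Ace(t[0], t[2], _net(t[4]), _net(t[6]), dport, text)


@dataclass
class RadiusAcl:
    """One ACL instance, bound to the MAC of the client whose authentication assigned it."""
    client_mac: str
    aces: List[Ace] = field(default_factory=list)

    @classmethod
    def from_rules(cls, client_mac: str, rules: List[str]) -> "RadiusAcl":
        return cls(client_mac.lower(), [parse_ace(r) for r in rules])

    def evaluate(self, pkt: Packet) -> Tuple[Optional[str], Optional[str]]:
        """Return (verdict, matching ACE). Verdict is None when the packet is not
        from this instance's client and so is not evaluated by this instance."""
        if pkt.src_mac.lower() != self.client_mac:
            return None, None
        for ace in self.aces:                   # sequential comparison, first match wins
            if ace.matches(pkt):
                return ace.action, ace.text
        return "deny", "implicit deny in ip from any to any"   # nothing matched

    def shadowed_aces(self) -> List[str]:
        """ACEs that can never match because an earlier ACE already covers them."""
        return [later.text for j, later in enumerate(self.aces)
                if any(earlier.covers(later) for earlier in self.aces[:j])]


if __name__ == "__main__":
    client = "00:11:22:33:44:55"                # constructed client MAC
    rules = ["permit in tcp from any to 10.10.10.0/24 80",
             "deny in udp from any to any 53"]
    acl = RadiusAcl.from_rules(client, rules)
    web = Packet(client, "tcp", "10.20.0.7", "10.10.10.5", 80)
    ssh = Packet(client, "tcp", "10.20.0.7", "10.10.10.5", 22)
    print(acl.evaluate(web))                    # ('permit', 'permit in tcp ...')
    print(acl.evaluate(ssh))                    # ('deny', 'implicit deny ...')
    print(RadiusAcl.from_rules(client, rules + ["permit any"]).evaluate(ssh))
```

Running the block shows the three cases the page describes: an explicit permit, a packet dropped by the implicit deny, and the same packet forwarded once “permit any” is the last ACE. The shadowed_aces check is the practical counterpart of the ordering caveat in the Notes: putting “permit any” first reports every later ACE as unreachable.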