Access Control Lists (ACLs) can be used to prohibit or allow data traffic on a switch. To avoid having to configure the ACL individually on each switch, it can be obtained dynamically from a RADIUS server (Dynamic ACL).
This article describes how to configure the retrieval of Dynamic ACLs on an XS or GS-45xx series switch.
Dynamic ACLS must be specified on the RADIUS server using the LANCOM ACL syntax. Examples: Allow DHCP: Prohibit IP address: Allow all others: |
The RADIUS server integrated in LCOS does not support Dynamic ACL and therefore cannot be used in such a scenario. |
1) Connect to the web interface of the device and navigate to the menu System → AAA → Authentication List.
2) Select the entry dot1xList and then click Edit.
3) Under Available Methods select the option Radius and click the upper “arrow” icon to move it into the Selected Methods. Then click Submit.
The option Radius must be stored here, otherwise the switch will not forward the RADIUS requests to the RADIUS server. |
4) Go to the menu Security → Port Access Control → Configuration.
5) Under Admin mode, select the option Enable and click Submit.
6) Go to the menu Security → RADIUS → Named Server.
7) Click Add to add a RADIUS server.
8) Modify the following parameters and then click Submit:
9) Change to the menu Security → Authentication Manager → Interface Configuration.
At this point, under no circumstances should the Admin Mode under Security → Authentication Manager → Configuration be activated (Enable), because authentication is enabled globally for all ports. Otherwise, configuration access to the switch is no longer possible! |
The status of the Named Server under Current only changes to True when the switch receives a RADIUS request.
|
10) Select the interface used for configuration access (in this example the port 1/0/9), under Control Mode select the option Force Authorized and click Submit. With this setting, no authentication is performed on this port.
Select Force Authorized for all ports on which no authentication should be performed. |
11) Select a port on which authentication should be performed (in this example 1/0/10), adjust the following parameters and click Submit:
Since Dynamic ACLs are usually used to deny or allow data traffic to individual devices, this example has the Host Mode set to Single Authentication. If several devices are to be connected to this port (e.g. via an access point), the mode Multiple Domain/Host is required. |
12) On the Configuration tab, set the Admin Mode to the option Enable and click Submit.
13) Click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.
The start configuration is retained even if the device is restarted or there is a power failure. As an alternative, the current configuration can be saved as the start configuration from the command line with the command write memory. |
14) Confirm your changes by clicking OK.
