Description:
Access Control Lists (ACLs) can be used to prohibit or allow data traffic on a switch. To avoid having to configure the ACL individually on each switch, it can be obtained dynamically from a RADIUS server (Dynamic ACL).
This article describes how to configure the retrieval of Dynamic ACLs on an XS or GS-45xx series switch.
Dynamic ACLs must be specified on the RADIUS server using the LANCOM ACL syntax.
Examples:
Allow DHCP:
permit udp any any range 67 68
Prohibit IP address:
deny ip any 192.168.2.10 255.255.255.255
Allow all others:
permit every
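As an added illustration (not part of the LANCOM article), the following Python script parses ACL lines in the three forms shown above and evaluates sample packets against them, so a rule set can be checked before it is entered on the RADIUS server. The grammar is inferred from these three examples only; first-match evaluation, implicit deny when no rule matches, the mask being a subnet mask and the range applying to the destination port are assumptions.

```python
import ipaddress
from collections import namedtuple
# Constructed rule set made of the three ACL lines given in this article.
ACL_TEXT = """permit udp any any range 67 68
deny ip any 192.168.2.10 255.255.255.255
permit every"""

# src/dst: IPv4Network or None ("any"); ports: (low, high) from "range a b" or None
AclRule = namedtuple("AclRule", "action proto src dst ports")

def _endpoint(tokens):
    """Consume 'any' or '<ip> <mask>'; return (network or None, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    # Assumption: the mask is a subnet mask, so 255.255.255.255 selects one host.
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_rule(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if proto == "every":                   # "permit every" carries no further fields
        return AclRule(action, "every", None, None, None)
    src, rest = _endpoint(tokens[2:])
    dst, rest = _endpoint(rest)
    ports = None
    if rest[:1] == ["range"]:              # assumed to be the destination port range
        ports, rest = (int(rest[1]), int(rest[2])), rest[3:]
    if rest:
        raise ValueError(f"unexpected tokens in {line!r}: {rest}")
    return AclRule(action, proto, src, dst, ports)

def parse_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First matching rule decides; first-match order and implicit deny are assumptions."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in acl:
        if r.proto != "every":
            if r.proto not in ("ip", proto):
                continue
            if (r.src is not None and s not in r.src) or (r.dst is not None and d not in r.dst):
                continue
            if r.ports and (dst_port is None or not r.ports[0] <= dst_port <= r.ports[1]):
                continue
        return r.action
    return "deny"
```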
Requirements:
- LCOS SX as of version 5.20 RU8 (download latest version)
- Any web browser for accessing the switch web interface
- Previously configured and functional RADIUS server to supply the Dynamic ACL
The RADIUS server integrated in LCOS does not support Dynamic ACL and therefore cannot be used in such a scenario.
Procedure:
1) Connect to the web interface of the device and navigate to the menu System → AAA → Authentication List.
2) Select the entry dot1xList and then click Edit.
3) Under Available Methods select the option Radius and click the upper “arrow” icon to move it into the Selected Methods. Then click Submit.
The option Radius must be stored here, otherwise the switch will not forward the RADIUS requests to the RADIUS server.
4) Go to the menu Security → Port Access Control → Configuration.
5) Under Admin mode, select the option Enable and click Submit.
6) Go to the menu Security → RADIUS → Named Server.
7) Click Add to add a RADIUS server.
8) Modify the following parameters and then click Submit:
- IP Address/Host Name: Enter the IP address or host name of the RADIUS server from which the switch obtains the Dynamic ACL.
- Server Name: If necessary, adjust the name for the RADIUS server (in this example the name was left as the default setting Default-RADIUS-Server).
- Port Number: Leave the RADIUS port as the default value 1812.
- Secret: Enter the Client Secret set on the RADIUS server.
- Server Type: Select the option Primary.
- Message Authenticator: Check that the option Enabled is selected.
9) Change to the menu Security → Authentication Manager → Interface Configuration.
At this point, under no circumstances should the Admin Mode under Security → Authentication Manager → Configuration be activated (Enable), because that enables authentication globally for all ports, after which configuration access to the switch is no longer possible!
The status of the Named Server under Current only changes to True when the switch receives a RADIUS request.
10) Select the interface used for configuration access (in this example the port 1/0/9). Under Control Mode select the option Force Authorized and click Submit. With this setting, no authentication is performed on this port.
Select Force Authorized for all ports on which no authentication should be performed.
11) Select a port on which authentication should be performed (in this example 1/0/10), adjust the following parameters and click Submit:
- Make sure that the Control Mode option is set to Auto. This means that no communication is possible via the port until the connected network participant has authenticated itself.
- Under Host Mode, select the authentication method Single Authentication. This means that only one network participant can communicate via this port.
Since Dynamic ACLs are usually used to deny or allow data traffic to individual devices, this example has the Host Mode set to Single Authentication. If several devices are to be connected to this port (e.g. via an access point), the mode Multiple Domain/Host is required.
12) On the Configuration tab, set the Admin Mode to the option Enable and click Submit.
13) Click on Save Configuration in the top right-hand corner to save the configuration as the start configuration.
The start configuration is retained even if the device is restarted or there is a power failure.
As an alternative, the current configuration can be saved as the start configuration from the command line with the command write memory.
14) Confirm your changes by clicking OK.