RADIUS Dynamic User-Based Policies

RADIUS Dynamic User-Based Policies is a security feature that controls the services a user device can access when it connects to the network. Before any service is enabled for the user device, the RADIUS server authenticates each device that connects to the switch port and assigns that port to a VLAN or to a VLAN-to-I-SID binding. RADIUS Dynamic User-Based Policies add a dynamic method of applying filter Access Control List (ACL) rules to Extensible Authentication Protocol (EAP) and Non-EAP (NEAP) authenticated user traffic: the RADIUS server authenticates the user device for switch access and, in the same exchange, sends the rules for that device to the switch.

The system clears the rules when the following events occur:

Note

RADIUS Dynamic User-Based Policies support one-time configuration of the policy attributes on the RADIUS server, with the policies then created dynamically on multiple switches across the network. Creating policies automatically in this way speeds up network access for authenticated users and also makes network-wide policy changes take effect on all switches faster.

Extreme Vendor ID 1916 supports the following RADIUS Vendor-Specific Attribute (VSA) for RADIUS Dynamic User-Based Policies:

For more information, see RADIUS Attributes.

The RADIUS server holds the RADIUS VSAs in a configuration file, with one entry for each EAP or NEAP client that the switch authenticates. The following is an example of a RADIUS VSA entry configured on the RADIUS server:

00000000000a Cleartext-Password := "00000000000a"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Auth-Type := Accept,
        Fabric-Attach-ISID = 10:100,
        Extreme-Dynamic-ACL = "CLIENT RadiusGuest",
        Extreme-Dynamic-ACL += "acl inPort",
        Extreme-Dynamic-ACL += "ace 1 sec name ACE-A1 ethernet ether-type eq 0x800 & action deny count & ip ip-protocol-type eq 17 & protocol dst-port eq 4000",
        Extreme-Dynamic-ACL += "ace 2 sec name ACE-A2 ethernet ether-type eq ip & ip dst-ip eq 10.10.10.1 & action deny",
        Extreme-Dynamic-ACL += "acl set default-action deny"
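
The following is an added example, not part of this document or of the switch or RADIUS software: a small Python parser that reads the ordered Extreme-Dynamic-ACL values from the entry above into one policy structure, rejecting anything that does not fit the grammar. The grammar (CLIENT, acl type, ace lines with "&"-separated match and action clauses, default-action) is inferred from the sample and is an assumption; the SAMPLE_VSA list is constructed from the entry above.

```python
import re

# Constructed sample: the Extreme-Dynamic-ACL values from the users-file entry above, in order.
SAMPLE_VSA = [
    "CLIENT RadiusGuest",
    "acl inPort",
    "ace 1 sec name ACE-A1 ethernet ether-type eq 0x800 & action deny count "
    "& ip ip-protocol-type eq 17 & protocol dst-port eq 4000",
    "ace 2 sec name ACE-A2 ethernet ether-type eq ip & ip dst-ip eq 10.10.10.1 & action deny",
    "acl set default-action deny",
]

ACE_RE = re.compile(r"ace (\d+) sec name (\S+) (.+)")
MATCH_RE = re.compile(r"\S+ \S+ eq \S+")   # e.g. "ip dst-ip eq 10.10.10.1" (assumed clause shape)

def parse_dynamic_acl(values):
    """Parse the ordered Extreme-Dynamic-ACL strings into one policy dict.
    Any element outside the (assumed) grammar raises ValueError, so a malformed
    policy is rejected whole instead of being applied with a permissive remainder."""
    if len(values) < 2 or not values[0].startswith("CLIENT ") or not values[1].startswith("acl "):
        raise ValueError("policy must start with 'CLIENT <name>' then 'acl <type>'")
    policy = {"client": values[0].split(None, 1)[1], "acl_type": values[1].split(None, 1)[1],
              "default_action": None, "aces": {}}
    for value in values[2:]:
        m = re.fullmatch(r"acl set default-action (permit|deny)", value)
        if m:
            policy["default_action"] = m.group(1)
            continue
        head, *clauses = [c.strip() for c in value.split("&")]   # clauses are "&"-separated
        m = ACE_RE.fullmatch(head)
        if not m:
            raise ValueError(f"unrecognised element: {value!r}")
        ace_id, ace = int(m.group(1)), {"name": m.group(2), "match": [], "action": []}
        if ace_id in policy["aces"]:
            raise ValueError(f"duplicate ace id {ace_id}")
        for clause in [m.group(3)] + clauses:
            if clause.startswith("action "):
                ace["action"] += clause.split()[1:]          # e.g. ["deny", "count"]
            elif MATCH_RE.fullmatch(clause):
                ace["match"].append(clause)                  # keep match clauses as written
            else:
                raise ValueError(f"bad clause {clause!r} in ace {ace_id}")
        if not ace["action"]:
            raise ValueError(f"ace {ace_id} has no action")
        policy["aces"][ace_id] = ace
    if policy["default_action"] is None:   # assumption: an explicit default-action is required
        raise ValueError("policy does not set a default-action")
    return policy
```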

When the switch receives a new VSA with ACL and Access Control Entries (ACE) rules from the RADIUS server, the switch dynamically creates the ACL infrastructure based on the following: