On EAP-enabled ports, this attribute assigns a dynamic ACL to the port. The dynamic behavior of the ACL depends on the EAP port state (MHMV or MHSA).
The attribute is defined under Extreme Networks vendor ID 1916 and uses the value 251.
For more information, see RADIUS Dynamic User-Based Policies.
The following examples provide the RADIUS configuration for the corresponding CLI filter configuration. This example is for MAC 0a:0a:0a:0a:0a:0a on port 1/1, with EAP in MHMV mode.
filter acl 1 type inPort
filter acl port 1 1/1
filter acl ace 1 1 name RadiusGuest-Rule01
filter acl ace ethernet 1 1 src-mac eq 0a:0a:0a:0a:0a:0a
filter acl ace ethernet 1 1 ether-type eq 0x800
filter acl ace ip 1 1 ip-protocol-type eq 17
filter acl ace protocol 1 1 dst-port eq 53
filter acl ace 1 1 action permit
filter acl ace 1 1 enable
filter acl ace 1 2 name RadiusGuest-Rule02
filter acl ace ethernet 1 2 src-mac eq 0a:0a:0a:0a:0a:0a
filter acl ace ethernet 1 2 ether-type eq 0x800
filter acl ace ip 1 2 dst-ip mask 192.0.2.1 24
filter acl ace 1 2 action permit
filter acl ace 1 2 enable
filter acl ace 1 3 name RadiusGuest-Rule03
filter acl ace ethernet 1 3 src-mac eq 0a:0a:0a:0a:0a:0a
filter acl ace 1 3 action deny
filter acl ace 1 3 enable
The RADIUS VSA does not specify the MAC or the port number because they are already known at the EAP level.
Extreme-Dynamic-ACL = "CLIENT RadiusGuest",
Extreme-Dynamic-ACL += "acl inPort",
Extreme-Dynamic-ACL += "ace 1 sec ethernet ether-type eq 0x800 & ip ip-protocol-type eq 17 & protocol dst-port eq 53 action permit",
Extreme-Dynamic-ACL += "ace 2 sec ethernet ether-type eq 0x800 & ip dst-ip mask 192.0.2.1 24 action permit",
Extreme-Dynamic-ACL += "ace 3 sec action deny"
Extreme-Dynamic-ACL = "ace 1 qos action permit internal-qos 5 remark-dot1p 5 remark-dscp phbaf41 & ethernet ether-type eq 0x800",
Extreme-Dynamic-ACL += "acl set default-action permit"
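
The following Python code is an added example, not taken from Extreme Networks documentation. It encodes the Extreme-Dynamic-ACL lines of the MHMV example above as RADIUS Vendor-Specific attributes (type 26, vendor ID 1916, vendor type 251) and decodes them back, which is useful for comparing the attributes in a captured Access-Accept against the intended ACL. It assumes the standard RFC 2865 VSA layout with one ACL line per attribute; the function and constant names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865)
EXTREME_VENDOR_ID = 1916  # vendor ID stated on this page
DYNAMIC_ACL_TYPE = 251    # Extreme-Dynamic-ACL value stated on this page
MAX_VSA_DATA = 255 - 2 - 4 - 2  # 247 bytes remain after RADIUS and vendor headers

# ACL lines copied from the MHMV example on this page.
ACL_LINES = [
    "CLIENT RadiusGuest",
    "acl inPort",
    "ace 1 sec ethernet ether-type eq 0x800 & ip ip-protocol-type eq 17 & protocol dst-port eq 53 action permit",
    "ace 2 sec ethernet ether-type eq 0x800 & ip dst-ip mask 192.0.2.1 24 action permit",
    "ace 3 sec action deny",
]

def encode_dynamic_acl(lines):
    """Encode each ACL line as its own Vendor-Specific attribute (assumed layout)."""
    out = bytearray()
    for line in lines:
        data = line.encode("ascii")
        if not 0 < len(data) <= MAX_VSA_DATA:
            raise ValueError(f"ACL line must be 1..{MAX_VSA_DATA} bytes: {line!r}")
        out += struct.pack("!BBIBB", VENDOR_SPECIFIC, len(data) + 8,
                           EXTREME_VENDOR_ID, DYNAMIC_ACL_TYPE, len(data) + 2)
        out += data
    return bytes(out)

def decode_dynamic_acl(attrs):
    """Walk a RADIUS attribute list; return Extreme-Dynamic-ACL lines in order."""
    lines, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a vendor-specific attribute
        vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
        if vendor != EXTREME_VENDOR_ID or v_type != DYNAMIC_ACL_TYPE:
            continue  # another vendor's VSA or another Extreme attribute
        if v_len != len(value) - 4:
            raise ValueError("vendor length does not match attribute length")
        lines.append(value[6:].decode("ascii"))
    return lines
```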