RADIUS Dynamic User-Based Policies is a security feature that controls which services a user device can access when it connects to the network. Before enabling any services for the user device, the RADIUS server authenticates each device that connects to the switch port, and the switch assigns that port to a VLAN or to a VLAN to I-SID binding. RADIUS Dynamic User-Based Policies implement a dynamic method to apply filter Access Control List (ACL) rules to Extensible Authentication Protocol (EAP) and Non-EAP (NEAP) authenticated user traffic: the RADIUS server authenticates the user device for switch access and, in the same exchange, sends the ACL rules for that user device to the switch.
The system clears the rules when the following events occur:
You disable EAPoL globally on the switch.
EAP and NEAP sessions are cleared.
You shut down the port.
Note
You must enable RADIUS and EAP over LAN (EAPoL) on the switch. For more information, see Enable RADIUS Authentication and Globally Enable EAP on the Device.
With RADIUS Dynamic User-Based Policies you configure the policy attributes once on the RADIUS server, and the switches create the corresponding policies dynamically on every switch in the network that authenticates the user. Creating policies automatically speeds up network access for authenticated users and also makes network-wide policy changes take effect faster, because only the RADIUS server configuration has to change.
Extreme Vendor ID 1916 supports the following RADIUS Vendor Specific Attribute (VSA) for RADIUS Dynamic User-Based Policies:
Extreme-Dynamic-ACL (ID 251)
For more information, see RADIUS Attributes.
The RADIUS server holds the RADIUS VSAs in its configuration for each EAP or NEAP client that the switch authenticates. The following example shows the VSAs for a client authenticated by its MAC address (user name and password 00000000000a), written in FreeRADIUS users file syntax: the check items (Cleartext-Password, Auth-Type) are on the first line, the reply items follow one per line separated by commas, and values that contain spaces are quoted. The Extreme-Dynamic-ACL attribute is sent several times, and the switch processes the values in the order listed:
    00000000000a Cleartext-Password := "00000000000a", Auth-Type := Accept
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fabric-Attach-ISID = "10:100",
        Extreme-Dynamic-ACL = "CLIENT RadiusGuest",
        Extreme-Dynamic-ACL = "acl inPort",
        Extreme-Dynamic-ACL = "ace 1 sec name ACE-A1 ethernet ether-type eq 0x800 & action deny count & ip ipprotocol-type eq 17 & protocol dst-port eq 4000",
        Extreme-Dynamic-ACL = "ace 2 sec name ACE-A2 ethernet ether-type eq ip & ip dst-ip eq 10.10.10.1 & action deny",
        Extreme-Dynamic-ACL = "acl set default-action deny"
When the switch receives a new VSA with ACL and Access Control Entries (ACE) rules from the RADIUS server, the switch dynamically creates the ACL infrastructure based on the following:
Dynamic ACLs - the switch allocates one dynamic ACL for each EAP-enabled port. You cannot manually configure the dynamic ACL. The dynamic behavior of the ACL depends on the EAP port state (MHMV or MHSA). RADIUS Dynamic User-Based Policies support the inPort and outPort ACL types. To identify whether an ACL was configured statically or dynamically, display the filter ACL configuration with the show filter acl command.
Dynamic ACEs - after the switch creates an ACL as dynamic, the system treats every ACE in that ACL as dynamic; you cannot manually configure the ACEs in a dynamic ACL. When the switch receives an ACE rule from the RADIUS server, the system allocates an ACE ID to it. Each ACE rule carries a relative order that the switch uses to set the priority of the ACE rules it receives. To handle the RADIUS ACL rules, the switch first parses them and then, based on their actions, classifies them as security ACEs or QoS ACEs. If the switch does not recognize a qualifier or an action in a rule, it ignores that rule.
Multiple Host Multiple VLAN (MHMV) operating mode - the system authenticates each MAC that the switch receives on the EAP-enabled port and assigns the MAC to a specific VLAN or VLAN to I-SID binding. The system uses the VLAN to I-SID binding when Flex UNI is enabled on the port. The system processes the ACE rules that the switch receives from the RADIUS server on a per-MAC basis and translates the default-action into an ACE rule with a deny or permit action. When the switch processes the RADIUS VSAs, the system adds the MAC as a qualifier to each ACE rule, so each rule applies only to that authenticated MAC.
Multiple Host Single Authentication (MHSA) operating mode - the system processes the ACE rules that it receives from the RADIUS server on a per port basis.
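The following is an added example written for this page, not Extreme's code, that models the parsing and expansion described above: it reads the Extreme-Dynamic-ACL values in the order the RADIUS server sends them, sorts the ACEs by their relative order, ignores a rule whose qualifier or action it does not recognize, and then expands the policy for an MHMV port (MAC added as a qualifier to every ACE, default-action turned into a final per-MAC ACE) and for an MHSA port (per-port rules, default-action left on the ACL). Assumptions: the qualifier vocabulary is limited to the qualifiers that appear in the page's own example; the per-MAC qualifier is named src-mac; only permit and deny actions are modelled, so QoS ACEs are not; the third ACE, with a made-up qualifier, is constructed here to exercise the ignore path.

```python
"""Model of how a switch could consume Extreme-Dynamic-ACL VSA values.
Added example, not Extreme's code: parses the rule strings shown on this page,
orders ACEs, ignores rules with unknown qualifiers/actions, then expands the
policy for an MHMV port (per MAC) or an MHSA port (per port)."""
import re

ACL_TYPES = {"inPort", "outPort"}   # the two ACL types the page says are supported
ACTIONS = {"permit", "deny"}         # only security actions are modelled; QoS is not
# (layer, field) pairs taken from the page's example rules
QUALIFIERS = {("ethernet", "ether-type"), ("ip", "ipprotocol-type"),
              ("ip", "dst-ip"), ("protocol", "dst-port")}
ACE_HEADER = re.compile(r"^ace (\d+) (\S+) name (\S+)\s*(.*)$")
MAC_FIELD = "src-mac"   # assumed name of the per-MAC qualifier added in MHMV mode


def parse_clause(clause):
    """Parse one '&'-separated clause; None means the switch would not recognise it."""
    t = clause.split()
    if t and t[0] == "action":
        if len(t) < 2 or t[1] not in ACTIONS or any(x != "count" for x in t[2:]):
            return None
        return "action", {"action": t[1], "count": "count" in t[2:]}
    if len(t) == 4 and t[2] == "eq" and (t[0], t[1]) in QUALIFIERS:
        return "qualifier", {"layer": t[0], "field": t[1], "value": t[3]}
    return None


def parse_ace(rule):
    """Parse 'ace <order> <class> name <name> <clause> & <clause> ...', or None."""
    m = ACE_HEADER.match(rule)
    if not m:
        return None
    quals, action = [], None
    for clause in m.group(4).split("&"):
        parsed = parse_clause(clause)
        if parsed is None:               # unknown qualifier or action: drop the rule
            return None
        if parsed[0] == "action":
            if action is not None:       # two action clauses: treat as malformed
                return None
            action = parsed[1]
        else:
            quals.append(parsed[1])
    if action is None:
        return None
    return {"order": int(m.group(1)), "name": m.group(3), "class": "security",
            "qualifiers": quals, **action}


def parse_vsa(values):
    """Turn the ordered Extreme-Dynamic-ACL values into a policy dict."""
    p = {"client": None, "acl_type": None, "default_action": None, "aces": [], "ignored": []}
    for v in values:
        t = v.split()
        if t[:1] == ["CLIENT"] and len(t) == 2:
            p["client"] = t[1]
        elif t[:1] == ["acl"] and len(t) == 2 and t[1] in ACL_TYPES:
            p["acl_type"] = t[1]
        elif t[:3] == ["acl", "set", "default-action"] and len(t) == 4 and t[3] in ACTIONS:
            p["default_action"] = t[3]
        elif t[:1] == ["ace"] and (ace := parse_ace(v)) is not None:
            p["aces"].append(ace)
        else:
            p["ignored"].append(v)
    p["aces"].sort(key=lambda a: a["order"])   # relative order sets priority
    return p


def expand_for_port(policy, mode, mac=None):
    """ACE list the switch would install for one EAP port in the given mode."""
    if mode == "MHSA":   # per port: rules and default-action apply unchanged
        return {"acl_type": policy["acl_type"], "default_action": policy["default_action"],
                "aces": list(policy["aces"])}
    if mode != "MHMV" or mac is None:
        raise ValueError("mode must be MHSA, or MHMV with the authenticated MAC")
    mac_q = {"layer": "ethernet", "field": MAC_FIELD, "value": mac}
    aces = [dict(a, qualifiers=[mac_q] + a["qualifiers"]) for a in policy["aces"]]
    if policy["default_action"] is not None:   # default-action becomes a last per-MAC ACE
        aces.append({"order": max((a["order"] for a in aces), default=0) + 1,
                     "name": f"default-{mac}", "class": "security", "qualifiers": [mac_q],
                     "action": policy["default_action"], "count": False})
    return {"acl_type": policy["acl_type"], "default_action": None, "aces": aces}


# Constructed input: the page's example values plus one rule with an unknown qualifier.
SAMPLE_VSAS = [
    "CLIENT RadiusGuest",
    "acl inPort",
    "ace 1 sec name ACE-A1 ethernet ether-type eq 0x800 & action deny count "
    "& ip ipprotocol-type eq 17 & protocol dst-port eq 4000",
    "ace 2 sec name ACE-A2 ethernet ether-type eq ip & ip dst-ip eq 10.10.10.1 & action deny",
    "ace 3 sec name ACE-A3 ip made-up-field eq 1 & action deny",   # constructed: must be ignored
    "acl set default-action deny",
]

if __name__ == "__main__":
    policy = parse_vsa(SAMPLE_VSAS)
    for ace in expand_for_port(policy, "MHMV", "00:00:00:00:00:0a")["aces"]:
        print(ace["order"], ace["name"], ace["action"], [q["value"] for q in ace["qualifiers"]])
```

Run it and compare the printed ACE list with the output of show filter acl on a switch that has authenticated the same client: on an MHMV port you should see one extra ACE per authenticated MAC carrying the MAC qualifier, while on an MHSA port the rules are installed once for the port. The rule with the unknown qualifier is silently dropped, which is why a typo in a VSA on the RADIUS server shows up only as a missing ACE on the switch.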