Dynamic Access Control Lists (ACL)
The dynamic policy access control lists (ACL) feature uses the existing RADIUS
Access-Accept and change of authorization (CoA) mechanism to override existing policy
rules associated with a user by including a new vendor specific attribute (VSA) in the
CoA and Access-Accept. When a CoA request or Access-Accept response to apply a
particular set of match conditions and actions (or an action-set) is received, a look-up
is performed to determine which policy profile the specified user was authenticated in,
and the action-set ID specified in the CoA/Access-Accept is applied in that user‘s
profile.
Note
You must configure VCAP
partitioning to use dynamic ACL (see
VCAP Partitioning).
If ACL style policy is not selected, or if the specified action-set does not
exist, or if insufficient resources are available, the dynamic ACL rules are not applied
and a NAK response to the RADIUS CoA request are returned. The maximum number of Dynamic
ACL rules per user is 64. Access-Accept can include multiple adds using the += operation (this
operation is not supported as part of RADIUS CoA request). Access-Accept usage does not
support delete operation is ignored. Dynamic ACL rules can be deleted usin an explicit
CoA delete or are deleted when the dynamic session associated with the user is deleted.
Note
The maximum length of a RADIUS packet size is 4096 (both UDP and TLS),
which can prevent the Dynamic ACLs from being sent to get trimmed via VSA 232 due to the
lengthier ACL lists.
Dynamic ACLs and Layer 7 policy share the slices not used by TCI
overwrite-enabled as one shared resource pool (see VCAP Partitioning). Dynamic ACLs have a higher priority to override Layer 7 policy
(DNS) entry matches.
The following match conditions can be used:
- ipv4src ipv4source/mask-length
- ipv4dst ipv4dest/mask-length
- ipproto ipproto
(TCP or UDP)
- l4srcport l4sourceport/mask-length
(requires ipproto)
- l4dstport l4destport/mask-length
(requires ipproto)
The following actions can be used:
- CoS (not valid if “drop” is
specified)
- Drop (not valid if “forward” is
specified)
- Forward (not valid if “drop” is
specified)
- Syslog
- Mirror
To see an example of dynamic ACL VSA string, see Example Dynamic ACL VSA String.
Supported Platforms
ExtremeSwitching
X450-G2, X460-G2, X670-G2, X440-G2, X465, X590, X620, X690, X695, X870, 5320, 5420, 5520 series switches.
Limitations
- TCI overwrite is not
supported on X435 switches.
- Layer 7 policy (DNS)
is not supported on X435 switches.
- Dynamic Access-List is
not supported on X435 and 5520 switches.
- DNS is not supported on Extended Edge switches with Controlling
Bridges on ExtremeSwitching X695, 5320, 5420, and 5520 series switches.
- ACL style policy must be
selected.
- Only a subset of the existing
policy rules is allowed.
- SNMP is not supported.
- Controlling Bridge
does not support tci-overwrite on policy profiles for ExtremeSwitching X695,
5420, and 5520 series switches.
