User-based Dynamic Access Control Lists (ACL)

The user-based dynamic policy access control lists (ACL) feature uses the existing RADIUS Access-Accept and change of authorization (CoA) mechanism to override existing policy rules associated with a user by including a new vendor specific attribute (VSA) in the CoA and Access-Accept. When a CoA request or Access-Accept response to apply a particular set of match conditions and actions (or an action-set) is received, a look-up is performed to determine which policy profile the specified user was authenticated in, and the action-set ID specified in the CoA/Access-Accept is applied in that user‘s profile.

Note

You must configure VCAP partitioning to use dynamic ACL (see VCAP Partitioning).

If ACL style policy is not selected, or if the specified action-set does not exist, or if insufficient resources are available, the dynamic ACL rules are not applied and a NAK response to the RADIUS CoA request are returned. The maximum number of Dynamic ACL rules per user is 64. Access-Accept can include multiple adds using the += operation (this operation is not supported as part of RADIUS CoA request). Access-Accept usage does not support delete operation is ignored. Dynamic ACL rules can be deleted using an explicit CoA delete or are deleted when the dynamic session associated with the user is deleted.

Note

The maximum length of a RADIUS packet size is 4096 (both UDP and TLS), which can prevent the Dynamic ACLs from being sent to get trimmed via VSA 232 due to the lengthier ACL lists.

Dynamic ACLs and Layer 7 policy share the slices not used by TCI overwrite-enabled as one shared resource pool (see VCAP Partitioning). Dynamic ACLs have a higher priority to override Layer 7 policy (DNS) entry matches.

Beginning with Release 32.1, masking IPv4 addresses, L4 ports, and IP protocol numbers are supported. The mask is a required value and must be greater than zero and less than or equal to the maximum number of bits in the field being masked. For example, an IPv4 address mask value must be between 1 and 32.

The following match conditions can be used with user-based ACLs:

ipv4src ipv4source/mask-length
ipv4dst ipv4dest/mask-length
ipproto ipproto (TCP, UDP, ICMP, or protocol number)
l4srcport l4sourceport/mask-length (requires ipproto; range is role-based only with no mask)
l4dstport l4destport-i4sourceportend/mask-length (requires ipproto; range is role-based only with no mask)
ether (role-based only)
any

The following actions can be used:

CoS (not valid if “drop” is specified)
Drop (not valid if “forward” is specified)
Forward (not valid if “drop” is specified)
Syslog
Mirror

To see an example of dynamic ACL VSA string, see Example Dynamic ACL VSA String.

Supported Platforms

All ExtremeSwitching Universal platforms.

Limitations

Dynamic Access-List is not supported on the 5520 switch.
DNS is not supported on Extended Edge switches with Controlling Bridges on the ExtremeSwitching 5420 and 5520 series switch.
ACL style policy must be selected.
Only a subset of the existing policy rules is allowed.
SNMP is not supported.

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

User-based Dynamic Access Control Lists (ACL)

Supported Platforms

Limitations