HP 6200YL User Manual

Page 193


IPv6 Access Control Lists (ACLs)

Overview

If you configure 802.1X user-based security on a port and the RADIUS
response includes a RADIUS-assigned ACL for at least one authenticated
client, then the RADIUS response for all other clients authenticated
on the port must also include a RADIUS-assigned ACL.

Inbound IP traffic on the port from a client that authenticates without
receiving a RADIUS-assigned ACL will be dropped and the client will
be de-authenticated.

Using 802.1X port-based security on a port where the RADIUS
response to a client authenticating includes a RADIUS-assigned ACL,
different results can occur, depending on whether any additional
clients attempt to use the port and whether these other clients initiate
an authentication attempt. This option is recommended for applications
where only one client at a time can connect to the port, and not
recommended for instances where multiple clients may access the
same port at the same time. For more information, refer to “802.1X
Port-Based Access Control” in the chapter titled “Configuring Port-
Based and User-Based Access Control (802.1X)” in the latest Access
Security Guide for your switch.

Operating Notes for IPv6 Applications.

For RADIUS ACL applications using software release K.14.01 or
greater, the switch operates in a dual-stack mode, and a RADIUS-
assigned ACL filters both IPv4 and IPv6 traffic. At a minimum, a
RADIUS-assigned ACL automatically includes the implicit deny for
both IPv4 and IPv6 traffic. Thus, an ACL configured on a RADIUS
server to filter IPv4 traffic will also deny inbound IPv6 traffic from an
authenticated client unless the ACL includes ACEs that permit the
desired IPv6 traffic. The reverse is true for a dynamic ACL configured
on a RADIUS server to filter IPv6 traffic. (ACLs are based on the MAC
address of the authenticating client.) Refer to the chapter titled
“Configuring RADIUS Server Support for Switch Services” in the
latest Access Security Guide for your switch.
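
The dual-stack implicit deny described above can be checked before an ACL is deployed. The following is an added example, not taken from the manual: it models first-match evaluation using a simplified (action, destination prefix) form for each ACE, which is an assumption and not the switch's or the RADIUS server's ACE syntax, and all addresses are constructed.

```python
import ipaddress

IMPLICIT_DENY = "deny (implicit)"

# Constructed sample ACLs in a simplified (action, destination prefix) form.
ACL_V4_ONLY = [
    ("deny", "10.10.99.0/24"),
    ("permit", "10.10.0.0/16"),
]
ACL_DUAL = ACL_V4_ONLY + [("permit", "2001:db8:10::/48")]


def evaluate(acl, dst):
    """Return the action applied to an inbound packet addressed to dst.

    ACEs are checked in order and the first match wins. A packet that
    matches no ACE hits the implicit deny, whatever its IP version.
    """
    addr = ipaddress.ip_address(dst)
    for action, prefix in acl:
        net = ipaddress.ip_network(prefix)
        # An ACE can only match packets of its own IP version.
        if net.version == addr.version and addr in net:
            return action
    return IMPLICIT_DENY


def families_blocked(acl):
    """Return the IP versions for which the ACL contains no permit ACE.

    For those versions every inbound packet from the authenticated
    client ends at the implicit deny.
    """
    permitted = {
        ipaddress.ip_network(prefix).version
        for action, prefix in acl
        if action == "permit"
    }
    return sorted({4, 6} - permitted)


if __name__ == "__main__":
    for name, acl in (("IPv4-only ACL", ACL_V4_ONLY), ("dual-stack ACL", ACL_DUAL)):
        print(name, "blocks all traffic for IP versions:", families_blocked(acl))
        for dst in ("10.10.1.5", "10.10.99.7", "2001:db8:10::5"):
            print("  ", dst, "->", evaluate(acl, dst))
```
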

To support authentication of IPv6 clients:

The VLAN to which the port belongs must be configured with an IPv6
address.

Connection to an IPv6-capable RADIUS server must be supported.

For 802.1X or MAC authentication methods, clients can authenticate
regardless of their IP version (IPv4 or IPv6).
