DELL N3000 User Manual

Configuring Port and System Security
• The RADIUS or 802.1X server must specify the policy to assign.
For example, if the DiffServ policy to assign is named internet_access, 
include the following attribute in the RADIUS or 802.1X server 
configuration:
Filter-id = “internet_access”
• The DiffServ policy specified in the attribute must already be configured 
on the switch, and the policy names must be identical.
For information about configuring a DiffServ policy, see "DiffServ 
configure a policy named internet_access.
If you use an authentication server to assign DiffServ policies to an 
authenticated user, note the following guidelines:
• If the policy specified within the server attribute does not exist on the 
switch, authentication will fail.
• Do not delete policies used as the filter ID in the RADIUS server while 
802.1X is enabled. 
• Do not use the DiffServ service-policy command to apply the filter to an 
interface if you configure the RADIUS server or 802.1X authenticator to 
assign the DiffServ filter.
In the following example, Company XYZ uses IEEE 802.1X to authenticate 
all users. Contractors and temporary employees at Company XYZ are not 
permitted to have access to SSH ports, and data rates for Web traffic are 
limited. When a contractor is authenticated by the RADIUS server, the server 
assigns a DiffServ policy to control the traffic restrictions.
The network administrator configures two DiffServ classes: cl-ssh and cl-http. 
The class cl-ssh matches all incoming SSH packets. The class cl-http matches 
all incoming HTTP packets. Then, the administrator configures a traffic 
policy called con-pol and adds the cl-ssh and cl-http classes to it. The 
policy is configured so that SSH packets are dropped, and HTTP data rates are 
limited to 1 MB with a burst size of 64 Kbps. HTTP traffic that exceeds the 
limit is dropped. The host ports, ports 1–23, are configured to use MAC-based 
dot1x authentication to allow the DiffServ policy to be applied. Finally, the 
administrator configures the RADIUS server with the attribute Filter-id = 
“con-pol”.
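
The guidelines above can be checked before 802.1X is enabled by comparing the Filter-Id values the RADIUS server can return against the policies defined on the switch. The following script is an added example, not part of the Dell manual. It assumes FreeRADIUS-style users entries and running-config lines of the form `policy-map <name> in` and `service-policy in <name>`; both samples are constructed.

```python
import re

# Constructed sample: FreeRADIUS-style "users" entries (file format is an assumption).
RADIUS_USERS = '''\
contractor1  Cleartext-Password := "example-only"
             Filter-Id = "con-pol"
temp1        Cleartext-Password := "example-only"
             Filter-Id = "Con-Pol"
guest1       Cleartext-Password := "example-only"
             Filter-Id = "guest-pol"
visitor1     Cleartext-Password := "example-only"
             Filter-Id = "visitor-pol"
'''

# Constructed sample: switch running-config excerpt (line syntax is an assumption).
SWITCH_CONFIG = '''\
policy-map con-pol in
policy-map guest-pol in
interface Gi1/0/5
service-policy in guest-pol
'''

def audit(radius_users, switch_config):
    """Map each Filter-Id the server can return to a list of guideline violations."""
    filter_ids = set(re.findall(r'Filter-Id\s*:?=\s*"([^"]+)"', radius_users, re.I))
    policies = set(re.findall(r'^\s*policy-map\s+(\S+)', switch_config, re.M))
    applied = set(re.findall(r'^\s*service-policy\s+(?:in|out)\s+(\S+)',
                             switch_config, re.M))
    by_lower = {p.lower(): p for p in policies}
    report = {}
    for fid in sorted(filter_ids):
        problems = []
        if fid not in policies:
            # Names must be identical, so a case-only difference is reported too.
            near = by_lower.get(fid.lower())
            problems.append(f"not identical to switch policy '{near}'" if near
                            else "no such policy on switch; authentication will fail")
        if fid in applied:
            problems.append("also applied with service-policy on an interface")
        report[fid] = problems
    return report

if __name__ == "__main__":
    for fid, problems in audit(RADIUS_USERS, SWITCH_CONFIG).items():
        print(fid, "->", "; ".join(problems) or "ok")
```

Running the same check before deleting a policy from the switch shows whether any Filter-Id still refers to it.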