Freeradius configuration examples for switch dynamic ACLs.

CpServiceSPb cpservicespb at gmail.com
Sun Oct 3 23:14:37 CEST 2021


There is Freeradius 3.0.23 on Ubuntu 18.04 LTS x64 and some HPE and Mikrotik managed switches that support the HP-NAS-Filter-Rule and Mikrotik-Switching-Filter Radius attributes (rfc4849).

I want to restrict the src-address for each switch physical port after successful authentication, for example:
- switch port 1, MAC a1:b1:c1:d1:e1:f1 - the allowed src IP is 192.168.0.20 only, all other IPs are denied;
- switch port 2, MAC a2:b2:c2:d2:e2:f2 - the allowed src IP is 192.168.0.30 only, all other IPs are denied;
- switch ports 3-16, MAC a3:b3:c3:d3:e3:f3 - the allowed src IP is 192.168.0.40 only, all other IPs are denied.

Could somebody tell me where, i.e. to which configuration files, attributes that look like
HP-NAS-Filter-Rule = "allow port 1 MAC a1:b1:c1:d1:e1:f1 src-IP 192.168.0.20 dst-IP any"
HP-NAS-Filter-Rule += "allow port2 MAC a2:b2:c2:d2:e2:f2 src-IP 192.168.0.30 dst-IP any"
HP-NAS-Filter-Rule += "allow port3 MAC a3:b3:c3:d3:e3:f3 src-IP 192.168.0.30 dst-IP any"
....
NAS-Filter-Rule += "allow port16 MAC a3:b3:c3:d3:e3:f3 src-IP 192.168.0.30 dst-IP any"
should be added?

And what format is it?

