Support for dACL on HP 5130 switches

Dinesh4 · 2 weeks ago

Hi Experts,

I am running following:

<NAC-5130-2>dis version
HPE Comware Software, Version 7.1.070, Release 3208P03
Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
HPE 5130 48G PoE+ 4SFP+ EI Switch uptime is 6 weeks, 5 days, 22 hours, 13 minutes
Last reboot reason : User reboot

Boot image: flash:/5130ei-cmw710-boot-r3208p03.bin
Boot image version: 7.1.070, Release 3208P03
Compiled Dec 14 2017 18:00:00
System image: flash:/5130ei-cmw710-system-r3208p03.bin
System image version: 7.1.070, Release 3208P03
Compiled Dec 14 2017 18:00:00

Slot 1:
Uptime is 6 weeks,5 days,22 hours,13 minutes
5130-48G-PoE+-4SFP+ (370W) EI JG937A with 1 Processor
BOARD TYPE: 5130-48G-PoE+-4SFP+ (370W) EI JG937A
DRAM: 1024M bytes
FLASH: 512M bytes
PCB 1 Version: VER.B
Bootrom Version: 147
CPLD 1 Version: 002
Release Version: HPE 5130 48G PoE+ 4SFP+ EI JG937A-3208P03
Patch Version : None
Reboot Cause : UserReboot
[SubSlot 0] 48GE+4SFP Plus

We are implementing Cisco NAC solution and there is use case where we would be pushing dACL from Cisco NAC solution to the switch.
To test this out I tried to push dACL using the nas-filter-rule as well as HP-Nas-filter-Rule.

Cisco NAC pushed the rule from the attribute using the Authz Profile, but there was nothing seen on the switch.
How do I check if the dACL has been pushed on switch?
Or if this model and version of switch and OS does not support dACL?

Any pointers much appreciated.

aybra · 2 weeks ago

Hello

You can specify an ACL for an 802.1X user to control its access to network resources. After the user
passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic
from this user. The authentication server can be the local access device or a RADIUS server. In either case,
you must configure the ACL on the access device.
To ensure a successful ACL assignment, make sure the ACL does not contain rules that match source MAC
addresses .

I am an HPE Employee

Accept or Kudo

Dinesh4 · 2 weeks ago

Is there is option that I can use to push any additional ACL using Radius server, as you can do in case of Aruba switches?
Configured this way on Cisco NAC:

dACL on HP.JPG

As like I can see here in this output:

2930F-VSF# show port-access authenticator clients ethernet 1/5 detailed

Port Access Authenticator Client Status Detailed

Port-access authenticator activated [No] : Yes
Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
Use LLDP data to authenticate [No] : No

Client Base Details :
   Port            : 1/5
   Client Status   : Authenticated         Session Time    : 15 seconds
   Client name     : enguyend              Session Timeout : 0 seconds
   IP              : 10.226.236.26         MAC Address     : 28d244-7d16b6

Access Policy Details :
   COS Map         : Not Defined           In Limit Kbps   : Not Set
   Untagged VLAN   : 40                    Out Limit Kbps : Not Set
   Tagged VLANs    : No Tagged VLANs
   Port Mode       : 1000FDx
   RADIUS ACL List :
      deny in ip from any to 10.70.195.18
      permit in ip from any to any