02-10-2015 06:23 AM - last edited on 02-10-2015 05:09 PM by Maiko-I
802.1X Filter-Id does not work with IPv6 ACL
We have a couple of HP V1910-48G switches here and are using Microsoft Network Policy Server (NPS) / Network Access Protection (NAP). While 802.1X access control is working, the only way we are seeing to quarantine NAP noncompliant clients is using ACLs on the switch and sending the 802.1X option Filter-Id.
So we configured on the switches
- one ACL IPv4 number 3000 with rules permitting access to the remediation servers and a last rule "deny ip"
- one ACL IPv6 number 3000 with rules permitting access to the remediation servers and a last rule "deny ip"
and configured the NPS Network Policy to send Filter-Id 3000.
While the IPv4 ACL is working, the IPv6 ACL does not have any effect; any IPv6 packets are permitted. Is this a known problem?
P.S. This thread has been moved from Comware-Based to Web and Unmanaged. - Hp Forum Moderator
- Tags:
- IPv6
08-11-2015 02:10 AM
Re: 802.1X Filter-Id does not work with IPv6 ACL
It's me again. Maybe my config would help to solve the problem. This is an example where all traffic should be blocked. Of course in a real setup there would be more rules to allow traffic to the remediation servers.
```
acl number 3000
 rule 100 deny ip
acl ipv6 number 3000
 rule 100 deny ipv6
```
Now if the switch gets the RADIUS attribute "filter-id 3000" after authentication of a port, all IPv4 traffic on this port is blocked but IPv6 traffic is still possible.
With "display connection ucibindex" one can verify that the filter-id was accepted:
```
ACL Group=3000
```
I then tried another approach, this time using a QoS policy:
```
traffic classifier test operator or
 if-match acl 3000
 if-match acl ipv6 3000
#
traffic behavior test
 filter deny
#
qos policy test
 classifier test behavior test
#
```
This time radius sends "filter-id test".
With "display connection ucibindex" one can verify that the filter-id was accepted:
```
User Profile=test
```
Unfortunately this does not block any traffic of the authenticated port. The QoS policy however is working:
"qos apply policy test inbound" is blocking IPv4 and IPv6 traffic.
Any idea?
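A check that can be run from a quarantined client to confirm, per address family, whether the Filter-Id ACL is actually enforced. This is an added example, not part of the original posts: the target addresses are constructed from documentation ranges and the function names are hypothetical. It assumes that a TCP reset coming back means the packet passed the filter.

```python
import socket

# Constructed sample targets (documentation address ranges), not from the thread.
# expect_open=True: remediation server the quarantine ACL should permit.
# expect_open=False: any other host, which the final deny rule should block.
TARGETS = [
    ("192.0.2.10", 443, True),
    ("2001:db8::10", 443, True),
    ("198.51.100.20", 80, False),
    ("2001:db8:ffff::20", 80, False),
]

def tcp_probe(addr, port, timeout=2.0):
    """Return True if a packet to addr:port got through (handshake or RST)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except ConnectionRefusedError:
        return True   # assumption: the RST came from the target, so the ACL let the SYN out
    except OSError:
        return False  # timeout, unreachable, or no such address family on this host

def audit(targets, probe=tcp_probe):
    """Compare observed reachability with the quarantine policy for each target."""
    findings = []
    for addr, port, expect_open in targets:
        family = "IPv6" if ":" in addr else "IPv4"
        reachable = probe(addr, port)
        if reachable and not expect_open:
            verdict = "LEAK"      # deny rule not enforced for this family
        elif not reachable and expect_open:
            verdict = "BLOCKED"   # remediation server cannot be reached
        else:
            verdict = "OK"
        findings.append((family, addr, port, verdict))
    return findings

def leaking_families(findings):
    """Address families on which traffic that should be denied got through."""
    return sorted({fam for fam, _, _, verdict in findings if verdict == "LEAK"})

if __name__ == "__main__":
    results = audit(TARGETS)
    for row in results:
        print("%-4s %-20s %5d %s" % row)
    print("families not filtered:", leaking_families(results) or "none")
```

With the symptom described in this thread, the IPv4 rows come back as expected while the IPv6 deny target is reported as `LEAK`.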