HPE Community
Web and Unmanaged
1753620 Members
5950 Online
108797 Solutions
New Discussion

Re: 802.1X Filter-Id does not work with IPv6 ACL

 
skrude
Occasional Visitor

‎02-10-2015 06:23 AM - last edited on ‎02-10-2015 05:09 PM by

‎02-10-2015 06:23 AM - last edited on ‎02-10-2015 05:09 PM by

802.1X Filter-Id does not work with IPv6 ACL

We have a couple of HP V1910-48G switches here and are using Microsoft Network Policy Server (NPS) / Network Access protection (NAP). While 802.1X access control is working, the only way we are seeing to quarantine NAP noncomplient clients is using ACLs on the switch and sending the 802.1X option Filter-Id.

 

So we configured on the switches

  • one ACL IPv4 number 3000 with rules permitting access to the remediation servers and a last rule "deny ip"
  • one ACL IPv6 number 3000 with rules permitting access to the remediation servers and a last rule "deny ip"

and configured the NPS Network Policy to send Filter-Id 3000.

 

While the IPv4 ACL is working, the IPv6 ACL does not have any effect, any IPv6 packets are permitted. Is this a known problem?

 

 

P.S. This thread has been moved from Comware-Based to Web and Unmanaged. - Hp Forum Moderator

 

 

0 Kudos
1 REPLY 1
skrude
Occasional Visitor

‎08-11-2015 02:10 AM

‎08-11-2015 02:10 AM

Re: 802.1X Filter-Id does not work with IPv6 ACL

It's me again. Maybe my config would help to solve the problem. This is an example where all traffic should be blocked. Of course in a real setup there would be more rules to allow traffic to the remediation servers.

 

acl number 3000
 rule 100 deny ip

acl ipv6 number 3000
 rule 100 deny ipv6

 

Now if the switch gets the radius attribute "filter-id 3000" after authentification of a port, all IPv4 traffic on this port is blocked but IPv6 traffic is still possible.

 

With "display connection ucibindex" one can verify that the filter-id was accepted:

  ACL Group=3000

 

I then tried another approach, this time using a QoS policy:

 

traffic classifier test operator or
 if-match acl 3000

 if-match acl ipv6 3000
#
traffic behavior test
 filter deny
#
qos policy test
 classifier test behavior test
#

 

This time radius sends "filter-id test".

With "display connection ucibindex" one can verify that the filter-id was accepted:

  User Profile=test

 

Unfortunately this does not block any traffic of the authenticated port. The QoS policy however is working:

"qos apply policy test inbound" is blocking IPv4 and IPv6 traffic.

 

Any idea?

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.