Web and Unmanaged

802.1X Filter-Id does not work with IPv6 ACL

skrude
Occasional Visitor

We have a couple of HP V1910-48G switches here and are using Microsoft Network Policy Server (NPS) / Network Access Protection (NAP). While 802.1X access control is working, the only way we are seeing to quarantine NAP noncompliant clients is using ACLs on the switch and sending the 802.1X option Filter-Id.

So we configured on the switches

  • one ACL IPv4 number 3000 with rules permitting access to the remediation servers and a last rule "deny ip"
  • one ACL IPv6 number 3000 with rules permitting access to the remediation servers and a last rule "deny ip"

and configured the NPS Network Policy to send Filter-Id 3000.
While the IPv4 ACL is working, the IPv6 ACL does not have any effect, any IPv6 packets are permitted. Is this a known problem?
P.S. This thread has been moved from Comware-Based to Web and Unmanaged. - Hp Forum Moderator
1 REPLY
skrude
Occasional Visitor

Re: 802.1X Filter-Id does not work with IPv6 ACL

It's me again. Maybe my config would help to solve the problem. This is an example where all traffic should be blocked. Of course in a real setup there would be more rules to allow traffic to the remediation servers.
acl number 3000
 rule 100 deny ip

acl ipv6 number 3000
 rule 100 deny ipv6

Now if the switch gets the radius attribute "filter-id 3000" after authentication of a port, all IPv4 traffic on this port is blocked but IPv6 traffic is still possible.
With "display connection ucibindex" one can verify that the filter-id was accepted:

  ACL Group=3000
I then tried another approach, this time using a QoS policy:

traffic classifier test operator or
 if-match acl 3000
 if-match acl ipv6 3000
#
traffic behavior test
 filter deny
#
qos policy test
 classifier test behavior test
#
This time radius sends "filter-id test".

With "display connection ucibindex" one can verify that the filter-id was accepted:

  User Profile=test

Unfortunately this does not block any traffic on the authenticated port. The QoS policy however is working:

"qos apply policy test inbound" is blocking IPv4 and IPv6 traffic.
Any idea?
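A small sanity check for the setup described in this thread, added here as an example (it is not part of skrude's posts and not HP/Comware code): given a Comware-style ACL config and the Filter-Id value the switch reports under "display connection ucibindex", it verifies that an ACL with that number exists in both the IPv4 and the IPv6 family, that each one ends in a deny rule, and that IPv6 rules use the "ipv6" protocol keyword as in the reply above rather than "ip". The sample config, the rule layout and the assumption that the highest-numbered rule is the last one evaluated (Comware's default config-order matching) are my own constructions for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample config in the same shape as the thread's ACLs.
# ACL 3000 is defined for both families; ACL 3001 only for IPv4 and
# without a final deny, so a client quarantined with Filter-Id 3001
# would not actually be blocked.
SAMPLE_CONFIG = """\
acl number 3000
 rule 10 permit ip destination 10.0.0.10 0
 rule 100 deny ip
#
acl ipv6 number 3000
 rule 10 permit ipv6 destination 2001:db8::10/128
 rule 100 deny ipv6
#
acl number 3001
 rule 10 permit ip
#
"""

ACL_HEADER = re.compile(r"^acl(?: (ipv6))? number (\d+)\s*$")
RULE_LINE = re.compile(r"^\s+rule (\d+) (permit|deny)\s*(.*)$")


@dataclass
class Acl:
    family: str                      # "ipv4" or "ipv6"
    number: int
    rules: list = field(default_factory=list)   # (rule_id, action, protocol)


def parse_acls(text):
    """Parse 'acl [ipv6] number N' blocks and their 'rule' lines.

    Returns a dict keyed by (family, number). Blocks end at a '#' line,
    as in Comware running-config output.
    """
    acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            family = "ipv6" if m.group(1) else "ipv4"
            current = Acl(family, int(m.group(2)))
            acls[(family, current.number)] = current
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            rest = m.group(3).split()
            protocol = rest[0] if rest else ""
            current.rules.append((int(m.group(1)), m.group(2), protocol))
        elif line.strip() == "#":
            current = None
    return acls


def check_filter_id(acls, filter_id):
    """Return a list of findings for the ACL number a RADIUS Filter-Id names.

    An empty list means both families have an ACL that ends in a deny
    rule and uses the expected protocol keyword. Assumption: the
    highest-numbered rule is evaluated last (default config order).
    """
    findings = []
    for family in ("ipv4", "ipv6"):
        acl = acls.get((family, filter_id))
        if acl is None:
            findings.append(f"{family}: no ACL {filter_id} defined, traffic in this family is not filtered")
            continue
        if not acl.rules:
            findings.append(f"{family}: ACL {filter_id} has no rules")
            continue
        last_id, last_action, _ = max(acl.rules, key=lambda r: r[0])
        if last_action != "deny":
            findings.append(f"{family}: ACL {filter_id} does not end in a deny rule (last rule {last_id} {last_action})")
        if family == "ipv6":
            for rule_id, _, protocol in acl.rules:
                if protocol == "ip":
                    findings.append(f"ipv6: rule {rule_id} of ACL {filter_id} uses 'ip', expected 'ipv6'")
    return findings


if __name__ == "__main__":
    parsed = parse_acls(SAMPLE_CONFIG)
    for fid in (3000, 3001):
        problems = check_filter_id(parsed, fid)
        print(f"Filter-Id {fid}:", "ok" if not problems else "")
        for p in problems:
            print("  -", p)
```

Run it against the output of "display current-configuration" pasted into SAMPLE_CONFIG; a clean result for the Filter-Id value confirms the ACL side of the quarantine is complete, which narrows a problem like the one in this thread down to how the switch applies the IPv6 ACL after 802.1X, not to a missing rule.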