Setup Guide

RADIUS-assigned DACLs control Layer 3 (L3) trac from a supplicant authenticated by the RADIUS server using 802.1x/MAC

Authentication Bypass (MAB). The RADIUS server pushes the DACLs to an OS9 switch that acts as network access server (NAS). Dell

EMC Networking OS applies the downloaded DACLs to an interface or a specic supplicant session(s)/ user(s) in the interface. OS9

switch uses RADIUS-assigned DACLs to lter L3 trac entering the switch from authenticated supplicant(s) which has RADIUS-assigned

DACL congured in the RADIUS server. This feature allows a centralized administration of security policies for access devices in enterprises

without the need of handling the access policies in the individual devices.

Dell EMC Networking OS complies to the following standards:

• RFC4849 for RADIUS NAS-Filter-Rule attribute

• RFC2865 For Filter-Id attribute

• IPv6 NAS-Filter-Rule attributes are not supported as part of Radius-assigned DACLs.

• Change of Authorization (CoA) Action requests on the RADIUS NAS-Filter-Rule Attributes are not supported.

• The attributes in RADIUS NAS-Filter-Rule supports only the L3 options.

• The RADIUS-assigned DACLs are implicit permit. You can congure an implicit deny rule deny ip any any explicitly to block all

other trac.

• The maximum size of the RADIUS-assigned DACLs through NAS-Filter-Rule attribute is 4000 characters. It can be a single rule or

multiple rules.

• The names of ACLs congured using the OS9 CLI must be dierent from the name of the RADIUS-assigned DACLs downloaded from

the RADIUS server.

• After switch failover, you must do the following on the interface before changing any dot1x related congurations: