Administrator Guide

seq 32 permit tcp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535 monitor no-drop order 254
seq 37 permit ip host 1.1.1.1 host 2.2.2.2 dscp 63 ecn 3 fragments log monitor no-drop order 254
seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3
seq 47 permit ip 100.0.0.0/28 200.0.0.0/23
seq 52 permit ip 100.0.0.0/16 any
seq 57 permit icmp host 1.1.1.1 200.0.0.0/23
seq 62 permit icmp any 200.0.0.0/27
seq 67 permit icmp host 1.1.1.1 any
seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535
!
Extended Ingress IP access list test1 on GigabitEthernet 1/1(Radius-ACL)
Total cam count 3
seq 5 permit ip host 10.10.10.10 host 20.20.20.20 count (0 packets)
seq 10 permit ip host 100.0.0.1 host 200.0.0.100 count (0 packets)
seq 15 deny ip host 100.0.0.1 host 111.0.0.100 count (0 packets)
!
Optimized Extended Ingress IP access list test on stack-unit 2 port_pipe 0 applied on GigabitEthernet 2/1
Total cam count 15
seq 5 permit ip host 1.1.1.1 host 2.2.2.2
seq 6 permit ip host 4.4.4.4 host 5.5.5.5
seq 12 deny ip host 1.1.1.1 host 2.2.2.2
seq 17 permit ip host 100.0.0.1 host 150.0.0.100 count (0 packets)
seq 22 deny ip host 100.0.0.1 host 200.0.0.100 count (0 packets)
seq 27 deny ip any any count (0 packets)
seq 32 permit tcp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535 monitor no-drop order 254
seq 37 permit ip host 1.1.1.1 host 2.2.2.2 dscp 63 ecn 3 fragments log monitor no-drop order 254
seq 42 permit ip any host 150.0.0.100 dscp 63 ecn 3
seq 47 permit ip 100.0.0.0/28 200.0.0.0/23
seq 52 permit ip 100.0.0.0/16 any
seq 57 permit icmp host 1.1.1.1 200.0.0.0/23
seq 62 permit icmp any 200.0.0.0/27
seq 67 permit icmp host 1.1.1.1 any
seq 72 permit udp 1.1.1.1 1.1.1.1 eq 65535 2.2.2.2 2.2.2.2 eq 65535
!
Extended Ingress IP access list test1 on GigabitEthernet 2/1(Radius-ACL)Supplicant MAC-38:8f:17:91:00:00
Total cam count 3
seq 5 permit ip host 10.10.10.10 host 20.20.20.20 count (0 packets)
seq 10 permit ip host 100.0.0.1 host 200.0.0.100 count (0 packets)
seq 15 deny ip host 100.0.0.1 host 111.0.0.100 count (0 packets)
Support for Change of Authorization and Disconnect Messages packets
The Network Access Server (NAS) uses RADIUS to authenticate AAA or dot1x user-access to the switch. The RADIUS service
does not support unsolicited messages sent from the RADIUS server to the NAS.
However, there are many instances in which it is desirable for changes to be made to session characteristics, without requiring
the NAS to initiate the exchange. For example, it may be desirable for administrators to be able to terminate user sessions in
progress.
Alternatively, if the user changes authorization level, this change may require that authorization attributes be added to or deleted
from the user sessions.
To overcome these limitations, Dell EMC Networking OS provides RADIUS extension commands that enable unsolicited
messages to be sent to the NAS. These extension commands provide support for Disconnect Messages (DMs) and
Change-of-Authorization (CoA) packets. DMs cause user sessions to be terminated immediately, whereas CoA packets modify session
authorization attributes such as VLAN IDs, user privileges, and so on.
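The following is an added example, not taken from this guide or from Dell EMC Networking OS. It sketches how a NAS-side receiver can authenticate and decode these unsolicited messages before acting on them, assuming the RFC 5176 wire format (codes 40 and 43, Request Authenticator keyed with the shared secret). The shared secret, user name, session ID and VLAN value are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# RFC 5176 codes for the two unsolicited server-to-NAS request types.
CODES = {40: "Disconnect-Request", 43: "CoA-Request"}

def request_authenticator(header, body, secret):
    # MD5 over Code+Identifier+Length, 16 zero octets, attributes, shared secret.
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest()

def build_request(code, ident, attrs, secret):
    """Encode a request as a RADIUS server would; used here to make sample input."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + request_authenticator(header, body, secret) + body

def parse_request(packet, secret):
    """Return (message name, [(type, value), ...]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError("not a Disconnect-Request or CoA-Request")
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the datagram")
    header, received, body = packet[:4], packet[4:20], packet[20:length]
    # Authenticate before trusting any attribute; constant-time comparison.
    if not hmac.compare_digest(request_authenticator(header, body, secret), received):
        raise ValueError("Request Authenticator mismatch")
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return CODES[code], attrs

# Constructed sample input: secret, user name and session id are made up.
SECRET = b"constructed-shared-secret"
DM = build_request(40, 7, [(1, b"alice"), (44, b"0000002A")], SECRET)  # User-Name, Acct-Session-Id
COA = build_request(43, 8, [(1, b"alice"), (81, b"200")], SECRET)      # Tunnel-Private-Group-ID (VLAN)

if __name__ == "__main__":
    print(parse_request(DM, SECRET))
    print(parse_request(COA, SECRET))
```

RFC 5176 also recommends an Event-Timestamp attribute for replay protection, which this sketch does not check.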