From: 平嘉伟 <jia...@le...> - 2024-08-28 07:11:27
|
Hi folks! I have a pf 13.2 installation for wired 802.1x authentication with Huawei 57xx switches. Test-pc: win10 Test-switch-model: Huawei S5720 Test-switch-vrp-verion: V200R011C10SPC600 802.1x authentication and role based vlan assignment working perfectly. Now here is the thing: I define an acl in [switch-group]-[roles]-[OA-MACHINE]-[access-list] for testing. The acl is pretty simple and has been tested with Huawei switch: acl 10001 deny dst-port 3389 meaning: deny if tcp destination port is 3389 after test-machine passed authentication , got correct role[OA-MACHINE] , the radius reply is: [cid:image001.jpg@01DAF95A.B2251B00] BUT, there is no ACL info in reply! After digging, I found radius-filter which is capable to send acl by using radius attribute 26-82 [Huawei data-filter], but it is hard to use. On the other hand, [access-list] of [switch-group]-[roles] is much more user-friendly. So, my question is: how to make pf send acl which is predefined in [switch-group]-[roles]-[SOME ROLE]-[access-list] to Huawei switch using radius attribute 26-82[Huawei data-filter]? Any advice is appreciated. Joel. |