Administration Guide

Dynamic access control lists

Starting in FortiSwitchOS 7.0.2, you can use RADIUS attributes to configure dynamic access control lists (DACLs) on 802.1x ports. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session, per port, or per MAC address for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1x authentication is successful.

You can use DACLs with 802.1x port-based authentication and 802.1x MAC-based authentication. IPv4 is supported, but IPv6 is not supported. You can use DACLs with monitor mode (open-auth) and with static ACLs.

DACLs are disabled by default.

Two RADIUS attributes are supported:

  • Filter-Id—The Filter-Id attribute names an access control list (ACL) that is predefined in FortiSwitchOS. With 802.1x port-based authentication, the DACL applies to the physical interface. With 802.1x MAC-based authentication, the DACL applies to the source MAC address of the authenticated client. If the Filter-Id cannot be found, the entire DACL fails.
  • NAS-Filter-Rule—The NAS-Filter-Rule attribute defines the filter rules on the RADIUS server. After authentication, the DACL applies to the port. Each NAS-Filter-Rule supports a maximum of 80 characters, and you can specify a maximum of 45 entries per authentication session or a maximum of 45 entries per port. A syntax error in one NAS-Filter-Rule causes the entire DACL to fail.

The following is the Filter-Id format:

Filter-Id += "<filter-name>"

For example:

Filter-Id += "filter-id-service1"

Note: Changing the name of the Filter-Id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command while the session is using that Filter-Id.

The following is the NAS-Filter-Rule format:

NAS-Filter-Rule = " <deny|permit> in <ip|ip-protocol-value> from any to <any|host|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp-port range>] [cnt] "

The following table explains the syntax of the NAS-Filter-Rule:

<deny|permit>
    Select one of the following:
      • permit—Allow packets that match the rule.
      • deny—Drop packets that match the rule.

in
    The in keyword specifies that the ACL applies only to inbound traffic from the authenticated client.

<ip|ip-protocol-value>
    Specify one of the following for the type of traffic to filter:
      • ip—Any protocol will match.
      • ip-protocol-value—IP traffic specified either by a protocol number or by tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255.

from any to
    Required. The from any to keywords specify the authenticated client as the source.

any|host
    Specify one of the following:
      • any—Specifies any IPv4 destination address.
      • host <ipv4-addr>—Specifies a single destination IPv4 address.

<ip-addr>|<ipv4-addr/mask>
    Enter a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is the number of leftmost bits in a packet's destination IPv4 address that must match the corresponding bits in the destination IPv4 address given in the rule. For example, 10.100.24.1/24 matches inbound traffic from the authenticated client that has a destination IPv4 address whose first three octets are 10.100.24.

[<tcp/udp-port|tcp/udp-port range>]
    Specify the TCP or UDP port or range of ports. Use this option when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. Individual port numbers or ranges can be configured. For example, to deny any UDP traffic from an authenticated client that has a destination address of any address and a UDP destination port of 357-457 or 545:

    deny in udp from any to any 357-457, 545

[cnt]
    Enable the counter for a RADIUS-assigned access control entry.

For example:

  • NAS-Filter-Rule += "permit in 20 from any to any cnt"

  • NAS-Filter-Rule += "deny in tcp from any to 10.10.10.1 23"

  • NAS-Filter-Rule += "permit in tcp from any to any 23"
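Because one malformed NAS-Filter-Rule fails the whole DACL for the session, it is worth checking the attribute values on the RADIUS side before they are handed to a switch. The following Python validator is an added example and is not Fortinet code: it parses each rule against the grammar above, enforces the 80-character and 45-entry limits, rejects non-IPv4 destinations, and applies the leftmost-bits mask matching described for <ipv4-addr/mask>. The sample rules are constructed. Two details are assumptions rather than statements from the guide: a destination address without a mask is treated as a single host (/32), and a port list is only accepted with tcp or udp.

```python
"""Validator for FortiSwitchOS NAS-Filter-Rule strings (added example, not Fortinet code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULE_LEN = 80            # per NAS-Filter-Rule, from the guide
MAX_RULES_PER_SESSION = 45   # per authentication session or per port, from the guide
NAMED_PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1, "igmp": 2}  # standard IANA numbers

_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


class DaclSyntaxError(ValueError):
    """Raised for any rule the switch would reject; the caller fails the whole DACL."""


@dataclass
class FilterRule:
    action: str                              # "permit" or "deny"
    protocol: int                            # -1 means "ip" (any protocol)
    dest: Optional[ipaddress.IPv4Network]    # None means "any"
    ports: List[Tuple[int, int]]             # inclusive (low, high) ranges; empty = all ports
    count: bool                              # True when the rule ends with "cnt"


def _parse_protocol(tok: str) -> int:
    if tok == "ip":
        return -1
    if tok in NAMED_PROTOCOLS:
        return NAMED_PROTOCOLS[tok]
    if tok.isdigit() and 0 <= int(tok) <= 255:
        return int(tok)
    raise DaclSyntaxError(f"bad protocol {tok!r} (expected ip, tcp, udp, icmp, igmp or 0-255)")


def _parse_dest(tokens: List[str]) -> Tuple[Optional[ipaddress.IPv4Network], int]:
    """Parse any | host <addr> | <addr> | <addr>/<mask>; return (network, tokens consumed)."""
    if not tokens:
        raise DaclSyntaxError("missing destination")
    if tokens[0] == "any":
        return None, 1
    try:
        if tokens[0] == "host":
            if len(tokens) < 2:
                raise DaclSyntaxError("host keyword without an address")
            return ipaddress.IPv4Network(tokens[1]), 2          # assumption: a single host is /32
        # strict=False keeps host bits, so the guide's 10.100.24.1/24 becomes 10.100.24.0/24
        return ipaddress.IPv4Network(tokens[0], strict=False), 1
    except ValueError as exc:                                   # covers IPv6 and malformed input
        raise DaclSyntaxError(f"bad IPv4 destination {tokens[0]!r}: {exc}")


def _parse_ports(tokens: List[str]) -> List[Tuple[int, int]]:
    """Parse '357-457, 545' style lists; tokens are joined because the comma may carry a space."""
    ranges = []
    for part in "".join(tokens).split(","):
        if not part:
            continue
        m = _PORT_RE.match(part)
        if not m:
            raise DaclSyntaxError(f"bad port specification {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise DaclSyntaxError(f"port range out of order or out of range: {part!r}")
        ranges.append((lo, hi))
    return ranges


def parse_rule(rule: str) -> FilterRule:
    """Parse one NAS-Filter-Rule value, raising DaclSyntaxError on anything the grammar rejects."""
    if len(rule) > MAX_RULE_LEN:
        raise DaclSyntaxError(f"rule exceeds {MAX_RULE_LEN} characters")
    tokens = rule.split()
    if len(tokens) < 7:                      # shortest legal rule: "permit in ip from any to any"
        raise DaclSyntaxError("rule is too short")
    action, direction, proto = tokens[0], tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise DaclSyntaxError(f"action must be permit or deny, got {action!r}")
    if direction != "in":
        raise DaclSyntaxError("only the 'in' direction is supported")
    if tokens[3:6] != ["from", "any", "to"]:
        raise DaclSyntaxError("expected 'from any to' after the protocol")
    protocol = _parse_protocol(proto)
    dest, used = _parse_dest(tokens[6:])
    rest = tokens[6 + used:]
    count = bool(rest) and rest[-1] == "cnt"
    if count:
        rest = rest[:-1]
    ports = _parse_ports(rest)
    if ports and protocol not in (NAMED_PROTOCOLS["tcp"], NAMED_PROTOCOLS["udp"]):
        raise DaclSyntaxError("port list is only accepted with tcp or udp (assumption)")
    return FilterRule(action, protocol, dest, ports, count)


def validate_dacl(rules: List[str]) -> Tuple[List[FilterRule], Optional[str]]:
    """All-or-nothing, as the switch behaves: returns (parsed, None) or ([], error message)."""
    if len(rules) > MAX_RULES_PER_SESSION:
        return [], f"{len(rules)} rules exceeds the {MAX_RULES_PER_SESSION}-entry limit"
    parsed = []
    for i, text in enumerate(rules, 1):
        try:
            parsed.append(parse_rule(text))
        except DaclSyntaxError as exc:
            return [], f"rule {i} rejected, entire DACL fails: {exc}"
    return parsed, None


def dest_matches(rule: FilterRule, dst: str) -> bool:
    """Leftmost-<mask>-bits comparison from the guide: 10.100.24.1/24 matches any 10.100.24.x."""
    return rule.dest is None or ipaddress.IPv4Address(dst) in rule.dest


# Constructed sample DACL mirroring the guide's examples, plus one rule with an IPv6 destination.
SAMPLE_DACL = [
    "permit in 20 from any to any cnt",
    "deny in tcp from any to 10.10.10.1 23",
    "deny in udp from any to any 357-457, 545",
    "permit in tcp from any to 10.100.24.1/24 80, 443",
]
BAD_DACL = SAMPLE_DACL + ["permit in tcp from any to 2001:db8::1 22"]   # IPv6 is not supported

if __name__ == "__main__":
    for name, dacl in (("sample", SAMPLE_DACL), ("bad", BAD_DACL)):
        parsed, err = validate_dacl(dacl)
        print(name, "->", err or f"{len(parsed)} rules accepted")
```

Run the validator over a RADIUS users file or policy export before the attributes are served; the whole-DACL failure mode means a single rejected rule silently removes every other entry for that session, which is far easier to catch here than at the switch.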

To enable DACL on an interface:

config switch interface
    edit <interface_name>
        config port-security
            set port-security-mode {802.1X | 802.1X-mac-based}
            set dacl enable
        end
    next
end

For example:

config switch interface
    edit port11
        config port-security
            set port-security-mode 802.1X
            set dacl enable
        end
    next
end

To configure a value for NAS-Filter-Rule or Filter-Id:

config switch acl service custom
    edit <ACL_service>
        set comment <string>
        set color <0-32>
        set protocol {ICMP | IP | TCP/UDP/SCTP}
        set protocol-number <IP protocol number>
        set tcp-portrange <port_number>-<port_number>
        set udp-portrange <port_number>-<port_number>
    next
end

For example:

config switch acl service custom
    edit filter-id-service1
        set comment "filter ID for service 1"
        set udp-portrange 10000-20000
    next
end

To create a template for the Filter-Id RADIUS attribute:

config switch acl 802-1X
    edit <policy_ID>
        set description <string>
        set filter-id <string>
        config access-list-entry
            edit <ingress_policy_ID>
                set description <string>
                set group <integer>
                config action
                    set count {enable | disable}
                    set drop {enable | disable}
                end
                config classifier
                    set dst-ip-prefix <IP_address_and_netmask>
                    set dst-mac <MAC_address>
                    set ether-type <integer>
                    set service <service_name>
                    set src-ip-prefix <IP_address_and_netmask>
                    set src-mac <MAC_address>
                end
            next
        end
    next
end

For example:

config switch acl 802-1X
    edit 1
        set description "Test Filter-Id"
        set filter-id "Testing"
        config access-list-entry
            edit 1
                set description "Test ACL entry"
                config action
                    set count enable
                    set drop enable
                end
                config classifier
                    set dst-ip-prefix 192.168.0.0 255.255.255.0
                    set ether-type 0x0800
                    set service "filter-id-service1"
                    set src-ip-prefix 192.168.0.0 255.255.255.0
                    set src-mac 00:00:00:00:00:00
                end
            next
        end
    next
end

To display the status of DACLs on a specified 802.1x port or on all ports:

diagnose switch 802-1x status-dacl [<port_name>]

To clear the DACLs from a specified interface or from all interfaces:

execute 802-1x dacl-clr-stat [<interface_name>]

To reinstall the DACLs on a specified interface or on all interfaces:

execute 802-1x dacl-reinstall [<interface_name>]
