Dynamic Access Control Lists (ACL)

The dynamic policy access control lists (ACL) feature uses the existing RADIUS Access-Accept and change of authorization (CoA) mechanism to override existing policy rules associated with a user by including a new vendor specific attribute (VSA) in the CoA and Access-Accept. When a CoA request or Access-Accept response to apply a particular set of match conditions and actions (or an action-set) is received, a look-up is performed to determine which policy profile the specified user was authenticated in, and the action-set ID specified in the CoA/Access-Accept is applied in that user‘s profile.

Note

You must configure VCAP partitioning to use dynamic ACL (see VCAP Partitioning).

If ACL style policy is not selected, or if the specified action-set does not exist, or if insufficient resources are available, the dynamic ACL rules are not applied and a NAK response to the RADIUS CoA request are returned. The maximum number of Dynamic ACL rules per user is 16. Access-Accept can include multiple adds using the += operation (this operation is not supported as part of RADIUS CoA request). Access-Accept usage does not support delete operation is ignored. Dynamic ACL rules can be deleted usin an explicit CoA delete or are deleted when the dynamic session associated with the user is deleted.

Dynamic ACLs and Layer 7 policy share the slices not used by TCI overwrite-enabled as one shared resource pool (see VCAP Partitioning). Dynamic ACLs have a higher priority to override Layer 7 policy (DNS) entry matches.

To see an example of dynamic ACL VSA string, see Example Dynamic ACL VSA String.