Dynamically applying existing ACLs or MAC ACL

When a port is authenticated using 802.1X security, an IP ACL or MAC ACL that exists in the running configuration on the device can be dynamically applied to the port. To do this, you configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-Id attribute specifies the name of the IP ACL or MAC ACL.

The following table shows the syntax for configuring the Filter-Id attribute to refer to an IP ACL or MAC ACL.

Table 1. Syntax for Filter-Id attribute
Value	Description
ip.name.in	Applies the specified named ACL to the 802.1X authenticated port in the inbound direction.
ip.name.out	Applies the specified named ACL to the 802.1X authenticated port in the outbound direction.
mac.name.in	Applies the specified MAC ACL to the 802.1X authenticated port in the inbound direction.

Note

The name variable in the Filter-Id attribute is case-sensitive.
Dynamic IP ACL filters are supported for the inbound and outbound directions.
MAC ACLs are supported only for the inbound direction. Outbound MAC ACLs are not supported.
The RADIUS server sends the ACL name in the Filter-Id attribute in the following form: <ip/mac>.<acl_name>.<in/out>
Only one ACL ID per ACL type is allowed in each direction.