Dynamic ACLs and MAC address filters in authentication

After successful authentication, different network policies can be applied to restrict the way the network resources are accessed by the client. The 802.1X authentication implementation supports dynamically applying an IP ACL to a port, based on information received from the authentication server. The 802.1X authentication also supports dynamic assignment of MAC ACLs to a port.

Note

ACL must not be manually applied to an 802.1X authentication-enabled port.

When a client or supplicant is authenticated, the authentication server (the RADIUS server) sends the authenticator (the device) a RADIUS Access-Accept message containing the Filter-Id (type 11) attribute. The device can use the information in this attribute to apply an IP ACL or MAC ACL to the authenticated port. The IP ACL or MAC ACL stays applied to the port for as long as the client is connected to the network, and is removed from the port when the client logs out or the port goes down.

The ACL IDs received in the RADIUS Access-Accept message for the first authenticated client are applied to the port. Subsequent clients that are authenticated with the same ACL IDs are authorized. Subsequent clients that receive different ACL IDs are considered unauthorized. When all clients have logged out (each by sending a log-off message), the assigned ACL ID set is removed from the port as the last client logs out.

The Filter-Id attribute names an IP ACL or MAC ACL that already exists in the device configuration; the device applies the IP ACL or MAC ACL with that ACL name to the port.
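As an added illustration that is not part of the original documentation, the Python model below reproduces the port-level behaviour described above: Filter-Id (type 11) values are parsed from the Access-Accept attribute TLVs, the first client's ACL set is bound to the port, later clients are authorized only if they carry the same set, and the binding is dropped when the last client logs off or the port goes down. The `attr` helper, the `Port` class and the check that the named ACL exists on the device are assumptions of this example, not device code.

```python
FILTER_ID = 11  # RADIUS attribute type for Filter-Id (RFC 2865)


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (type, length, value). Constructed helper."""
    return bytes([atype, len(value) + 2]) + value


def parse_filter_ids(attrs: bytes) -> set:
    """Walk the attribute TLVs of an Access-Accept and collect every Filter-Id value."""
    ids, i = set(), 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        if atype == FILTER_ID:
            ids.add(attrs[i + 2:i + alen].decode("ascii"))
        i += alen
    return ids


class Port:
    """One 802.1X-enabled port with a dynamically bound ACL ID set (assumed model)."""

    def __init__(self, configured_acls):
        self.configured = set(configured_acls)  # ACL names that exist on the device
        self.bound = None                       # ACL ID set currently applied
        self.clients = set()                    # authorized clients on the port

    def access_accept(self, client: str, attrs: bytes) -> bool:
        """Handle an Access-Accept for `client`; return True if authorized."""
        ids = parse_filter_ids(attrs)
        if not ids <= self.configured:
            return False          # assumption: bind fails if the ACL is not configured
        if self.bound is None:
            self.bound = ids      # first authenticated client: apply its ACL set
        elif ids != self.bound:
            return False          # different ACL IDs: client is unauthorized
        self.clients.add(client)
        return True

    def logoff(self, client: str) -> None:
        """Client log-off; the ACL set is removed when the last client leaves."""
        self.clients.discard(client)
        if not self.clients:
            self.bound = None

    def link_down(self) -> None:
        """Port goes down: all clients and the bound ACL set are cleared."""
        self.clients.clear()
        self.bound = None
```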

Note

Only IPv4 ACLs are supported; IPv6 ACL binding is not supported.
ACL bind fails in the following scenarios:
Note

Dynamically assigned ACLs are not displayed in the running-config.