Dynamic ACLs in authentication

After successful authentication, different network policies can be applied to restrict the way the client accesses network resources. The 802.1X authentication and MAC authentication implementations support dynamically applying IPv4 ACLs and IPv6 ACLs to a port, based on information received from an authentication server.

When a client or supplicant is authenticated, the authentication server (the RADIUS server) sends the authenticator (the RUCKUS ICX device) a RADIUS Access-Accept message that grants the client access to the network. The RADIUS Access-Accept message contains attributes set for the user in the user profile for 802.1X authentication or the device profile for MAC authentication on the RADIUS server.

If the Access-Accept message contains the Filter-Id attribute (type 11), the RUCKUS ICX device can use the information in that attribute to apply an IP ACL to the authenticated port. The IP ACL filter remains on the port for as long as the client is connected to the network. The IP ACL is removed from the port when the client logs out, the port goes down, or the MAC session ages out.

The RUCKUS ICX device uses information in the Filter-Id as follows:

  • The Filter-Id attribute can specify the number of an existing IPv4 ACL or IPv6 ACL configured on the RUCKUS ICX device.
  • The attribute can specify the name of an existing IPv4 ACL or IPv6 ACL configured on the ICX device.
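To make the Filter-Id handling concrete, the following script (an added example, not RUCKUS code or device firmware) encodes and parses a RADIUS Access-Accept packet in the wire format of RFC 2865, extracts each Filter-Id (type 11) attribute, and resolves it against a table of ACLs configured on the authenticator. It treats a value that is all digits as an ACL number and any other value as an ACL name, applies only ACLs that already exist, and records the rest as rejected. The ACL table, the user name, the 16-byte all-zero authenticator and the bare number-or-name syntax of the Filter-Id value are constructed assumptions for the example; the exact string syntax the ICX device expects is not stated on this page, and the example does not verify the Response Authenticator against the shared secret as a real authenticator would.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code for Access-Accept (RFC 2865)
FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865)
HEADER_LEN = 20     # code(1) + identifier(1) + length(2) + authenticator(16)


def build_packet(code, identifier, authenticator, attributes):
    """Encode a RADIUS packet from (type, value-bytes) attribute pairs."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value
                    for atype, value in attributes)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_attributes(payload):
    """Walk the attribute area: type(1) length(1) value, length counts the 2-byte header."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("attribute length out of range")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_packet(packet):
    """Return (code, identifier, authenticator, attributes); reject inconsistent lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, identifier, packet[4:HEADER_LEN], parse_attributes(packet[HEADER_LEN:])


# Constructed sample of ACLs already configured on the authenticator (not real device data).
CONFIGURED_ACLS = {
    "number": {101: ("ipv4", "extended"), 110: ("ipv4", "extended")},
    "name": {"guest-v6": ("ipv6", "standard"), "voice-ipv4": ("ipv4", "extended")},
}


def resolve_filter_id(value, configured):
    """Map one Filter-Id value to a configured ACL, or None when no such ACL exists."""
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text.isdigit():  # assumption: a numeric value names an ACL by number
        number = int(text)
        if number in configured["number"]:
            return ("number", number, configured["number"][number])
        return None
    if text in configured["name"]:  # assumption: anything else is an ACL name
        return ("name", text, configured["name"][text])
    return None


def acls_from_access_accept(packet, configured=CONFIGURED_ACLS):
    """Return (applied, rejected): applied are resolved ACLs, rejected are unknown Filter-Id values.

    Only an Access-Accept grants access, so any other packet code yields no ACLs at all.
    """
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return [], []
    applied, rejected = [], []
    for atype, value in attrs:
        if atype != FILTER_ID:
            continue
        hit = resolve_filter_id(value, configured)
        if hit is None:
            rejected.append(value.decode("ascii", "replace"))
        else:
            applied.append(hit)
    return applied, rejected


if __name__ == "__main__":
    authenticator = bytes(16)  # constructed placeholder, not a computed Response Authenticator
    packet = build_packet(ACCESS_ACCEPT, 7, authenticator, [
        (1, b"user1"),               # User-Name (type 1), constructed
        (FILTER_ID, b"101"),         # existing IPv4 ACL by number
        (FILTER_ID, b"guest-v6"),    # existing IPv6 ACL by name
        (FILTER_ID, b"999"),         # no such ACL: must be rejected, not applied
    ])
    print(acls_from_access_accept(packet))
```

The rejected list is the part a defender cares about: a Filter-Id that references a non-existent ACL should be logged rather than silently ignored, because it usually means the RADIUS user or device profile and the switch configuration have drifted apart, leaving the port without the intended restriction.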