Per-user access control lists (ACLs) can be configured to provide different levels of network access and service to an 802.1X-authenticated
user. When the RADIUS server authenticates a user that is connected to an 802.1X port, it retrieves the ACL attributes based
on the user identity and sends them to the switch. The switch applies the attributes to the 802.1X port for the duration of
the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or
if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port
is unauthorized, the switch removes the ACL from the port.
RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in
octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl#<n
> for the ingress direction and outacl#<n > for the egress direction. MAB ACLs are supported only in the ingress direction.
The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports.
For more information, see the “Configuring Network Security with ACLs|” module.
The extended ACL syntax style should be used to define the per-user configuration that is stored on the RADIUS server. When
the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if the
Filter-Id attribute is used, it can point to a standard ACL.
The Filter-Id attribute can be used to specify an inbound or outbound ACL that is already configured on the switch. The attribute
contains the ACL number followed by
.in for ingress filtering or
.out for egress filtering. If the RADIUS server does not allow the
.in or
.out
syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on
the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended
ACLs).
Only one 802.1X-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user
ACL attribute is disabled for the associated port.
The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user
ACLs.