Dynamic ACLs in authentication

After successful authentication, different network policies can be applied to restrict how the client accesses network resources. The 802.1X authentication and MAC authentication implementations support dynamically applying IPv4 ACLs and IPv6 ACLs to a port, based on information received from an authentication server.

When a client or supplicant is authenticated, the authentication server (the RADIUS server) sends the authenticator (the Ruckus device) a RADIUS Access-Accept message that grants the client access to the network. The RADIUS Access-Accept message contains attributes set for the user in the user profile for 802.1X authentication or the device profile for MAC authentication on the RADIUS server.

If the Access-Accept message contains the Filter-Id attribute (type 11), the Ruckus device can use the information in that attribute to apply an IP ACL to the authenticated port. This IP ACL filter applies to the port for as long as the client is connected to the network. The IP ACL is removed from the corresponding port when the client logs out, the port goes down, or the MAC address ages out.

The Ruckus device uses the information in the Filter-Id attribute in one of two ways:

  • The Filter-Id attribute can specify the number of an existing IPv4 ACL or IPv6 ACL configured on the Ruckus device.
  • The attribute can specify the actual syntax for a Ruckus IPv4 ACL or IPv6 ACL, which is then applied to the authenticated port.
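The exchange above, as an added example that is not part of the original page or any Ruckus code: a small RADIUS Access-Accept encoder and parser that verifies the Response Authenticator before trusting any Filter-Id attribute, then classifies each value as a reference to an existing ACL number or as inline ACL syntax. The shared secret, request authenticator, identifier and the `permit ip any any` string are constructed placeholders, and the all-digits rule for telling an ACL number from ACL syntax is an assumption made for the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept (RFC 2865)
FILTER_ID = 11      # attribute type carrying the ACL number or ACL syntax

def build_access_accept(ident, request_auth, secret, attrs):
    """Encode an Access-Accept; attrs is a list of (type, value_bytes). Constructed sample."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_filter_ids(packet, request_auth, secret):
    """Verify the Response Authenticator, then return [(kind, value)] for each Filter-Id."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    resp_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch; apply no ACL")
    results, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        if atype == FILTER_ID:
            value = body[pos + 2:pos + alen].decode("ascii")
            # All digits: reference to an ACL already on the device; otherwise inline ACL syntax
            kind = "acl-number" if value.isdigit() else "acl-syntax"
            results.append((kind, value))
        pos += alen
    return results

# Constructed sample values (not from any real deployment)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))  # would come from the matching Access-Request
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, [
    (FILTER_ID, b"101"),                 # number of an ACL already configured on the device
    (FILTER_ID, b"permit ip any any"),   # inline ACL syntax (constructed placeholder)
])
```

A port-level ACL applied from an unverified Access-Accept is the failure mode to watch for, so the parser refuses to return any Filter-Id when the authenticator does not match.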