Dynamic IP ACLs in Web Authentication
After successful authentication, different network policies can be applied to restrict how the client accesses network resources. Web Authentication implementations (internal and external) support dynamically applying an IP ACL to a port, based on information received from the authentication server.
When a client/supplicant is authenticated, the authentication server (the RADIUS server) sends the authenticator (the Ruckus device) a RADIUS Access-Accept message that grants the client access to the network. The RADIUS Access-Accept message contains attributes set for the user in the user profile on the RADIUS server.
The Ruckus device uses information in the Filter-Id attribute as follows:
- The Filter-Id attribute can specify the number of an existing IP ACL filter configured on the Ruckus device. In this case, the IP ACL filter with the specified number is applied to the port.
- Dynamic ACLs are not supported in Layer 2 code when ACL per-port-per-VLAN is enabled.
After successful authentication, the RADIUS server may return an ACL that should be applied to the client on the port.
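The Access-Accept handling described above can be checked offline with the following added example, which is not Ruckus code: it walks the attributes of a RADIUS Access-Accept, extracts Filter-Id (attribute type 11 in RFC 2865), and returns an ACL number only if that ACL is already configured. It assumes the Filter-Id value is the bare decimal ACL number (check the device's documented value syntax); the function names, the sample packet and the set of configured ACLs are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865)

def build_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def filter_ids(packet):
    """Return the Filter-Id strings carried in an Access-Accept packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == FILTER_ID:
            found.append(packet[pos + 2:pos + attr_len].decode("ascii", "replace"))
        pos += attr_len
    return found

def acl_to_apply(packet, configured_acls):
    """Pick the ACL number to apply, or None when no usable Filter-Id is present."""
    # Assumption: the value is a plain decimal ACL number.
    for value in filter_ids(packet):
        if value.isdigit() and int(value) in configured_acls:
            return int(value)
    return None

# Constructed sample: Access-Accept, identifier 7, zeroed authenticator,
# Reply-Message (type 18) followed by Filter-Id "102".
_attrs = build_attr(18, b"welcome") + build_attr(FILTER_ID, b"102")
SAMPLE = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(_attrs)) + bytes(16) + _attrs

if __name__ == "__main__":
    print(filter_ids(SAMPLE), acl_to_apply(SAMPLE, {101, 102}))
```

A Filter-Id that names an ACL missing from the configured set yields `None`, so a caller can treat the mismatch as a policy failure instead of granting unrestricted access.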