ACL assignment
You can specify an ACL for an 802.1X user to control the user's access to network resources. After the user passes 802.1X authentication, the authentication server assigns the ACL to the access port to filter traffic for this user. The authentication server can be the local access device or a RADIUS server. In either case, you must configure the ACL on the access device.
To change the access control criteria for the user, you can use one of the following methods:
Modify ACL rules on the access device.
Specify another authorization ACL on the authentication server.
The supported authorization ACLs include the following types:
Basic ACLs numbered in the range of 2000 to 2999.
Advanced ACLs numbered in the range of 3000 to 3999.
Layer 2 ACLs numbered in the range of 4000 to 4999.
For an authorization ACL to take effect, make sure the following requirements are met:
The ACL exists and has ACL rules.
Basic ACLs do not have rules configured with the fragment or vpn-instance keyword.
Layer 2 ACLs do not have rules configured with the cos, dest-mac, lsap, or source-mac keyword.
For more information about ACL configuration, see ACL and QoS Configuration Guide.
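The requirements listed above can be checked before an ACL number is referenced on the authentication server. The following is an added example, not code from the original page or the device vendor; the configuration text layout (`acl number N` followed by `rule ...` lines), the sample ACLs, and the function names are assumptions made for illustration.

```python
import re

# ACL ranges and the rule keywords that block an authorization ACL, as listed on the page.
RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999), "layer2": (4000, 4999)}
FORBIDDEN = {"basic": {"fragment", "vpn-instance"},
             "layer2": {"cos", "dest-mac", "lsap", "source-mac"}}

# Constructed sample configuration; the "acl number N" / "rule ..." layout is an assumption.
SAMPLE = """\
acl number 2000
 rule 0 permit source 10.1.1.0 0.0.0.255
 rule 5 deny source any fragment
#
acl number 3000
 rule 0 deny ip destination 10.0.0.1 0
#
acl number 3001
#
acl number 4000
 rule 0 permit source-mac 0011-2233-4455 ffff-ffff-ffff
#
"""

def parse_acls(config):
    """Map ACL number -> list of its rule lines."""
    acls, current = {}, None
    for line in map(str.strip, config.splitlines()):
        header = re.match(r"acl\s+\S+\s+(\d+)\b", line)
        if header:
            current = int(header.group(1))
            acls.setdefault(current, [])
        elif line.startswith("rule ") and current is not None:
            acls[current].append(line)
        elif line == "#":  # section separator ends the ACL view
            current = None
    return acls

def check_authorization_acl(number, acls):
    """Return the reasons the ACL would not take effect; an empty list means it passes."""
    kind = next((k for k, (lo, hi) in RANGES.items() if lo <= number <= hi), None)
    if kind is None:
        return [f"ACL {number} is outside the supported ranges"]
    if number not in acls:
        return [f"ACL {number} does not exist on the access device"]
    if not acls[number]:
        return [f"ACL {number} has no rules"]
    banned = FORBIDDEN.get(kind, set())
    return [f"ACL {number}: '{r}' uses {', '.join(sorted(banned & set(r.split())))}"
            for r in acls[number] if banned & set(r.split())]
```

Run against the sample, ACL 3000 passes, ACL 3001 fails because it has no rules, and ACLs 2000 and 4000 fail because of the `fragment` and `source-mac` keywords.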