ACL assignment
You can specify an authorization ACL in a MAC authentication user's account to control that user's access to network resources. After the user passes MAC authentication, the authentication server (local or remote) assigns the authorization ACL to the user's access port, and the ACL filters the user's traffic. Only traffic that matches a deny rule in the ACL is rejected. For the ACL assignment feature to work, you must configure the rules of the authorization ACL on the access device.
To change the access control criteria for the user, you can use one of the following methods:
Modify ACL rules on the access device.
Specify another authorization ACL on the authentication server.
The supported authorization ACLs include the following types:
Basic ACLs numbered in the range of 2000 to 2999.
Advanced ACLs numbered in the range of 3000 to 3999.
Layer 2 ACLs numbered in the range of 4000 to 4999 and matching specific destination MAC addresses.
For an authorization ACL to take effect, make sure the following requirements are met:
The ACL exists and has ACL rules.
Basic ACLs do not have rules configured with the fragment or vpn-instance keyword.
Layer 2 ACLs do not have rules configured with the cos, dest-mac, lsap, or source-mac keyword.
For more information about ACLs, see ACL and QoS Configuration Guide.
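The following Python script is an added example, not part of this guide or the device software. It pre-checks an ACL against the requirements listed above (number range for its type, at least one rule, none of the disallowed keywords) and then models the filtering behaviour the guide describes, where traffic is rejected only when it matches a deny rule. The ACL text format it parses is a constructed, simplified one built from the keyword names in the guide (`acl <type> <number>`, `rule <id> <permit|deny> ...`), not the device's exact CLI syntax; first-match rule evaluation and the wildcard-mask handling are also assumptions of the model.

```python
"""Pre-check and filtering model for a MAC-authentication authorization ACL.

Added example; the ACL text format is a simplified, constructed one that
follows the keyword names used in the guide, not the device's real syntax.
"""
import ipaddress

# Authorization ACL number ranges per type (from the guide).
RANGES = {"basic": (2000, 2999), "advanced": (3000, 3999), "layer2": (4000, 4999)}

# Rule keywords that disqualify an ACL from use as an authorization ACL (from the guide).
FORBIDDEN = {
    "basic": {"fragment", "vpn-instance"},
    "advanced": set(),
    "layer2": {"cos", "dest-mac", "lsap", "source-mac"},
}


def parse_acl(text):
    """Parse 'acl <type> <number>' followed by 'rule <id> <permit|deny> <options...>' lines."""
    acl = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "acl":
            acl = {"type": tokens[1], "number": int(tokens[2]), "rules": []}
        elif tokens[0] == "rule":
            if acl is None:
                raise ValueError("rule line before any 'acl' header")
            acl["rules"].append({"id": int(tokens[1]), "action": tokens[2], "options": tokens[3:]})
    if acl is None:
        raise ValueError("no 'acl' header found")
    return acl


def check_authorization_acl(acl):
    """Return a list of problems; an empty list means the ACL meets the guide's requirements."""
    problems = []
    if acl["type"] not in RANGES:
        return [f"unsupported ACL type {acl['type']!r}"]
    lo, hi = RANGES[acl["type"]]
    if not lo <= acl["number"] <= hi:
        problems.append(f"{acl['type']} ACL number {acl['number']} is outside {lo}-{hi}")
    if not acl["rules"]:
        problems.append("ACL exists but has no rules")
    for rule in acl["rules"]:
        hit = FORBIDDEN[acl["type"]].intersection(rule["options"])
        if hit:
            problems.append(f"rule {rule['id']} uses disallowed keyword(s) {sorted(hit)}")
    return problems


def _rule_matches(rule, src, dst):
    """Model of source/destination matching with wildcard masks (set bits = don't care).
    Other option tokens (e.g. the 'ip' protocol keyword) are ignored by this model."""
    opts = rule["options"]
    i = 0
    while i < len(opts):
        if opts[i] in ("source", "destination") and i + 2 < len(opts):
            addr = int(ipaddress.IPv4Address(opts[i + 1]))
            wild = int(ipaddress.IPv4Address(opts[i + 2]))
            pkt = int(ipaddress.IPv4Address(src if opts[i] == "source" else dst))
            if (pkt ^ addr) & ~wild & 0xFFFFFFFF:
                return False
            i += 3
        else:
            i += 1
    return True


def filter_verdict(acl, src, dst):
    """Authorization-ACL semantics from the guide: traffic is rejected only when it
    matches a deny rule. First matching rule wins (assumption); no match means permit."""
    for rule in sorted(acl["rules"], key=lambda r: r["id"]):
        if _rule_matches(rule, src, dst):
            return "deny" if rule["action"] == "deny" else "permit"
    return "permit"


# Constructed sample ACLs in the simplified format.
GOOD_ACL = "acl advanced 3001\nrule 0 deny ip destination 10.1.1.0 0.0.0.255\nrule 5 permit ip\n"
FRAGMENT_ACL = "acl basic 2001\nrule 0 deny source 10.0.0.0 0.255.255.255 fragment\n"
EMPTY_L2_ACL = "acl layer2 4000\n"
DENY_ONLY_ACL = "acl basic 2002\nrule 0 deny source 192.168.10.0 0.0.0.255\n"

if __name__ == "__main__":
    for name, text in [("GOOD", GOOD_ACL), ("FRAGMENT", FRAGMENT_ACL), ("EMPTY_L2", EMPTY_L2_ACL)]:
        print(name, check_authorization_acl(parse_acl(text)) or "OK")
    good = parse_acl(GOOD_ACL)
    print("10.2.2.2 -> 10.1.1.7:", filter_verdict(good, "10.2.2.2", "10.1.1.7"))
    print("10.2.2.2 -> 10.1.2.7:", filter_verdict(good, "10.2.2.2", "10.1.2.7"))
```

The `DENY_ONLY_ACL` sample is the case worth keeping in mind when writing an authorization ACL: because there is no implicit deny at the end, traffic the ACL does not mention is not rejected, so everything the user must not reach has to be covered by an explicit deny rule.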