I've been introducing Dot1x and dACL's into my environment previously I used to have ASA's and only a portion of the devices behind it. I feel like I missed a step or some grand understanding somewhere and that the standard acl is going backwards compared to having extended ACL's

I'm wondering at how  adaptive this can be. I have many different types of devices in the environment - so for example one department might have 10 instruments service different purposes with similar but different levels of access required.

Also I have some servers that are in  clusters and I don't get notified of IP changes or additions and this may create some intermittent issues. (Think a cluster of domain controllers across multiple sites)

On our ASA I would give access to AD such as any- mydomain.mycompany.com eq port group - this works great

on a DACL it seems like I would have to do "permit tcp any any eq 123" or "permit tcp any ip-or-subnet-1 eq 124" and "permit tcp any ip-or-subnet2 eq 125". I'm okay with this but is there a better way to do it - unfortunately "permit tcp any host mydomain.mycompany.com eq  123" fails the syntax check

I'm hoping to get to testing it later - but can I use the authorization profiles to apply more than one dACL to a wired/wireless device? In all the example and guides I've read it appears that I cannot do this.

For example, i would use dACL's to say "This device gets AD" "This device gets printer access" "This device gets shared drives access" etc.. then device 1A will get "AD" "Shared drive" dACLs and  device 2B will get "AD" "Printers" dACL's

This also makes no sense in my brain because I don't see ISE combining the lists and then sending it to the switch. But at this rate I might end up having 1000's of dACL's -