@Chris S Take a look at Understand 802.1x DACL, Per-User ACL, Filter-ID, and Device Tracking Behavior .

DACLs are usually for the access clients only. The network access device will replace the source portion of each ACE with the access client's IP address. For another device to access this client, we would likely need to allow any ports higher than 1024 from the access client's IP.

As I know the Per-User ACL use "IN" direction not "OUT"
and ip tracking resolve the IP of host and add it to dACL, i.e. permit ip any any will resolve by ip tracking to permit ip host x.x.x.x any 

now you can change the dacl 
instead of permit ip any any 
use
deny ip any any eq 455
permit ip any any 

try this way

MHM

I have always found this topic confusing, especially because we use the terms "source" and "destination" as if it's meant to be obvious. But it's only obvious if you mention in the same sentence, from whose perspective you're saying source/destination.

My assumption was always this: an ACL exists on an interface to check/control/protect data from attached endpoints entering the network. In other words, we don't naturally consider what to check/control from the network towards the endpoint.

What @davidgfriedman quite correctly stated earlier, I realised my confusion about the simple word inbound - but, inbound from whose perspective?

permit tcp any eq 455 any <--- inbound to port tcp/455 on the endpoint device)

Ok - the ACL syntax is  "source destination" - if I had to translate this into layman's terms I would read it as "accept data from the endpoint from any src addr where the TCP source port is 455, towards any destination address" - but in reality it's the other way around. It means "allow data TO the device on a service that is running on TCP/455".   e.g. a Linux server in the data center wants to access an endpoint at TCP/455. Okaaaaaaay .but then why is the source port TCP/455? The TCP connection is established from the data center and the TCP destination port would be 455.  My brain starts to hurt and it shuts down.

With some of the previous explanations it got a bit clearer. I even started having doubts that these ACE entries were perhaps stateful - but now I know they are not. I decided to test things in the lab to sort out my doubts. 

I used a C9300 switch that has a raspberry pi as the endpoint attached to Gig 1/0/22 - this interface is enabled for MAB and ISE authorized the session with a dACL. I built up the dACL in various stages to see what worked, and what didn't - e.g.

• from switch: ping the raspi 
• from switch: ssh to the raspi 
• from raspi: ping default gw
• from raspi: ssh to an Ubuntu server

I put this into layman's terms to keep as a reference for myself

Maybe the better question would be to ask how everybody handles onboarding new computers to the network?  Our method was to have ISE push a default dACL policy to allow minimal access to systems (dns, active directory, cert enrollment, PDQ) .. then once the device would pass posture, ISE would change the dACL to allow for full access.

Default dACL:

remark PDQ
permit tcp any host 172.30.8.106 eq 445
permit tcp any eq 445 host 172.30.8.106

remark DHCP
permit udp any any eq 68
remark DNS
permit udp any any eq 53
permit tcp any any eq 53
remark RFC1918
deny ip any 172.16.0.0 0.0.240.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.0.0.255
remark Internet
permit tcp any any eq 80
permit tcp any any eq 443