Urgent help needed with ACS5.4 for Juniper SRX please

paulf
Level 1

Hello again CSC,

Is there an ACS 5.x expert on this site who can help me setup for phone dot1x supplicants connected to Juniper SRX ports please?

- Our ACS setup works for phone supplicants on our Cisco 3750s & 6509s, but not on the Juniper SRX240.

- ACS logs are GREEN Authenticated but phones still not getting link, or dhcp, and not registered.

- If I disable dot1x on Juniper switch ports the phones work perfectly.

I have configured Policy Element > Authorisation Profile "cisco-av-pair device-traffic-class=voice" so phones can access voice-vlans on the Cisco NASs.

Do I need an equivalent policy for a Juniper NAS please?

I asked this question previously and just hoping for better luck this time.

Regards,

Paul

3 Replies

edwjames
Level 3

Paul,

See if this helps:

http://blog.inetsix.net/2012/10/802-1x-layer-2-scenario-juniper-ex-series-sample-configuration/

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Hi Ed,

I may be missing your point, but I see nothing ACS-related in that link, just general descriptive guff about dot1x technology. But thanks anyway for posting...

Paul,

I agree, nothing ACS related, but I don't think you need anything on the ACS for this.

Which mode are you using?

  • supplicant single; #will authenticate the first device seen on the switch port, and open the port globally
  • supplicant single-secure; #will authenticate only the first device on the switch port and open the port for it, but will drop traffic for other @mac (to avoid an authenticated client behind a hub device opening the port for many unauthenticated clients, which is possible in “single” mode)
  • supplicant multiple; #will authenticate each client (on a @mac basis) separately. Each one can belong to a different vlan or have its specific options. Max limit is 8 devices per port actually on EX series.
  • mac-radius: Activate mac-radius authentication. If a device can’t answer EAPol “request identity” frames, the EX will forge a Radius access-request using @mac as username to authenticate the client (if the authentication is configured to accept this case). It is very useful to authenticate IP Phones for example, or other devices like printers, IP cameras, which don’t have 802.1x functionalities. Note that this mode is way more insecure than a real 802.1X authentication.
  • The number of EAPol retries from EX before passing to mac-radius mode can be configured in “Protocols > Dot1x”
  • mac-radius restrict; #The mac-radius described will be used only, no EAPol frames will be sent from EX to client, EX will take client @mac and send a Radius access request with it as soon as it sees the device.

I will see if I can help.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

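A Junos configuration sketch of the switch-side setup Ed's list describes (RADIUS pointed at the ACS, `single-secure` on a port with one phone, `multiple` plus `mac-radius` fallback on a phone-with-PC port, and the voice VLAN assigned on the switch rather than via an ACS attribute), added here as an example; it is not from the thread or from Juniper documentation. The interface names, RADIUS address, secret, profile name and VLAN name are placeholders, and it assumes the EX-series `protocols dot1x` / `ethernet-switching-options voip` hierarchy also applies to the SRX240's switching ports.

```junos
/* RADIUS server = the ACS 5.4 node; address and secret are placeholders */
access {
    radius-server {
        192.0.2.10 {
            secret "CHANGE-ME";
            source-address 192.0.2.1;
        }
    }
    profile dot1x-acs {
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name dot1x-acs;
            interface ge-0/0/1.0 {
                /* one phone per port, no fallback: any other MAC behind it is dropped */
                supplicant single-secure;
            }
            interface ge-0/0/2.0 {
                /* phone with a PC behind it: every MAC is authenticated on its own */
                supplicant multiple;
                /* after the EAPOL retries below, a silent device is sent to the
                   ACS as a MAC-username request instead of being left unauthorized */
                mac-radius;
                retries 3;
            }
        }
    }
}
/* voice VLAN is tagged on the switch port, so no cisco-av-pair is needed from ACS */
ethernet-switching-options {
    voip {
        interface ge-0/0/2.0 {
            vlan voice;
            forwarding-class expedited-forwarding;
        }
    }
}
```

With `mac-radius` the ACS must have a matching MAC-address (host lookup) authentication rule, otherwise the phone falls back to nothing and shows exactly the no-link, no-DHCP symptom in the original post.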