Catalyst 3560G 15.0(2)SE11 802.1x per user IPv6 ACL?

I have successfully implemented per-user IPv4 ACLs with 802.1x authentication using MS NPS using the Cisco Vendor Specific attributes 'ip:inacl#1=permit ip x x' and this works fine and this appears on the switch when a user/computer authenticates:

cat-3560g#sho authentication sessions interface gigabitEthernet 0/2
            Interface:  GigabitEthernet0/2
          MAC Address:  0021.9b23.9607
           IP Address:  192.168.80.3
            User-Name:  DOMAIN\user
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
         Per-User ACL:  permit ip any any
         Per-User ACL:  permit ipv6 any any
      Session timeout:  10800s (server), Remaining: 8323s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A3E01FE0000046A2B9AEAAF
      Acct Session ID:  0x0000054E
               Handle:  0x6E00046B

Runnable methods list:
       Method   State
       dot1x    Authc Success

As you can see I am also pushing down an IPv6 ACL (ipv6:inacl#1=permit ipv6 any any) from the NPS server as well however this doesn't appear to do anything.  There are no dynamic per-user IPv6 ACLs created like there are with IPv4:

Extended IP access list GigabitEthernet0/2#IP#6369F7C (per-user)
    10 permit ip any any (110 matches)

The switch is obviously receiving it correctly from the NPS server but isn't acting on it.

Is this just a limitation of this platform?  I realise it is an EoL platform, however feature wise (i.e. 1Gbps PoE switch) I still see lots of these in the field.

Andy

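The post above shows the switch receiving two Cisco-AVPair strings ('ip:inacl#1=...' and 'ipv6:inacl#1=...') in the RADIUS Access-Accept. The following is an added example, not code from the post or from Cisco or Microsoft, that builds and decodes those attributes the way they travel on the wire so that what NPS is sending can be checked independently of what the switch does with it: each AV-pair is a RADIUS Vendor-Specific Attribute (type 26, RFC 2865) carrying Cisco's IANA vendor ID 9 and vendor-type 1 ("Cisco-AVPair"). The parser also rejects a per-user ACL string whose address family does not match the ACE (for instance 'ipv6:inacl#1=permit ip any any'), a mismatch that a switch would ignore without complaint. The AV-pair grammar, the set of protocol keywords accepted per family, and the sample attribute bytes are assumptions/simplifications constructed for the example; the example says nothing about whether the 3560G applies the IPv6 ACL, which is the open question in the post.

```python
import re
import struct

# RADIUS constants: RFC 2865 Vendor-Specific attribute (type 26); Cisco's IANA
# enterprise number is 9; vendor-type 1 is "Cisco-AVPair", sent as a string.
RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1
# 255 (one-byte attribute length) - 6 (type, length, vendor id) - 2 (vendor type, vendor length)
MAX_AVPAIR_LEN = 247

# Matches 'ip:inacl#1=permit ip any any' and 'ipv6:inacl#1=permit ipv6 any any'
ACL_AVPAIR_RE = re.compile(r"^(?P<family>ip|ipv6):inacl#(?P<seq>\d+)=(?P<ace>\S.*)$")

# Assumed (simplified) set of protocol keywords allowed after permit/deny per family
PROTOCOLS = {
    "ip": {"ip", "tcp", "udp", "icmp"},
    "ipv6": {"ipv6", "tcp", "udp", "icmp"},
}


def parse_acl_avpair(avpair):
    """Split a per-user ACL AV-pair into (family, sequence, ace).

    Raises ValueError on a string the switch would reject or silently ignore:
    wrong prefix, empty ACE, missing permit/deny, or an address-family mismatch
    such as 'ipv6:inacl#1=permit ip any any'.
    """
    m = ACL_AVPAIR_RE.match(avpair)
    if not m:
        raise ValueError("not an inacl AV-pair: %r" % avpair)
    family, seq, ace = m.group("family"), int(m.group("seq")), m.group("ace").strip()
    words = ace.split()
    if len(words) < 2 or words[0] not in ("permit", "deny"):
        raise ValueError("ACE must start with permit/deny: %r" % ace)
    if words[1] not in PROTOCOLS[family]:
        raise ValueError("protocol %r is not valid in an %s ACL" % (words[1], family))
    return family, seq, ace


def encode_cisco_avpair(avpair):
    """Encode one Cisco-AVPair string as a RADIUS VSA and return the bytes."""
    data = avpair.encode("ascii")
    if len(data) > MAX_AVPAIR_LEN:
        raise ValueError("AV-pair too long for one VSA (%d > %d)" % (len(data), MAX_AVPAIR_LEN))
    # attribute type, attribute length, vendor id, vendor type, vendor length, then the string
    header = struct.pack("!BBIBB", RADIUS_VSA_TYPE, 8 + len(data),
                         CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, 2 + len(data))
    return header + data


def decode_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return every Cisco-AVPair string in it.

    Other attributes and non-Cisco VSAs are skipped; a length that runs past
    the buffer raises instead of being read out of bounds.
    """
    out = []
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor_id, vtype, vlen = struct.unpack("!IBB", attrs[pos + 2:pos + 8])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE and vlen == alen - 6:
                out.append(attrs[pos + 8:pos + alen].decode("ascii"))
        pos += alen
    return out


def per_user_acls(avpairs):
    """Group AV-pairs into the per-family ACL the switch would build, in inacl# order."""
    acls = {}
    for avpair in avpairs:
        family, seq, ace = parse_acl_avpair(avpair)
        acls.setdefault(family, []).append((seq, ace))
    return {fam: [ace for _, ace in sorted(entries)] for fam, entries in acls.items()}


if __name__ == "__main__":
    # Constructed sample: the two AV-pairs shown in the post, as NPS would send them
    sample = b"".join(encode_cisco_avpair(s) for s in
                      ["ip:inacl#1=permit ip any any", "ipv6:inacl#1=permit ipv6 any any"])
    for fam, aces in per_user_acls(decode_cisco_avpairs(sample)).items():
        for ace in aces:
            print("%s Per-User ACL: %s" % (fam, ace))
```

To compare against a real Access-Accept, feed `decode_cisco_avpairs` the attribute section of a captured RADIUS reply (everything after the 20-byte header); if both AV-pairs come back, NPS is sending the IPv6 entry and the remaining question is the switch's handling of it.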