I have successfully implemented per-user IPv4 ACLs with 802.1x authentication using MS NPS, using the Cisco Vendor Specific attributes 'ip:inacl#1=permit ip x x'. This works fine, and this appears on the switch when a user/computer authenticates:
cat-3560g#sho authentication sessions interface gigabitEthernet 0/2
Interface: GigabitEthernet0/2
MAC Address: 0021.9b23.9607
IP Address: 192.168.80.3
User-Name: DOMAIN\user
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Per-User ACL: permit ip any any
Per-User ACL: permit ipv6 any any
Session timeout: 10800s (server), Remaining: 8323s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A3E01FE0000046A2B9AEAAF
Acct Session ID: 0x0000054E
Handle: 0x6E00046B
Runnable methods list:
Method State
dot1x Authc Success
As you can see, I am also pushing down an IPv6 ACL (ipv6:inacl#1=permit ipv6 any any) from the NPS server as well; however, this doesn't appear to do anything. There are no dynamic per-user IPv6 ACLs created like there are with IPv4:
Extended IP access list GigabitEthernet0/2#IP#6369F7C (per-user)
10 permit ip any any (110 matches)
The switch is obviously receiving it correctly from the NPS server but isn't acting on it.
Is this just a limitation of this platform? I realise it is an EoL platform; however, feature-wise (i.e. a 1Gbps PoE switch) I still see lots of these in the field.
Andy
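As an added example (not part of Andy's post and not Cisco or Microsoft code), the script below shows the two halves of the problem described above: how the `ip:inacl#N=` / `ipv6:inacl#N=` values are built for the Cisco AV-pair RADIUS attribute (vendor 9, `cisco-av-pair`), and a check that compares what `show authentication sessions` reports as received Per-User ACLs against which dynamic per-user ACLs actually exist on the switch. The sample outputs are constructed from the lines quoted in the post; the regular expressions, the assumption that an installed IPv6 dynamic ACL would be listed under an `IPv6 access list ... (per-user)` heading, and all function names are assumptions of this example.

```python
import re

# Constructed sample: the relevant lines of the "show authentication sessions"
# output quoted in the post (IPv4 and IPv6 per-user ACLs both received).
SESSION_OUTPUT = """\
Interface: GigabitEthernet0/2
MAC Address: 0021.9b23.9607
IP Address: 192.168.80.3
User-Name: DOMAIN\\user
Status: Authz Success
Per-User ACL: permit ip any any
Per-User ACL: permit ipv6 any any
Session timeout: 10800s (server), Remaining: 8323s
"""

# Constructed sample: the dynamic ACL listing from the post; only an IPv4
# per-user ACL was instantiated by the switch.
ACL_OUTPUT = """\
Extended IP access list GigabitEthernet0/2#IP#6369F7C (per-user)
    10 permit ip any any (110 matches)
"""


def build_inacl_avpairs(aces):
    """Turn a list of ACE strings into the cisco-av-pair values an NPS policy
    would send. ACEs whose protocol token is 'ipv6' become ipv6:inacl#N=...,
    everything else becomes ip:inacl#N=...; each family is numbered from 1."""
    counters = {"ip": 0, "ipv6": 0}
    pairs = []
    for ace in aces:
        tokens = ace.split()
        family = "ipv6" if len(tokens) > 1 and tokens[1] == "ipv6" else "ip"
        counters[family] += 1
        pairs.append(f"{family}:inacl#{counters[family]}={ace}")
    return pairs


def parse_session_acls(text):
    """Return the per-user ACEs the switch reports it received, keyed by
    address family, from 'show authentication sessions' output."""
    received = {"ip": [], "ipv6": []}
    for m in re.finditer(r"^\s*Per-User ACL:\s*(.+)$", text, re.M):
        ace = m.group(1).strip()
        family = "ipv6" if ace.split()[1:2] == ["ipv6"] else "ip"
        received[family].append(ace)
    return received


def parse_dynamic_acls(text):
    """Return the set of families for which a dynamic per-user ACL exists.
    Assumption: an IPv4 entry is headed 'Extended IP access list ... (per-user)'
    and an IPv6 entry would be headed 'IPv6 access list ... (per-user)'."""
    installed = set()
    pattern = r"^(?:Extended )?(IP|IPv6) access list \S+ \(per-user\)"
    for m in re.finditer(pattern, text, re.M):
        installed.add("ipv6" if m.group(1) == "IPv6" else "ip")
    return installed


def missing_families(session_text, acl_text):
    """Families that the session shows as received Per-User ACLs but for which
    the switch created no dynamic ACL, i.e. ACLs accepted but not enforced."""
    received = parse_session_acls(session_text)
    installed = parse_dynamic_acls(acl_text)
    return sorted(f for f, aces in received.items() if aces and f not in installed)


if __name__ == "__main__":
    for pair in build_inacl_avpairs(["permit ip any any", "permit ipv6 any any"]):
        print("cisco-av-pair =", pair)
    gap = missing_families(SESSION_OUTPUT, ACL_OUTPUT)
    print("received but not enforced:", gap or "none")
```

Run against the two constructed outputs, the check reports `ipv6` as received but not enforced, which is exactly the symptom in the post: an authorization result that looks complete on the session but leaves IPv6 traffic unfiltered by the intended per-user policy.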