The dynamic IPv4 ACL delivered from the RADIUS server does not take effect for a MAC-authenticated terminal that has IPv6 enabled along with IPv4, even though authentication is successful. The ACL status is “Ineffective”.
When IPv6 is enabled on the terminal, the MAC authentication process can be triggered by a DHCPv6 request packet. In that case the switch flags the user as an IPv6 client when creating the access table, so the IPv4 ACL is not applied. This can happen because, by default, the switch triggers MAC authentication when it receives a DHCP, ARP, DHCPv6, or ND packet.
To solve the problem, use the “authentication trigger-condition dhcp arp” command in the system view so that only ARP and DHCP packets trigger MAC authentication.
# Configure the device to trigger MAC address authentication only through DHCP and ARP packets.
[HUAWEI] authentication trigger-condition dhcp arp