We recently upgraded the code on our enterprise Cisco 4506 and are testing out the new hostmode multi-auth commands. However, using dot1x with this, I cannot quarantine with VLANs because they do not work when a port is in multi-auth. They do, however, support downloadable ACLs.
In the past, I have tested using Cisco VSA for Cisco-av-pair on a 3560 and it worked, using the format:

    ip:inacl#1=permit ip any host 1.1.1.1
    ip:inacl#2=permit ip any any
    ...

However, this does not appear to be working on the 4506.
We have the following commands enabled per the Cisco documentation:

    ip device tracking
    radius-server vsa send authentication

These are also set:

    aaa authentication dot1x default group radius
    aaa authorization network default group radius

Anyone know how to quarantine when a port is using hostmode multi-auth?