Operating notes for IPv6 applications

  • For RADIUS ACL applications the switch operates in a dual-stack mode, and a RADIUS-assigned ACL filters both IPv4 and IPv6 traffic. At a minimum, a RADIUS-assigned ACL automatically includes the implicit deny for both IPv4 and IPv6 traffic. Thus, an ACL configured on a RADIUS server to filter IPv4 traffic also denies inbound IPv6 traffic from an authenticated client unless the ACL includes ACEs that permit the desired IPv6 traffic. The reverse is true for a dynamic ACL configured on RADIUS server to filter IPv6 traffic. (ACLs are based on the MAC address of the authenticating client.) For more information, see the latest ArubaOS-Switch Access Security Guide for your switch.

  • To support authentication of IPv6 clients:
    • The VLAN to which the port belongs must be configured with an IPv6 address.

    • Connection to an IPv6-capable RADIUS server must be supported.

  • For 802.1X or MAC authentication methods, clients can authenticate regardless of their IP version (IPv4 or IPv6).

  • For the web authentication method, clients must authenticate using IPv4. However, this does not prevent the client from using a dual stack, or the port receiving a RADIUS-assigned ACL configured with ACEs to filter IPv6 traffic.

  • The RADIUS server must support IPv4 and have an IPv4 address. RADIUS clients can be dual stack, IPv6-only, or IPv4-only.

  • 802.1X rules for client access apply to both IPv6 and IPv4 clients for RADIUS-assigned ACLs. See 802.1X user-based and port-based applications.