I presume you added this into the Network Access Restrictions (NAR) section of ACS. Did you add it into the IP-Based Access Restriction section, or the CLI/DNIS-based section below it?
Which section ACS uses here depends on whether or not the NAS (LMS in this case) sends the "caller-id" or "calling-station-id" attribute in the request with an IP address. I have no idea if LMS does this, but if it's not working in the IP-based section, try adding it into the CLI/DNIS section and see how that goes.
Switches, and most other devices, DO send an IP address in the calling-station-id attribute so that's why that is working in the IP-based section. A good example of this is the VPN3000 which does NOT send an IP address, so it has to be added into the CLI/DNIS section for restrictions to work.