Downloadable ACL with AS5350

Unanswered Question
Feb 6th, 2007


Anybody knows if Downloadable ACL's with the AS5350 and ACS work? I tried it with ACS 3.3 and IOS 12.3(11)T11, because i red that this feature should be supportet on IOS from 12.3(8)T on. But it doesn't work. When I debug the radius authorization, i get the following error:

Feb 5 12:23:39.994: RADIUS: Cisco AVpair [1] 62 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-RAS_default-45c7006e"

Feb 5 12:23:39.994: AAA/ATTR: unrecognized attribute prefix: "ACS" (WARNING)

Looks like the AS5350 doesn't understand this attribute. Anybody knows anything helpfull?

Best regards


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
swharvey Tue, 02/06/2007 - 16:07

Hi Simon,

I cannot speak to Downloadable ACL's with the AS5300 product, as I have never done it, however, I have successfully implemented Dynamic inbound acl's on a per user and per group based for dial access with TACACS+ on ACS 3.1 with an AS5300. With this option, you enable "PPP IP" and "Custom attributes" within the TACACS+ Settings section of the group or user, then define the access list you wish to implement. Syntax is important, and below is an example of the format allowing a source subnet to a host for port ssh (Note: this is dynamic acl syntax, not downloadable acl syntax):

inacl#1=permit ip x.x.x.x host y.y.y.y eq 22

In addition, one other pre-requisite with this option is that the ACS local database must be used (you cannot use LDAP or integrate with AD).

Now, if this does not help and you must use Downloadable ACL's, please see the following URLs/PDFs that may be helpful:

Warning on Vulnerability with ACS 3.0-3.3.3:

Hope this helps, if so please rate.




This Discussion