08-03-2009 10:58 AM - edited 03-10-2019 04:37 PM
Our environment is the ACS 5 eval, patched, running under VMWare Server 2 (patched) on Windows Server 2008. Current policy/profile configurations allow PEAP and EAP-TLS authentication with VLAN assignment coming from ACS to a 3560G switch.
I am trying to test a simple downloadable ACL with ACS 5 and a 3560G switch, but am not sure what the format should look like.
What works:
If I go into Policy Elements -> Auth & Permissions -> Network Access -> Authorization Profile -> ApplydACL (my profile) -> Radius Attributes and create custom radius attributes like below, everything works great:
cisco-av-pair string ip:inacl#1=deny icmp any any echo
cisco-av-pair string ip:inacl#2=deny icmp any any echo-reply
cisco-av-pair string ip:inact#3=permit ip any any
What doesn't work:
If I go into Policy Elements -> Auth & Permissions -> Network Access -> Authorization Profile -> ApplydACL (my profile) -> Common Tasks and enable the static downloadable ACL (NoICMPdACL), it doesn't work. I have tried two different downloadable ACLs (shown way down below). Neither ACL takes effect (client can ping others, others can ping client), and we see the following text on the switch console with RADIUS debugging enabled:
RADIUS: User-Name [1] 16 "8021X\rnbarret"
RADIUS: Class [25] 20
RADIUS: 63 72 72 61 63 73 2F 33 38 36 38 37 35 31 39 2F [crracs/38687519/]
RADIUS: 32 34 [ 24]
RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
RADIUS: EAP-Message [79] 6
RADIUS: 03 6F 00 04 [ o]
RADIUS: Message-Authenticato[80] 18
RADIUS: 33 D3 AA 3F 7D 1D A2 C8 D9 08 10 0E 81 6E A8 C0 [ 3?}n]
RADIUS: Tunnel-Private-Group[81] 5 01:"13"
RADIUS: Vendor, Cisco [26] 67
RADIUS: Cisco AVpair [1] 61 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NoICMPdACL-4a77275c"
RADIUS: Vendor, Microsoft [26] 58
RADIUS: MS-MPPE-Send-Key [16] 52 *
RADIUS: Vendor, Microsoft [26] 58
RADIUS: MS-MPPE-Recv-Key [17] 52 *
RADIUS(00000023): Received from id 1645/19
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
RADIUS: Received from id 1646/51 192.168.2.201:1646, Accounting-response, len 20
This ACL text does not work:
deny icmp any any echo
deny icmp any any echo-reply
permit ip any any
This ACL text also does not work:
ip:inacl#1=deny icmp any any echo
ip:inacl#2=deny icmp any any echo-reply
ip:inact#3=permit ip any any
Does anyone know what I'm doing wrong?
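An added example, not from the original post or from Cisco: a small Python checker for the two ACL texts tried above. It accepts either bare ACEs (the dACL body entered under Common Tasks) or hand-written `ip:inacl#N=` av-pair values, flags any line whose prefix is not exactly `ip:inacl#N=` (such as the `ip:inact#3` line above), and warns when no permit ACE is present; the ACE grammar is a constructed minimal one covering only the permit/deny any-any forms in the thread.

```python
import re

# One ACE per cisco-av-pair value, prefixed "ip:inacl#<seq>=" (the sequence
# number orders the entries when the switch assembles the ACL).
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
# Constructed minimal ACE grammar: only the permit/deny any-any forms used in
# the thread, with an optional ICMP message type (echo, echo-reply).
ACE_RE = re.compile(r"^(permit|deny)\s+(ip|icmp|tcp|udp)\s+any\s+any(?:\s+(\S+))?$")

def check_dacl(lines):
    """Validate ACL text and return (mode, errors).

    mode is 'named' for bare ACEs (the dACL body stored in ACS and fetched
    by name), 'avpair' for hand-written ip:inacl#N= values, None if mixed.
    """
    errors, modes, seqs, aces = [], set(), set(), []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        m = AVPAIR_RE.match(line)
        if m:
            modes.add("avpair")
            seq, ace = int(m.group(1)), m.group(2)
            if seq in seqs:
                errors.append(f"line {n}: duplicate sequence #{seq}")
            seqs.add(seq)
        elif any(c in line for c in ":#="):
            # Looks like an av-pair but the key is wrong (e.g. 'ip:inact#3'):
            # the switch ignores an av-pair key it does not recognize, so the
            # ACE is silently lost.
            errors.append(f"line {n}: unrecognized prefix {line.split('=')[0]!r}, "
                          "expected 'ip:inacl#N='")
            continue
        else:
            modes.add("named")
            ace = line
        if ACE_RE.match(ace):
            aces.append(ace)
        else:
            errors.append(f"line {n}: unparsable ACE {ace!r}")
    if len(modes) > 1:
        errors.append("mixed prefixed and bare ACE lines")
    if aces and not any(a.startswith("permit") for a in aces):
        errors.append("no permit ACE: the implicit deny at the end drops all other traffic")
    return (modes.pop() if len(modes) == 1 else None), errors

def to_avpairs(aces):
    """Render bare ACEs as the ip:inacl#N= values used in the working profile."""
    return [f"ip:inacl#{i}={a.strip()}" for i, a in enumerate(aces, 1) if a.strip()]
```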
08-03-2009 11:13 AM
Here's what I think is the relevant detail from the ACS RADIUS auth report (for a successful authentication, but the downloadable ACL does not appear to be functioning):
User-Name=8021X\robertbarrett
Tunnel-Type=(tag=1) VLAN
Tunnel-Medium-Type=(tag=1) 802
Tunnel-Private-Group-ID=(tag=1) 13
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NoICMPdACL-4a77275c
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
Matched rule
Selected Identity Source
Authenticating user against Active Directory
ACS has not been able to confirm previous successful machine/host authentication for user in Active Directory
User's Groups retrieval from Active Directory succeeded
User authentication against Active Directory succeeded
Authentication Passed
Evaluating Group Mapping Policy
Group Mapping Policy not configured
EAP-MSCHAP authentication attempt passed
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
Extracted EAP-Response for inner method containing MSCHAP challenge-response
Inner EAP-MSCHAP authentication succeeded
Prepared EAP-Success for inner EAP method
PEAP inner method finished successfully
Prepared EAP-Request with another PEAP challenge
Returned RADIUS Access-Challenge
Received RADIUS Access-Request
RADIUS is re-using an existing session
Extracted EAP-Response containing PEAP challenge-response
PEAP authentication succeeded
Prepared EAP-Success
External Policy Check Policy not configured
Evaluating Exception Authorization Policy
No rule was matched
Evaluating Authorization Policy
Matched rule
Selected Authorization Profile
Added the dACL specified in the Authorization Profile
Returned RADIUS Access-Accept
10-07-2013 06:35 PM
Hi Rob,
I have the same problem and my DACL doesn't work. Were you able to fix the problem? Can you specify how the DACL would take effect? Much appreciated. Thanks.