Format for ACS 5 Downloadable ACL?

Our environment is the ACS 5 eval, patched, running under VMWare Server 2 (patched) on Windows Server 2008. Current policy/profile configurations allow PEAP and EAP-TLS authentication with VLAN assignment coming from ACS to a 3560G switch.

I am trying to test a simple downloadable ACL with ACS 5 and a 3560G switch, but am not sure what the format should look like.

What works:

If I go into Policy Elements -> Auth & Permissions -> Network Access -> Authorization Profile -> ApplydACL (my profile) -> Radius Attributes and create custom radius attributes like below, everything works great:

cisco-av-pair string ip:inacl#1=deny icmp any any echo

cisco-av-pair string ip:inacl#2=deny icmp any any echo-reply

cisco-av-pair string ip:inact#3=permit ip any any

What doesn't work:

If I go into Policy Elements -> Auth & Permissions -> Network Access -> Authorization Profile -> ApplydACL (my profile) -> Common Tasks and enable the static downloadable ACL (NoICMPdACL), it doesn't work. I have tried two different downloadable ACLs (shown way down below). Neither ACL takes effect (the client can ping others, others can ping the client), and we see the following text on the switch console with RADIUS debugging enabled:

RADIUS: User-Name [1] 16 "8021X\rnbarret"

RADIUS: Class [25] 20

RADIUS: 63 72 72 61 63 73 2F 33 38 36 38 37 35 31 39 2F [crracs/38687519/]

RADIUS: 32 34 [ 24]

RADIUS: Tunnel-Type [64] 6 01:VLAN [13]

RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]

RADIUS: EAP-Message [79] 6

RADIUS: 03 6F 00 04 [ o]

RADIUS: Message-Authenticato[80] 18

RADIUS: 33 D3 AA 3F 7D 1D A2 C8 D9 08 10 0E 81 6E A8 C0 [ 3?}n]

RADIUS: Tunnel-Private-Group[81] 5 01:"13"

RADIUS: Vendor, Cisco [26] 67

RADIUS: Cisco AVpair [1] 61 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NoICMPdACL-4a77275c"

RADIUS: Vendor, Microsoft [26] 58

RADIUS: MS-MPPE-Send-Key [16] 52 *

RADIUS: Vendor, Microsoft [26] 58

RADIUS: MS-MPPE-Recv-Key [17] 52 *

RADIUS(00000023): Received from id 1645/19

RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up

RADIUS: Received from id 1646/51 192.168.2.201:1646, Accounting-response, len 20

This ACL text does not work:

deny icmp any any echo

deny icmp any any echo-reply

permit ip any any

This ACL text also does not work:

ip:inacl#1=deny icmp any any echo

ip:inacl#2=deny icmp any any echo-reply

ip:inact#3=permit ip any any

Does anyone know what I'm doing wrong?
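As an added example (not from the post, and not ACS or IOS code), here is a small Python checker that distinguishes the two attribute styles shown above: inline `cisco-av-pair` entries of the form `ip:inacl#N=<ACE>` versus the named-dACL reference `ACS:CiscoSecure-Defined-ACL=#ACSACL#-...` that the switch logs. It validates each inline entry, flags any `ip:<something>#N=` prefix other than `ip:inacl`, and pulls the dACL reference out of `debug radius` lines. The sample attributes and debug lines are constructed from the values in the post; accepting only `ip:inacl` as the inline prefix is an assumption of this checker.

```python
import re

# Constructed sample input, copied from the attribute values in the post.
INLINE_AVPAIRS = [
    "ip:inacl#1=deny icmp any any echo",
    "ip:inacl#2=deny icmp any any echo-reply",
    "ip:inact#3=permit ip any any",
]
SAMPLE_DEBUG = [
    'RADIUS: Tunnel-Private-Group[81] 5 01:"13"',
    'RADIUS: Vendor, Cisco [26] 67',
    'RADIUS: Cisco AVpair [1] 61 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NoICMPdACL-4a77275c"',
]

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
NAMED_RE = re.compile(r"^ACS:CiscoSecure-Defined-ACL=(#ACSACL#-IP-\S+)$")
# Minimal ACE grammar: action, protocol, then at least one source/destination token.
ACE_RE = re.compile(r"^(permit|deny)\s+(ip|icmp|tcp|udp)\s+\S+(?:\s+\S+)*$")
DEBUG_AVPAIR_RE = re.compile(r'RADIUS:\s+Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]+)"')


def classify_avpair(value):
    """Return ('named', acl_ref), ('inline', seq, ace) or ('invalid', reason)."""
    m = NAMED_RE.match(value)
    if m:
        return ("named", m.group(1))
    m = INACL_RE.match(value)
    if m:
        seq, ace = int(m.group(1)), m.group(2).strip()
        if not ACE_RE.match(ace):
            return ("invalid", f"bad ACE text: {ace!r}")
        return ("inline", seq, ace)
    # 'ip:<word>#N=' with a prefix other than inacl is almost certainly a typo (e.g. ip:inact).
    if re.match(r"^ip:\w+#\d+=", value):
        return ("invalid", f"unrecognised prefix in {value!r} (expected ip:inacl#N=)")
    return ("invalid", f"not a recognised cisco-av-pair: {value!r}")


def check_inline_acl(avpairs):
    """Validate an inline dACL: every entry parses and sequence numbers run 1..N."""
    problems, seqs = [], []
    for v in avpairs:
        r = classify_avpair(v)
        if r[0] != "inline":
            problems.append(r[1])
            continue
        seqs.append(r[1])
    if seqs != list(range(1, len(seqs) + 1)):
        problems.append(f"sequence numbers not contiguous: {seqs}")
    return problems


def dacl_reference_from_debug(lines):
    """Return the named-dACL reference found in 'debug radius' output, or None."""
    for line in lines:
        m = DEBUG_AVPAIR_RE.search(line)
        if m and classify_avpair(m.group(1))[0] == "named":
            return classify_avpair(m.group(1))[1]
    return None
```

Running `check_inline_acl(INLINE_AVPAIRS)` on the constructed sample reports exactly the third entry, whose prefix is not `ip:inacl`.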


Here's what I think is the relevant detail from the ACS RADIUS auth report (for a successful authentication, but the downloadable ACL does not appear to be functioning):

User-Name=8021X\robertbarrett

Tunnel-Type=(tag=1) VLAN

Tunnel-Medium-Type=(tag=1) 802

Tunnel-Private-Group-ID=(tag=1) 13

cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-NoICMPdACL-4a77275c

Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated

Evaluating Identity Policy

Matched rule

Selected Identity Source

Authenticating user against Active Directory

ACS has not been able to confirm previous successful machine/host authentication for user in Active Directory

User's Groups retrieval from Active Directory succeeded

User authentication against Active Directory succeeded

Authentication Passed

Evaluating Group Mapping Policy

Group Mapping Policy not configured

EAP-MSCHAP authentication attempt passed

Prepared EAP-Request with another PEAP challenge

Returned RADIUS Access-Challenge

Received RADIUS Access-Request

RADIUS is re-using an existing session

Extracted EAP-Response containing PEAP challenge-response

Extracted EAP-Response for inner method containing MSCHAP challenge-response

Inner EAP-MSCHAP authentication succeeded

Prepared EAP-Success for inner EAP method

PEAP inner method finished successfully

Prepared EAP-Request with another PEAP challenge

Returned RADIUS Access-Challenge

Received RADIUS Access-Request

RADIUS is re-using an existing session

Extracted EAP-Response containing PEAP challenge-response

PEAP authentication succeeded

Prepared EAP-Success

External Policy Check Policy not configured

Evaluating Exception Authorization Policy

No rule was matched

Evaluating Authorization Policy

Matched rule

Selected Authorization Profile

Added the dACL specified in the Authorization Profile

Returned RADIUS Access-Accept

amarkhan_1

Hi Rob,

I have the same problem and my DACL doesn't work. Were you able to fix the problem? Can you specify how the DACL would take effect? Much appreciated. Thanks.
