IOS Router + VPN + ACS + Downloadable IP Acls

martinwicher
Level 1

I want to use the Feature "Downloadable IP Acls" on a 3825 VPN-router (IOS 12.4T) in combination with an ACS.

In many documents and discussions I read that it is possible to use dACLs on "Cisco devices running IOS version 12.3(8)T or greater".

The authentication and authorization by the ACS is working and the device gets some parameters by the av-pair-feature.

I tried several things to apply the dACLs like using av-pairs or the ACS-feature "Downloadable IP ACLs", but nothing works.

In the debug log I see that the av-pair is handed to the device, but it is not used.

--> Can you tell me, if it is possible to use dACLs on IOS routers?

--> How does it work? What can I change?

--> Is there a good manual to implement it?

Thanks for your help!

Martin

9 Replies

Kevin Morales
Level 1

I have the same problem, please help!!!

I too posted a new question with exactly the same issue.

Easiest way to implement downloadable ACLs is via VPN + auth-proxy (on router) or cut-through proxy (ASA/PIX/FWSM).

What are other requirements you might have for this setup?

I think the auth-proxy feature is not the right thing for me, because I don't want to use a kind of browser authentication. But thanks for your suggestion. Better than nothing ;-)

I am a step further now.

I set up a test scenario with GNS and VMware on my notebook and tested the DACL feature there. After an hour of implementation it works now. There is no difference to my real configuration. The groups on the ACS servers are also equal.

In the virtualization in GNS I use a 3725 and in the real environment there is a 3825 instead. The IOS versions are the same. The 3725 works correctly: the ACLs are downloaded and are working. The 3825 downloads the ACLs but they are not working. Perhaps they are not applied.

Are there any solution thoughts??

It would help if we know the GOAL of what you're trying to do ...

AFAIR in mode config client does not request ACLs for filtering short of split tunnel ACLs ... and I don't have means to test right now.

If you wish to allow or not certain clients access to certain subnets, why not investigate split-tunneling ACLs and vpn-filter in combination with ACS rather than going for dACL.

Thanks for your help.

Your hints were very helpful. As I mentioned before I solved the problems with av-pairs and command "ipsec:inacl=". I think you mean that with split-tunneling ACLs.

Problem is solved!!!

Hi martinwicher,

Can you give a little more info on how you solved your problem please?

Amir Mehri
Level 1

Hello Dear Martin

I have exactly the same problem, please tell me how I can solve my problem. I really can't find any documents about it.

Any help would be appreciated.

Amir,

What is exactly failing in your case and where and what have you configured + how have you been debugging so far?

ipsec:inacl is the way to download ACLs in case of IPsec.

Marcin
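As an added illustration, not posted by anyone in this thread, here is a minimal IOS Easy VPN server configuration that consumes the ipsec:inacl attribute Marcin and Martin refer to, together with the matching ACS/RADIUS attribute. The ACL name VPN-SPLIT, the group name VPNGROUP, the pool name, the AAA list names, the RADIUS server address and all key placeholders are assumed values, not taken from the thread.

```text
! --- Router side (IOS Easy VPN server); all names/addresses are assumed ---
aaa new-model
aaa authentication login VPN-AUTH group radius
aaa authorization network VPN-AUTHZ group radius
radius-server host 192.0.2.10 key <shared-secret-placeholder>
!
! The ACL referenced by ipsec:inacl must already exist on the router.
! The attribute downloads only the ACL *name*; the ACL lines themselves
! are not pushed the way ACS "Downloadable IP ACL" (ip:inacl#n=) entries are.
ip access-list extended VPN-SPLIT
 permit ip 10.10.0.0 0.0.255.255 any
!
ip local pool VPN-POOL 10.99.0.1 10.99.0.254
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group policy is fetched from RADIUS via the isakmp authorization list,
! so the group attributes (ipsec:*) are returned in that Access-Accept.
crypto isakmp client configuration group VPNGROUP
 key <group-key-placeholder>
 pool VPN-POOL
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
crypto map VPNMAP client authentication list VPN-AUTH
crypto map VPNMAP isakmp authorization list VPN-AUTHZ
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 crypto map VPNMAP

! --- ACS/RADIUS side: Cisco vendor-specific attribute 26/9/1 (cisco-av-pair) ---
! Constructed example; in ACS these go in the group's or user's
! "Cisco IOS/PIX RADIUS Attributes" cisco-av-pair field.
cisco-avpair = "ipsec:inacl=VPN-SPLIT"
cisco-avpair = "ipsec:addr-pool=VPN-POOL"
```

To check that the attribute actually reaches the session rather than just the device: `debug radius` should show the returned `ipsec:inacl` pair in the Access-Accept, `debug crypto isakmp` should show the mode-config reply carrying the split-tunnel network, and after the client connects `show crypto ipsec sa` should list the VPN-SPLIT network as the remote proxy identity. If the ACL name in the av-pair does not match an ACL configured on the router, the pair is received but has no effect, which is the symptom described earlier in this thread.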
