Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACL Assignment via Radius Cisco AV Pair

Hello All,

I am attempting to assign ACLs to inbound access switch-ports via radius.  I am using ACS 5.4 as my radius server and am testing on a 4948 switch running 15.0(2)SG3.  I currently have an authorization profile created that is associated with the users who are connecting.  I have configured the following radius attributes to send upon authentication:

8-7-2013 9-09-54 AM.jpg

On the switch I can see the radius attributes getting assigned (although it does say in the debug logs ignoring unknown radius attribute).  If I do a "sh authentication sessions interface gx/x" I see that the ACLs are being applied:

FLM_TESTSWI001#sh authentication sessions interface g1/5
            Interface:  GigabitEthernet1/5
          MAC Address:  1803.731b.b6a8
           IP Address:  10.67.37.216
            User-Name:  18-03-73-1B-B6-A8
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  36
         Per-User ACL:  permit udp any eq bootpc any eq bootps
         Per-User ACL:  permit icmp any any
         Per-User ACL:  permit ip any 10.66.0.0 0.0.255.255
         Per-User ACL:  permit ip any 10.82.0.0 0.0.255.255
         Per-User ACL:  deny ip any any
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A43240C0000004D4873BC3D
      Acct Session ID:  0x00000409
               Handle:  0xD400004E

Runnable methods list:
       Method   State

       mab      Authc Success
       dot1x    Not run

But when I test from the host it is not restricting access, I am able to get to anywhere on the network.  Anyone have any suggestions?

Cheers,

Brian

1 REPLY
New Member

ACL Assignment via Radius Cisco AV Pair

The only way I could get this to work is have the ACS server reference an ACL configured on the switch via name or number and send in the filter-id attribute.  On the switch I configured the default setting for attribute 11 to apply inbound "

radius-server attribute 11 default direction in".  If you do a "sh authentication sessions interface gx/x" it'll show the filter-ID setting but if you do a "show ip interface gx/x" it still shows the default-acl being applied.  It works, just a bit confusing because of that default-acl still showing up.  Anyone else experience the same?

2073
Views
0
Helpful
1
Replies
CreatePlease to create content