I am attempting to assign ACLs to inbound access switch-ports via radius. I am using ACS 5.4 as my radius server and am testing on a 4948 switch running 15.0(2)SG3. I currently have an authorization profile created that is associated with the users who are connecting. I have configured the following radius attributes to send upon authentication:
On the switch I can see the radius attributes getting assigned (although it does say in the debug logs ignoring unknown radius attribute). If I do a "sh authentication sessions interface gx/x" I see that the ACLs are being applied:
FLM_TESTSWI001#sh authentication sessions interface g1/5
            Interface:  GigabitEthernet1/5
          MAC Address:  1803.731b.b6a8
           IP Address:  10.67.37.216
            User-Name:  18-03-73-1B-B6-A8
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  36
         Per-User ACL:  permit udp any eq bootpc any eq bootps
         Per-User ACL:  permit icmp any any
         Per-User ACL:  permit ip any 10.66.0.0 0.0.255.255
         Per-User ACL:  permit ip any 10.82.0.0 0.0.255.255
         Per-User ACL:  deny ip any any
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A43240C0000004D4873BC3D
      Acct Session ID:  0x00000409
               Handle:  0xD400004E

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
But when I test from the host it is not restricting access, I am able to get to anywhere on the network. Anyone have any suggestions?
The only way I could get this to work is to have the ACS server reference an ACL configured on the switch via name or number and send it in the Filter-Id attribute. On the switch I configured the default setting for attribute 11 to apply inbound: "radius-server attribute 11 default direction in". If you do a "sh authentication sessions interface gx/x" it'll show the Filter-Id setting, but if you do a "show ip interface gx/x" it still shows the default-acl being applied. It works, just a bit confusing because of that default-acl still showing up. Anyone else experience the same?
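The switch-side configuration the answer above describes, written out as an added example (it is not config from anyone in this thread). The ACL name GUEST-RESTRICT and the interface settings are assumptions; the ACEs mirror the Per-User ACL lines in the original session output, and it assumes ACS returns Filter-Id = "GUEST-RESTRICT" in the Access-Accept for the authorization profile.

```cisco
! Added example, not the poster's config. Assumed ACL name: GUEST-RESTRICT.
! Define the ACL locally on the switch; the RADIUS server only names it
! (Filter-Id, attribute 11) instead of pushing individual ACEs.
ip access-list extended GUEST-RESTRICT
 permit udp any eq bootpc any eq bootps
 permit icmp any any
 permit ip any 10.66.0.0 0.0.255.255
 permit ip any 10.82.0.0 0.0.255.255
 deny ip any any
!
! Filter-Id carries no direction on its own, so apply it inbound by default
! (this is the command the answer above refers to).
radius-server attribute 11 default direction in
!
! Assumed access-port configuration matching the multi-domain, MAB-first
! session shown in the question.
interface GigabitEthernet1/5
 switchport mode access
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Verification after a host authenticates (same commands used in the thread):
!   show authentication sessions interface GigabitEthernet1/5
!     -> session should list Filter-Id: GUEST-RESTRICT
!   show ip interface GigabitEthernet1/5
!     -> per the answer, may still display the default ACL; this is cosmetic
!   show ip access-lists GUEST-RESTRICT
!     -> hit counters on the permit/deny lines increment once the ACL is
!        actually enforced, which is the check that distinguishes "assigned"
!        from "applied" (the gap the original question hit)
```

Keeping the ACL on the switch and sending only its name also means a bad or truncated attribute from the RADIUS server cannot silently produce a permissive per-user ACL: if the named ACL does not exist on the switch, the Filter-Id authorization fails instead of the port opening up.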