Problem with applying inbound acl using filter-id

a.tong
Level 1

Hi All,

We have a NAS (AS5350) to provide dialup service for branch offices. Cisco ACS 4.0 (RADIUS) is used as the AAA server. We would like to apply an ACL to the dialup client to control access by using the filter-id attribute. The ACL can be applied and works fine outbound, but there is a problem when applying it inbound using acl#.in. From the debug ip icmp of the NAS, the message "ICMP: dst (10.3.54.2) administratively prohibited unreachable sent to 10.3.54.50" is displayed, and the dialup client is not able to reach the NAS or the network behind it. "Destination is unreachable" is returned when trying to ping the NAS server from the dialup client.

For your information, below is the sample output of "sh ip int"

Async1/04 is up, line protocol is up

Interface is unnumbered. Using address of Loopback0 (10.3.54.2)

Broadcast address is 255.255.255.255

Peer address is 10.3.54.50

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is 110, default is not set

Proxy ARP is enabled

....

The IOS version of AS5350 is 12.4(5b). Any idea? Thanks in advance.

Anthony

6 Replies

gbatra
Level 1

Hi Anthony,

If I understand correctly, you want to assign an ACL to users dialing in to the AS5350 using the filter-id attribute.

Note there are a few ways for ACS to handle ACLs.

1. RADIUS attr 11, filter-id. In this case the ACL(s) are defined on the client(s) already; all ACS does is specify which one to use for a given user by handing down attr 11.

2. cisco av-pair. The ACL is configured on ACS via the RADIUS cisco av-pair attribute [26/9/1], per user or group. Again, these are sent via the RADIUS Access-Reply.

3. Downloadable ACLs. Again the ACLs are configured on ACS, per user or group.

So in your case, is the ACL defined on the NAS, and what value have you specified in the Filter-id attribute?

Can you send me the following debug output

debug aaa authen

debug aaa authorization

debug radius

term mon

I hope this helps.

Thanks

Gagan
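To make the first two mechanisms Gagan lists concrete, here is an added example (not part of the thread, and not Cisco or ACS code) that builds a RADIUS Access-Accept carrying both a Filter-Id (attribute 11) and a cisco-avpair (Vendor-Specific attribute 26, vendor 9, vendor-type 1), then decodes it the way a NAS would have to before deciding which ACL to apply and in which direction. The attribute numbers are from RFC 2865 and Cisco's VSA dictionary; the rest is assumed for illustration: the sample packet contents are constructed, the Response Authenticator is a zero placeholder rather than the real MD5 over packet and shared secret, and the rule that a bare Filter-Id with no ".in"/".out" suffix is treated as outbound mirrors IOS's default but is this script's interpretation, not a guarantee of what any given IOS release does.

```python
"""Build and decode a RADIUS Access-Accept that carries ACL instructions
via Filter-Id (attr 11) and cisco-avpair (VSA 26 / vendor 9 / type 1).
Added example for this thread; not code from the original post or from Cisco.
"""
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11          # RFC 2865 Filter-Id
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
VENDOR_CISCO = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # cisco-avpair vendor-type


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS TLV: type (1 byte), length (1 byte, includes header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value limited to 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-avpair string in a Vendor-Specific attribute (vendor-id + sub-TLV)."""
    inner = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(inner) + 2) + inner
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def access_accept(identifier: int, authenticator: bytes, attrs: list) -> bytes:
    """Assemble the 20-byte header plus attributes. The authenticator is supplied by the
    caller; in a real server it is MD5(code|id|length|request-auth|attrs|secret)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list, validating every length field against the datagram
    so a truncated or oversized attribute raises instead of being read out of bounds."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field disagrees with datagram size")
    out, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short VSA at offset %d" % pos)
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed VSA sub-attribute at offset %d" % pos)
            out.append(("vsa", vendor, vtype, value[6:4 + vlen]))
        else:
            out.append(("attr", atype, value))
        pos += alen
    return out


def acl_directives(attrs: list) -> list:
    """Map parsed attributes to (mechanism, payload, direction) tuples.
    Filter-Id names an ACL that must already exist on the NAS; a '.in' or '.out'
    suffix selects the direction, and (assumption, matching IOS's default) a bare
    name is treated as outbound. cisco-avpair ip:inacl#N= / ip:outacl#N= carry an
    ACL line from the server itself, so nothing need be predefined on the NAS."""
    result = []
    for item in attrs:
        if item[0] == "attr" and item[1] == ATTR_FILTER_ID:
            name = item[2].decode("ascii")
            base, dot, suffix = name.rpartition(".")
            if dot and suffix in ("in", "out"):
                result.append(("filter-id", base, suffix))
            else:
                result.append(("filter-id", name, "out"))
        elif item[0] == "vsa" and item[1] == VENDOR_CISCO and item[2] == CISCO_AVPAIR:
            key, _, entry = item[3].decode("ascii").partition("=")
            if key.startswith("ip:inacl#"):
                result.append(("avpair", entry, "in"))
            elif key.startswith("ip:outacl#"):
                result.append(("avpair", entry, "out"))
    return result


def example_packet() -> bytes:
    """Constructed Access-Accept: apply NAS-side ACL 110 inbound (method 1 in the
    thread) and also push one per-user inbound ACL line (method 2)."""
    placeholder_authenticator = bytes(16)  # not a real Response Authenticator
    return access_accept(7, placeholder_authenticator, [
        attribute(ATTR_FILTER_ID, b"110.in"),
        cisco_avpair("ip:inacl#1=permit ip any any"),
    ])


if __name__ == "__main__":
    for directive in acl_directives(parse_attributes(example_packet())):
        print(directive)
```

Running the script prints the two directives the NAS would act on: the Filter-Id resolves to ACL 110 inbound (which is exactly what the "Inbound access list is 110" line in the show ip interface output above reflects), while the av-pair carries its own ACL line. The parser's length checks matter in practice: a RADIUS listener that trusts the per-attribute length byte without comparing it to the datagram is a classic out-of-bounds read.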

Hi Gagan,

Exactly, we chose the first method in order to be compatible with the old configuration. The access lists are defined in the NAS, and the filter-id attribute is passed to it when the dialup client is successfully connected.

I only have previous output of "debug radius" for your reference now and will send other debug information for you later. See if you could figure out the problem from the attached log.

I appreciate your help very much.

With Best Regards,

Anthony

Hi Anthony,

Not much can be learned from the debugs; as per them, the attribute is sent to the NAS in the Access-Accept packet.

Can you send me the running configuration of the AS together with the ACL name which you are trying to push from ACS.

Also, are you configuring the Cisco av-pair attribute?

Thanks

Gagan

Hi Gagan,

Sure, the running configuration and a screen capture of the filter-id attribute are in the attachment.

I tried to configure the Cisco av-pair attribute for testing purposes, but it has been removed.

With Best Regards,

Anthony

Hi Anthony,

The RADIUS configuration looks perfect, and we even have the list defined on the NAS. Can you enter the following command in the configuration:

aaa authorization exec default group radius local

You can also refer to the following URL for ACL application:

http://www.cisco.com/warp/public/480/radius_ACL1.html#server_cfg

Please do send me the following debug output

debug aaa authen

debug aaa authorization

debug radius

debug ppp negotiation

term mon

Thanks

Gagan

Hi Gagan,

I was able to test the configuration today and captured the output for your reference.

The following command "aaa authorization exec default group radius local" was added before capturing the output.

It seemed that if the ACL is applied inbound, all traffic is blocked and the ICMP message is given. So I guessed there is some security setting that prevents an ACL from being applied inbound on the async interface, but I can't find any document that mentions this.

Anyway, thanks for your help!

Anthony
