Cisco Support Community
RADIUS downloadable ACL and AV pair

Hello,

In the Cisco doc (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/access_aaa.html#wp1053730) it is written:

Merges a downloadable ACL with the ACL received in the Cisco AV pair from a RADIUS packet. The default setting is no merge dacl, which specifies that downloadable ACLs will not be merged with Cisco AV pair ACLs. If both an AV pair and a downloadable ACL are received, the AV pair has priority and is used.

If both a downloadable ACL (DACL=dacl-ext-user-inside) and a predefined ACL using Filter-ID (SACL=vpn-acl-general-inside) are configured in my environment, only the DACL is applied (opposite to the Cisco doc). When I remove the DACL from the RADIUS configuration, only the SACL is applied (that's correct). Here is part of the RADIUS log:

Authentication Result
User-Name=external
Filter-ID=vpn-acl-general-inside     <<<< SACL
Class=CACS:ACS-horol/126102282/51
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dacl-ext-user-inside-4fb4b7ee  <<<<< DACL
CVPN3000/ASA/PIX7.x-IPSec-Banner1=Profile2: External user from inside
CVPN3000/ASA/PIX7.x-IPSec-Split-Tunnel-List=vpn-split-ext-user-inside
CVPN3000/ASA/PIX7.x-IPSec-Split-Tunneling-Policy=Split tunneling
CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools=vpn-pool-ext-user

(^^ I can see the same in debug radius or debug ipsec on the ASA.)

Is it a bug or a 'feature'?

SW versions in my lab: ASA 8.4(3), ACS 5.3 (trial version)

--

martin

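An added example, not part of the original post and not Cisco code, that models the precedence rule quoted from the doc above over attribute lines in the same name=value shape as the log: it parses the Filter-ID, the DACL name from ACS:CiscoSecure-Defined-ACL, and any per-user ip:inacl#N entries carried in cisco-av-pair (the "ACL received in the Cisco AV pair" that the merge-dacl description refers to), then resolves which ACL the session gets with merging off, or with the DACL entries merged before or after the AV-pair entries. Everything beyond the log lines is constructed: the two ip:inacl# lines, the ACL bodies and the addresses; the before-avpair/after-avpair keywords of merge-dacl and their ordering are my reading of the command, not something the post confirms; and treating Filter-ID as the fallback when neither a DACL nor an AV-pair ACL arrives only mirrors what the post reports, not a documented precedence. The shadowed_entries check flags a practical hazard of merging: when the half placed first ends in deny ip any any (or permit ip any any), the other half is never evaluated.

```python
import re

# Constructed sample input: the attribute lines from the post's RADIUS log,
# plus two hypothetical per-user ACL entries carried in cisco-av-pair
# (ip:inacl#N=...). The host/network addresses are made up.
SAMPLE_ATTRIBUTES = """\
User-Name=external
Filter-ID=vpn-acl-general-inside
Class=CACS:ACS-horol/126102282/51
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dacl-ext-user-inside-4fb4b7ee
cisco-av-pair=ip:inacl#1=permit tcp any host 10.0.0.5 eq 443
cisco-av-pair=ip:inacl#2=deny ip any any
"""

# Constructed ACL bodies. On a real ASA the DACL body is downloaded from ACS
# by its #ACSACL# name and the Filter-ID names an ACL configured on the box.
DACL_STORE = {
    "#ACSACL#-IP-dacl-ext-user-inside-4fb4b7ee": [
        "permit ip any 10.1.0.0 255.255.255.0",
        "deny ip any any",
    ],
}
LOCAL_ACLS = {
    "vpn-acl-general-inside": ["permit ip any any"],
}

CATCH_ALL = re.compile(r"^(permit|deny) ip any any$")


def parse_attributes(text):
    """Pick the ACL-related attributes out of 'name=value' log lines.

    Returns the Filter-ID name, the downloadable ACL name taken from
    ACS:CiscoSecure-Defined-ACL, and the ip:inacl#N entries in N order.
    """
    parsed = {"filter_id": None, "dacl_name": None, "avpair_acl": []}
    inacl = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "Filter-ID":
            parsed["filter_id"] = value
        elif key == "cisco-av-pair":
            m = re.match(r"ACS:CiscoSecure-Defined-ACL=(.+)$", value)
            if m:
                parsed["dacl_name"] = m.group(1)
                continue
            m = re.match(r"ip:inacl#(\d+)=(.+)$", value)
            if m:
                inacl.append((int(m.group(1)), m.group(2)))
    parsed["avpair_acl"] = [entry for _, entry in sorted(inacl)]
    return parsed


def effective_acl(parsed, dacl_store, local_acls, merge=None):
    """Model which ACL the session ends up with.

    merge=None follows the quoted doc text: no merging, and when both a DACL
    and an AV-pair ACL arrive the AV-pair ACL wins. merge="before-avpair" /
    "after-avpair" are the merge-dacl keywords as I understand them
    (assumption): DACL entries placed before or after the AV-pair entries.
    Filter-ID is used only when neither arrives, which matches what the post
    reports; it is not a documented precedence.
    """
    dacl = dacl_store.get(parsed["dacl_name"], []) if parsed["dacl_name"] else []
    avpair = parsed["avpair_acl"]
    if merge == "before-avpair":
        return {"source": "merged", "entries": dacl + avpair}
    if merge == "after-avpair":
        return {"source": "merged", "entries": avpair + dacl}
    if merge is not None:
        raise ValueError("merge must be None, 'before-avpair' or 'after-avpair'")
    if avpair:
        return {"source": "av-pair", "entries": avpair}
    if dacl:
        return {"source": "dacl", "entries": dacl}
    if parsed["filter_id"]:
        return {"source": "filter-id",
                "entries": local_acls.get(parsed["filter_id"], [])}
    return {"source": None, "entries": []}


def shadowed_entries(entries):
    """Entries that can never match because an earlier line is a catch-all.

    In a merged ACL, everything after the first 'deny ip any any' or
    'permit ip any any' is dead, so the policy from the other source
    silently disappears.
    """
    for i, entry in enumerate(entries):
        if CATCH_ALL.match(entry):
            return entries[i + 1:]
    return []


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ATTRIBUTES)
    for mode in (None, "before-avpair", "after-avpair"):
        result = effective_acl(parsed, DACL_STORE, LOCAL_ACLS, merge=mode)
        print(mode, result["source"], result["entries"],
              "shadowed:", shadowed_entries(result["entries"]))
```

Run as-is to print the three outcomes. Feeding it only the lines that appear in the post's log (a DACL reference and a Filter-ID, no ip:inacl# entries) resolves to the DACL under the no-merge rule, because no AV-pair ACL entries arrived; that is the case the quoted doc sentence does not speak to, since it only ranks an AV-pair ACL against a DACL.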