Cisco Support Community
Downloadable ACL with AS5350

Hi

Does anybody know if Downloadable ACLs work with the AS5350 and ACS? I tried it with ACS 3.3 and IOS 12.3(11)T11, because I read that this feature should be supported on IOS from 12.3(8)T on. But it doesn't work. When I debug the RADIUS authorization, I get the following error:

Feb 5 12:23:39.994: RADIUS: Cisco AVpair [1] 62 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-RAS_default-45c7006e"

Feb 5 12:23:39.994: AAA/ATTR: unrecognized attribute prefix: "ACS" (WARNING)

Looks like the AS5350 doesn't understand this attribute. Does anybody know anything helpful?

Best regards

Simon

1 REPLY

Re: Downloadable ACL with AS5350

Hi Simon,

I cannot speak to Downloadable ACLs with the AS5300 product, as I have never done it; however, I have successfully implemented dynamic inbound ACLs on a per-user and per-group basis for dial access with TACACS+ on ACS 3.1 with an AS5300. With this option, you enable "PPP IP" and "Custom attributes" within the TACACS+ Settings section of the group or user, then define the access list you wish to implement. Syntax is important, and below is an example of the format allowing a source subnet to a host for port ssh (Note: this is dynamic ACL syntax, not downloadable ACL syntax):

inacl#1=permit tcp x.x.x.x 0.0.0.255 host y.y.y.y eq 22

In addition, one other prerequisite with this option is that the ACS local database must be used (you cannot use LDAP or integrate with AD).

Now, if this does not help and you must use Downloadable ACLs, please see the following URLs/PDFs that may be helpful:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf

Warning on Vulnerability with ACS 3.0-3.3.3:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml

Hope this helps; if so, please rate.

Thanks,

-Scott
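Because the per-user inacl#N entries are typed into ACS as free text and only fail once a user dials in, it is worth checking their syntax before deployment. The following is an added example, not code from this thread or from Cisco: a small Python validator for inacl#N entries that catches malformed addresses, duplicate sequence numbers and, in particular, a port operator (eq) on a protocol other than tcp or udp. The sample entries are constructed; the optional "ip:" prefix accepted by the regex is the form used when the same attribute is carried as a RADIUS Cisco-AVPair.

```python
import ipaddress
import re

# Constructed sample of per-user custom attributes as they would be entered in ACS.
# Entry 1 deliberately pairs "eq 22" with protocol "ip", which IOS rejects.
SAMPLE_ATTRIBUTES = """\
inacl#1=permit ip 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 22
inacl#2=permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 22
inacl#3=deny ip any any
"""

LINE_RE = re.compile(r"^(?:ip:)?inacl#(\d+)=(.*)$")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_PROTOCOLS = {"tcp", "udp"}  # only these may carry an 'eq <port>' clause


def _take_address(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return the rest."""
    if tokens[0] == "any":
        return tokens[1:]
    if tokens[0] == "host":
        ipaddress.IPv4Address(tokens[1])  # raises ValueError on a bad address
        return tokens[2:]
    ipaddress.IPv4Address(tokens[0])
    ipaddress.IPv4Address(tokens[1])  # wildcard mask is written like an address
    return tokens[2:]


def check_inacl(text):
    """Return a list of 'entry: problem' strings; an empty list means every entry parsed."""
    errors, seen = [], set()
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        match = LINE_RE.match(line)
        if not match:
            errors.append(f"{line}: not of the form inacl#N=<ace>")
            continue
        seq, ace = int(match.group(1)), match.group(2).split()
        if seq in seen:
            errors.append(f"{line}: duplicate sequence number {seq}")
        seen.add(seq)
        try:
            action, proto, rest = ace[0], ace[1], ace[2:]
            if action not in ("permit", "deny"):
                raise ValueError(f"unknown action {action!r}")
            if proto not in PROTOCOLS:
                raise ValueError(f"unknown protocol {proto!r}")
            rest = _take_address(_take_address(rest))
            if rest[:1] == ["eq"]:
                if proto not in PORT_PROTOCOLS:
                    raise ValueError(f"'eq' needs tcp or udp, not {proto}")
                if len(rest) != 2:
                    raise ValueError("'eq' must be followed by exactly one port")
                rest = []
            if rest:
                raise ValueError(f"trailing tokens {' '.join(rest)!r}")
        except (ValueError, IndexError) as exc:
            errors.append(f"{line}: {exc}")
    return errors
```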
