ACL Assignment via Radius Cisco AV Pair

Brian Saunders — Mon, 11 Mar 2019 03:44:39 GMT

Hello All,

I am attempting to assign ACLs to inbound access switch-ports via radius. I am using ACS 5.4 as my radius server and am testing on a 4948 switch running 15.0(2)SG3. I currently have an authorization profile created that is associated with the users who are connecting. I have configured the following radius attributes to send upon authentication:

On the switch I can see the radius attributes getting assigned (although it does say in the debug logs ignoring unknown radius attribute). If I do a "sh authentication sessions interface gx/x" I see that the ACLs are being applied:

FLM_TESTSWI001#sh authentication sessions interface g1/5
            Interface: GigabitEthernet1/5
          MAC Address: 1803.731b.b6a8
           IP Address: 10.67.37.216
            User-Name: 18-03-73-1B-B6-A8
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 36
         Per-User ACL: permit udp any eq bootpc any eq bootps
         Per-User ACL: permit icmp any any
         Per-User ACL: permit ip any 10.66.0.0 0.0.255.255
         Per-User ACL: permit ip any 10.82.0.0 0.0.255.255
         Per-User ACL: deny ip any any
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A43240C0000004D4873BC3D
      Acct Session ID: 0x00000409
               Handle: 0xD400004E

Runnable methods list:
Method State

mab Authc Success
dot1x Not run

But when I test from the host it is not restricting access, I am able to get to anywhere on the network. Anyone have any suggestions?

Cheers,

Brian

ACL Assignment via Radius Cisco AV Pair

Brian Saunders — Fri, 09 Aug 2013 13:23:41 GMT

The only way I could get this to work is have the ACS server reference an ACL configured on the switch via name or number and send in the filter-id attribute. On the switch I configured the default setting for attribute 11 to apply inbound "

radius-server attribute 11 default direction in". If you do a "sh authentication sessions interface gx/x" it'll show the filter-ID setting but if you do a "show ip interface gx/x" it still shows the default-acl being applied. It works, just a bit confusing because of that default-acl still showing up. Anyone else experience the same?

topic ACL Assignment via Radius Cisco AV Pair in Network Access Control

ACL Assignment via Radius Cisco AV Pair

ACL Assignment via Radius Cisco AV Pair