https://community.cisco.com/t5/network-access-control/external-radius-with-dacl/m-p/5349012#M599050 <P>Hello Community,</P><P>I am trying to achive the following scenario:</P><P>RADIUS requests from "staging Client" should be forwarded to our LAB-ISE.</P><P>Sounds simple? Yes, and it works till the point the ACCESS-ACCEPT with a dACL is send back to the Authenticator and the Authenticator tries to download the dACL. At least I can say, the redirection of the request and the external authentication/authorization works fine.&nbsp;</P><P>The dACL remains problematic in this case. I already traced and tcpdump'd in that matter and tried to develop a conditions to match the ACCESS-REQUEST for the dACL download.</P><P>On a packet level I have the following fields to filter upon:</P><P>- Cisco AV-Pairs (aaa:service=ip_admission, val=aaa:event=acl-download)<BR />- Message-Authenticator<BR />- User-Name (with the dACL name in it)<BR />- NAS-IP-Address</P><P>I tried my best to match the dACL name to initiate a redirect to the LAB-ISE, I would add something to identify the request by the name.&nbsp;</P><P>I already tried the Condition "Radius:User-Name" equals "#ACSACL#-IP-this_very_good_default-3938d9" (along with other operators) or "NetworkAccess:UserName" but that did not work. Redirecting by "NAS-IP-Address" also had no success.</P><P>Then I made an endpoint debug to spot any errors/misspellings and the debug output the fieldname sometimes was "UserName".</P><P>My customer wants to test their clients anywhere in our infrastructure without changing network devices and without simply trusting the test CA on our production env.&nbsp;</P><P>I am very <SPAN>curious if someone already ran into the same problem and how it was solved. Do I have to escape something in the string to be able to match it or is it even possible?</SPAN></P><P>Thank you for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Nov 2025 11:42:12 GMT IlikeTrains 2025-11-21T11:42:12Z https://community.cisco.com/t5/network-access-control/external-radius-with-dacl/m-p/5349012#M599050 <P>Hello Community,</P><P>I am trying to achive the following scenario:</P><P>RADIUS requests from "staging Client" should be forwarded to our LAB-ISE.</P><P>Sounds simple? Yes, and it works till the point the ACCESS-ACCEPT with a dACL is send back to the Authenticator and the Authenticator tries to download the dACL. At least I can say, the redirection of the request and the external authentication/authorization works fine.&nbsp;</P><P>The dACL remains problematic in this case. I already traced and tcpdump'd in that matter and tried to develop a conditions to match the ACCESS-REQUEST for the dACL download.</P><P>On a packet level I have the following fields to filter upon:</P><P>- Cisco AV-Pairs (aaa:service=ip_admission, val=aaa:event=acl-download)<BR />- Message-Authenticator<BR />- User-Name (with the dACL name in it)<BR />- NAS-IP-Address</P><P>I tried my best to match the dACL name to initiate a redirect to the LAB-ISE, I would add something to identify the request by the name.&nbsp;</P><P>I already tried the Condition "Radius:User-Name" equals "#ACSACL#-IP-this_very_good_default-3938d9" (along with other operators) or "NetworkAccess:UserName" but that did not work. Redirecting by "NAS-IP-Address" also had no success.</P><P>Then I made an endpoint debug to spot any errors/misspellings and the debug output the fieldname sometimes was "UserName".</P><P>My customer wants to test their clients anywhere in our infrastructure without changing network devices and without simply trusting the test CA on our production env.&nbsp;</P><P>I am very <SPAN>curious if someone already ran into the same problem and how it was solved. Do I have to escape something in the string to be able to match it or is it even possible?</SPAN></P><P>Thank you for your help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Nov 2025 11:42:12 GMT https://community.cisco.com/t5/network-access-control/external-radius-with-dacl/m-p/5349012#M599050 IlikeTrains 2025-11-21T11:42:12Z https://community.cisco.com/t5/network-access-control/external-radius-with-dacl/m-p/5368944#M599763 <P>I have asked TAC about this, and the answer was that these request can not be matched as they do not hit the policy set. The receiving PSN will yield the dACLs directly.</P> Tue, 10 Feb 2026 07:03:02 GMT https://community.cisco.com/t5/network-access-control/external-radius-with-dacl/m-p/5368944#M599763 IlikeTrains 2026-02-10T07:03:02Z