https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360820#M89082 <HTML><HEAD></HEAD><BODY><P>If you have a tacacs solution you can move this integration over to there. However you will need to doublecheck all attributes and profiles to make sure the same users isnt gaining full access to any other device if TACACS is used as your centralized administration authority.</P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 31 Dec 2013 07:39:37 GMT Tarik Admani 2013-12-31T07:39:37Z https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360817#M89076 <P>Hi,</P><P>I'm deploing auth-proxy services on my ISR 1861. I'm using a Cloudessa public RADIUS Service.</P><P>It works fine. I'have only one problem. It seems that in group policies i can define only one string attribute Cisco-AVPair string.</P><P>I try to explain better .. I can choice all RFC and Vendor well known attributes ... i can select multiple&nbsp; types attribute (Session-Timeout, Service-Type, and so on ...) and i can insert the desired value for each of these attributes ... attributes are correctely sent to Router (debug radius). If i insert Cisco-AVPair attribute i can insert a string with attribute in single line ... for example auth-proxy:priv-lvl=15 (mandatory) ... but i can't add another&nbsp; Cisco-AVPair attribute string to add ACL ...</P><P></P><P>for example</P><P></P><P>auth-proxy:proxyacl#1=deny ip any 62.149.128.40</P><P>auth-proxy:proxyacl#2=permit ip any any</P><P></P><P>so the question is ...</P><P></P><P>Is there a way to insert in a single&nbsp; Cisco-AVPair attribute string for example:</P><P></P><P></P><P>auth-proxy:priv-lvl=15 </P><P>auth-proxy:proxyacl#1=deny ip any 62.149.128.40</P><P>auth-proxy:proxyacl#2=permit ip any any</P><P></P><P>in order to instruct the router to use it ?</P><P></P><P>I'v tried using &lt;R&gt; or \r ... comma&nbsp; and space with and without double quotes</P><P></P><P>auth-proxy:priv-lvl=15&lt;R&gt;auth-proxy:proxyacl#1=deny ip any 62.149.128.40</P><P>"auth-proxy:priv-lvl=15" &lt;R&gt;a "uth-proxy:proxyacl#1=deny ip any 62.149.128.40"</P><P>auth-proxy:priv-lvl=15,auth-proxy:proxyacl#1=deny ip any 62.149.128.40</P><P>"auth-proxy:priv-lvl=15";auth-proxy:proxyacl#1=deny ip any 62.149.128.40"</P><P>... and so on</P><P></P><P>but nothing it seems to works fine.</P><P></P><P>I've opened a tocket to Cloudessa and i'm awaitng for a response ...</P><P></P><P></P><P>someone can help me ?</P><P></P><P>is it possibile define multiple attributes in ona string ?</P><P></P><P>Thank you very much</P> Mon, 11 Mar 2019 04:13:23 GMT https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360817#M89076 gdelpanta 2019-03-11T04:13:23Z https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360818#M89077 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It looks as if the radius dictionary for the cisco-av-pair should support multiple attributes, there is even an example on how to acheive this in the guide (a little dated ACS 4.0).</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.html#wp168530">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.html#wp168530</A></P><P></P><P>In most of my designs for auth-proxy I have had to enter each cisco-av-pair with each proxy-acl#1...statement so it seems to me as if there maybe a bug in your radius solution not allowing as many cisco-av-pair in your authorization profile.</P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 31 Dec 2013 06:25:20 GMT https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360818#M89077 Tarik Admani 2013-12-31T06:25:20Z https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360819#M89078 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P>Thank you ...</P><P></P><P>You are right ... it's a for sure a Radius limitation. I've already wirtten to Cloudessa support ... i written to Cisco Support Forum too wishing for a workaround or a way to insert multiple AV row in a single entry.</P><P></P><P>If multiple AV Pair in a single strin entry and Caloudessa doesn't fix i'm stucked ...</P><P></P><P>Cloudessa is the only free Radius as Service found in Internet ... </P><P></P><P>thank you again.</P></BODY></HTML> Tue, 31 Dec 2013 07:29:15 GMT https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360819#M89078 gdelpanta 2013-12-31T07:29:15Z https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360820#M89082 <HTML><HEAD></HEAD><BODY><P>If you have a tacacs solution you can move this integration over to there. However you will need to doublecheck all attributes and profiles to make sure the same users isnt gaining full access to any other device if TACACS is used as your centralized administration authority.</P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Tue, 31 Dec 2013 07:39:37 GMT https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360820#M89082 Tarik Admani 2013-12-31T07:39:37Z https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360821#M89083 <P>Reply attribute should use a += operator for additional avpairs:</P> <P>&nbsp;</P> <PRE style="border: 0px; font-family: 'Courier 10 Pitch', Courier, monospace; margin-bottom: 1.625em; outline-width: 0px; padding: 0.75em 1.625em; vertical-align: baseline; font-stretch: normal; line-height: 1.5; overflow: auto; color: rgb(55, 55, 55); background: rgb(244, 244, 244);"> admin Cleartext-Password := 1234QWer Service-Type = Administrative-User, Cisco-AVPair = "shell:roles=network-admin", Cisco-AVPair += "shell:priv-lvl=15" ops Cleartext-Password := 1234QWer Service-Type = NAS-Prompt-User, Cisco-AVPair = "shell:roles=network-operator", Cisco-AVPair += "shell:priv-lvl=1" tom Auth-Type := System Service-Type = Administrative-User, Cisco-AVPair = "shell:roles=network-admin", Cisco-AVPair += "shell:priv-lvl=15"</PRE> <P>&nbsp;</P> <P>From&nbsp;http://www.layerzero.nl/blog/2013/05/using-freeradius-with-cisco-devices/</P> <P>&nbsp;</P> Wed, 19 Nov 2014 00:52:18 GMT https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360821#M89083 adolcabr 2014-11-19T00:52:18Z https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360822#M89084 <P>Hi,</P> <P></P> <P>Did you manage to send multiple &nbsp;AV pairs from cloudessa to cisco eqipement?</P> <P>I am facing the same issue with proxy acl.</P> <P></P> <P>Regards,</P> <P>Branimir Turk</P> Tue, 09 Feb 2016 12:58:52 GMT https://community.cisco.com/t5/network-access-control/cisco-avpair-multiple-attributes-in-a-string/m-p/2360822#M89084 Branimir Turk 2016-02-09T12:58:52Z