02-16-2007 03:42 PM - edited 03-10-2019 02:59 PM
Cisco ACS documentation claims that Cisco devices running IOS version 12.3(8)T or greater support Downloadable IP ACLs. However, it is almost impossible to find any documentation regarding this configuration. The only documentation available describes DACLs to a PIX or ASA, but there shouldn't be any difference from the DACL-to-IOS configuration. Thus, I really want to know if anyone has actually managed to make this work, and if you have any idea why my configuration has failed, it would be much appreciated.
IPsec Remote Access Using Preshared Key
VPN Client: 4.7
Transport: IPsec/UDP
Cisco Router: 3640
Cisco IOS: Version 12.3(11)T10
AAA: RADIUS (ACS)
ACS version 4.0 for Windows
Router configuration:
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop broadcast group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa accounting resource default start-stop group radius
aaa session-id common
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
no crypto isakmp ccm
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap client accounting list default
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server key xxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
ACS Configuration:
Here I just created a Downloadable access list with the following rule: "permit icmp any any" and the name "test".
Next I opened a user's settings, checked the box "Assign IP ACL" and chose the name of the DACL I created.
Am I missing something here?
When the ACS is authenticating the user, it seems from "debug radius authentication" that ACS sends the DACL "test" to the router:
Feb 16 22:28:32.402: RADIUS: Cisco AVpair [1] 59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-test-45d6210d"
However, when I enter the command "sh access-lists" I don't see the access list #ACSACL# (by the way, I haven't configured any other ACL on the router), and of course the user has unlimited access to the network (it should have only ICMP).
Thanks in advance for your time
02-19-2007 12:40 AM
Can't help with the IOS specifics... but a very easy test is to see whether IOS asks ACS for the ACL content.
If it does, you'll see another authentication request with the ACL name as the username. If you don't, you know it's an IOS issue.
There was also a security hole fixed in DACLs some time back, where a requirement was added for the device to include a Message-Authenticator attribute. So if you see any complaints from ACS, it could be that issue.
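The two checks described in the reply above, as an added example that is not part of this thread or of any Cisco software: the script below parses a constructed Access-Accept carrying the Cisco AV-pair from the original post's debug line, pulls out the DACL name, and then builds the follow-up Access-Request a device would have to send to fetch the ACL contents, with the ACL name in User-Name and a correctly computed Message-Authenticator (HMAC-MD5 keyed with the shared secret over the packet with that attribute zeroed, per RFC 2869). The VSA encoding (vendor 9, sub-attribute 1) and the Message-Authenticator computation are standard; the shared secret, NAS-IP-Address value and packet identifiers are placeholders, and the exact attribute set IOS or PIX includes in its ACL-name request is an assumption, not something the thread shows.

```python
"""Added example: parse an ACS DACL Cisco AV-pair and build the follow-up
RADIUS request (ACL name as User-Name, with Message-Authenticator)."""
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST = 1
RADIUS_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco-AVPair vendor sub-attribute
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="

# Values taken from the original post's debug output / masked config.
SAMPLE_ACL_NAME = "#ACSACL#-IP-test-45d6210d"
SHARED_SECRET = b"xxxxxxxx"  # placeholder, like the post's masked radius-server key


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_packet(code, identifier, authenticator, attrs):
    """Assemble Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def iter_attrs(packet):
    """Yield (type, value, offset) for each top-level attribute; reject malformed lengths."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen], pos
        pos += alen


def extract_dacl_name(access_accept):
    """Return the #ACSACL#-... name from a CiscoSecure-Defined-ACL AV-pair, or None."""
    for atype, value, _ in iter_attrs(access_accept):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4  # a vendor block may carry several sub-attributes
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                text = value[pos + 2:pos + vlen].decode(errors="replace")
                if text.startswith(DACL_PREFIX):
                    return text[len(DACL_PREFIX):]
            pos += vlen
    return None


def message_authenticator(secret, packet, ma_offset):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed."""
    zeroed = packet[:ma_offset + 2] + b"\x00" * 16 + packet[ma_offset + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_dacl_request(secret, identifier, acl_name, nas_ip, request_authenticator=None):
    """Second Access-Request: User-Name is the ACL name ACS handed back.
    The attribute set beyond User-Name and Message-Authenticator is an assumption."""
    ra = request_authenticator or os.urandom(16)
    attrs = [
        attr(ATTR_USER_NAME, acl_name.encode()),
        attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, filled below
    ]
    packet = build_packet(RADIUS_ACCESS_REQUEST, identifier, ra, attrs)
    ma_offset = len(packet) - 18  # Message-Authenticator is the last attribute
    mac = message_authenticator(secret, packet, ma_offset)
    return packet[:ma_offset + 2] + mac + packet[ma_offset + 18:]


def verify_message_authenticator(secret, packet):
    """True only if a Message-Authenticator is present and matches the shared secret."""
    for atype, value, pos in iter_attrs(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            return hmac.compare_digest(message_authenticator(secret, packet, pos), value)
    return False


def demo():
    """Walk the exchange: Accept with DACL name -> request for the ACL by name."""
    accept = build_packet(RADIUS_ACCESS_ACCEPT, 7, bytes(16),
                          [cisco_avpair(DACL_PREFIX + SAMPLE_ACL_NAME)])
    name = extract_dacl_name(accept)
    req = build_dacl_request(SHARED_SECRET, 8, name, "10.0.0.1")
    return name, req, verify_message_authenticator(SHARED_SECRET, req)


if __name__ == "__main__":
    name, req, ok = demo()
    print("DACL name from Access-Accept:", name)
    print("Follow-up request User-Name :", dict((t, v) for t, v, _ in iter_attrs(req))[ATTR_USER_NAME])
    print("Message-Authenticator valid :", ok)
```

When reading the ACS logs or a capture, the thing to look for is exactly what demo() produces: a second Access-Request whose User-Name is the #ACSACL#-IP-... string, not the VPN user. If that request never appears, the device is not attempting the download; if it appears and ACS rejects it, the verify function shows the kind of check (Message-Authenticator present and correct for the configured secret) that can cause the rejection.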
03-01-2007 08:59 AM
I am trying on PIX and failing. Get the following message:
"can't find authorization ACL". There is nothing in ACS suggesting that PIX asked for the ACL. However user authentication is successful.
Any ideas.....
03-01-2007 09:13 AM
Update.....
I do see in ACS logs that Authentication failed for ACL where username is the ACL name sent by PIX. (#ACSACL#-IP-myACL-45e6c605).
The failure code is "DACL request from device is not acceptable"
I guess ACS is rejecting the request, but WHY?
03-03-2007 07:26 AM
Hi,
With ACS 4.x you need PIX 6.3.5 or 7.0.2+ for DACLs to work.
Regards,
Vivek
03-05-2007 08:12 AM
Thanks. Upgrading the PIX to 6.3.5 resolved the issue.
03-22-2007 09:28 AM
I do see in ACS logs that Authentication failed for ACL where username is the ACL name sent by PIX. (#ACSACL#-IP-myACL-45e6c605).
The failure code is "DACL request from device is not acceptable"
Hi - I am getting this exact same error message. I have recently upgraded from ACS V3.2 to ACS V4.0. I am getting this message from a (Cisco VPN 3000/ASA/PIX 7.x+).
Any ideas how to resolve this? It worked fine on V3.2.
Thanks
03-26-2007 08:41 AM
Hi,
Which device and what version are you using ?
Regards,
Vivek
10-30-2007 07:25 AM
Hi,
I have configured DACL on a c2821 router with IOS "adventerprisek9-m.12.4.4.T" installed. The download from ACS to the router works, but if the ACL on the Cisco ACS is modified, these changes will not properly move to the router.
Did you fix your problem in the meantime, and can you give me a working config?
Regards
Ralf
10-25-2008 08:05 AM
Hi Ralf,
I have been trying for almost the whole week to force my router, with the same IOS as yours, to work with ACS and DACL, but unsuccessfully. I'm a little confused: do I need the "aaa authorization filterserver" command or not? Would you please send me your router config?
Regards,
Darko
01-29-2009 05:46 PM
Hi,
I have the same problem. Can anyone give some suggestions about other router, IOS, and ACS types/series that can do DACL?
I tried a c2691, c2691-advsecurityk9-mz.124-9.T5, and ACS 4.2, but it doesn't work.