12-12-2010 04:24 AM - edited 03-10-2019 05:38 PM
Dear all
I have ACS 5.1 and a Catalyst 3560 switch with version 12.2(53)SE. I configured a dACL on the ACS and I use it in an authorization profile.
This authorization profile is used in an access policy.
I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenticated successfully but the dACL gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11025 The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
11003 Returned RADIUS Access-Reject
DACL:
deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
permit ip any any log
Thanks in advance,
12-12-2010 11:36 AM
You need to have "radius-server vsa send" configured on your switch and I would bet it's not configured :-)
Hope this helps.
Nicolas
===
don't forget to rate answers that you find useful
12-12-2010 11:34 AM
Hi Ahmad,
This usually happens when the AAA client (the switch in your setup) is not sending the expected attributes.
Can you please make sure you have the command "radius-server vsa send" on the switch?
This command will make the switch send the required Vendor Specific Attributes (VSAs) that the ACS needs to return the dACL.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-12-2010 11:38 PM
Dear Tiago
I applied the command "radius-server vsa send". Now I can see the dACL is applied, but I can't see it on the switch, and even though the authentication succeeded in the ACS logs, it gives me unauthorized on the switchport. You can see the logs (started with the username acstest; the access-list is applied but it doesn't work, and you can see that it goes for MAB after EAP timed out). I hope you can help on this issue.
Dec 13,10 10:29:00.513 AM | - | 00-23-AE-7A-58-A6 | Lookup | 1.2.3.4 | TESTACS | 22056 Subject not found in the applicable identity store(s).
Dec 13,10 10:28:29.186 AM | - | 1.2.3.4 | TESTACS
Dec 13,10 10:28:28.726 AM | - | 00-23-AE-7A-58-A6 | PEAP (EAP-MSCHAPv2) | 1.2.3.4 | TESTACS
Thanks,
12-13-2010 02:05 AM
How are you checking that the dACL is present? Does it show up in show access-list?
12-13-2010 10:17 PM
Dear Bastien
It doesn't appear on the switch, but from the ACS logs (table above) you can see the authentication is permitted for both the username and the ACL.
Thanks for your help,
12-13-2010 02:11 AM
Hi,
Can you please get the debugs:
debug radius
debug authentication all
debug dot1x all
Also, please include the interface configuration.
And share them with us, so we see what is going wrong.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-13-2010 10:14 PM
Dear Tiago
Please find the attached file, which contains the debugs and interface configuration.
Also check this authentication troubleshoot:
Troubleshooting Summary
Thanks,
03-29-2017 03:15 AM
Hi, I had a similar problem but I was using ISE, and I was receiving this event "5419 DACL Download Failed".
After writing down the command radius-server vsa send, problem solved.
Thanks Guys!
Regards
Bráulio Castigo
12-13-2010 10:30 PM
I did update for another discussion here, so I deleted.
sorry
12-18-2010 09:04 PM
Dear All
Any update? I uploaded the debugs and interface configuration.
Any help is appreciated.
Thanks,
04-11-2012 03:38 AM
dACLs should contain host part as "any" otherwise it wouldn't work.
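The two fixes offered in this thread (the missing "radius-server vsa send" command from Nicolas and Tiago, and the "any" source field from the 2012 reply) can be checked before a switch is put into production. The script below is an added example, not code from the thread or from Cisco; the running-config excerpt, the RADIUS server address and the key are constructed sample values.

```python
import re

# Constructed running-config excerpt (not from the thread): everything for
# 802.1X is present except the VSA command the thread identifies as missing.
SAMPLE_CONFIG_BROKEN = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key EXAMPLEKEY
dot1x system-auth-control
"""

# Same config with the fix applied (bare "radius-server vsa send" also works).
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG_BROKEN + "radius-server vsa send authentication\n"

# The dACL posted in the thread, beside the form the 2012 reply recommends.
DACL_THREAD = ["deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log", "permit ip any any log"]
DACL_ANY = ["deny ip any 1.2.3.0 0.0.0.255 log", "permit ip any any log"]

# Accept either the bare command (both directions) or the authentication keyword.
VSA_RE = re.compile(r"^\s*radius-server vsa send(\s+authentication)?\s*$", re.M)


def vsa_send_configured(config: str) -> bool:
    """True if the switch will send VSAs on authentication requests."""
    return VSA_RE.search(config) is not None


def dacl_source_problems(aces):
    """Return ACE lines whose source field is not 'any'.  The switch fills in the
    authenticated host as the source of each downloaded ACE, so a fixed 'host'
    or network source is the pattern the 2012 reply says does not work."""
    bad = []
    for ace in aces:
        parts = ace.split()
        if not parts or parts[0] == "remark":
            continue                       # remarks carry no addresses
        if len(parts) < 3 or parts[0] not in ("permit", "deny"):
            bad.append(ace)                # not a recognizable extended ACE
            continue
        if parts[2] != "any":              # parts[2] is the source field
            bad.append(ace)
    return bad


def audit(config: str, aces) -> list:
    """Combine both checks; an empty list means nothing in this thread applies."""
    findings = []
    if not vsa_send_configured(config):
        findings.append("missing 'radius-server vsa send authentication' "
                        "(ACS step 11025 / ISE event 5419 dACL download failure)")
    for ace in dacl_source_problems(aces):
        findings.append(f"dACL ACE source is not 'any': {ace}")
    return findings
```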