dacl on ACS 5.1 and Catalyst switch 3560

Ahmad Samir
Level 1

Dear all

I have ACS 5.1 and a Catalyst 3560 switch running version 12.2(53)SE. I configured a dACL on the ACS and use it in an authorization profile.

This authorization profile is used in an access policy.

I tried the authentication but it doesn't work. I checked the ACS logs and found that the user is authenticated successfully, but the dACL gives this error: (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)

Steps:

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
11003  Returned RADIUS Access-Reject

DACL:

deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log

permit ip any any log

Thanks in advance,

Accepted Solution

Nicolas Darchis
Cisco Employee

You need to have "radius-server vsa send" configured on your switch and I would bet it's not configured :-)

Hope this helps.

Nicolas

===

don't forget to rate answers that you find useful


11 Replies

Tiago Antunes
Cisco Employee

Hi Ahmad,

This usually happens when the AAA client (the switch in your setup) is not sending the expected attributes.

Can you please make sure you have the command "radius-server vsa send" on the switch?

This command will make the switch to send the required Vendor Specific Attributes (VSAs) that the ACS needs to return the dACL.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
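To show concretely what ACS step 11025 is checking for, here is an added Python example (not code from the thread, from Cisco, or from ACS): it encodes two constructed RADIUS Access-Requests for the dACL download, one without and one with the Cisco vendor-specific cisco-av-pair, then runs the same presence check ACS applies before it returns the ACL. The packet bytes, the Request Authenticator and the helper names are constructed for illustration; the dACL name and NAS address are the ones shown in the thread.

```python
"""Check a RADIUS Access-Request for the Cisco VSA that ACS requires before
it will return a downloadable ACL (dACL).

Added example, not from the thread. Packets are built in memory (no
network), so the attribute values and authenticator are constructed."""
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9                # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                   # vendor-type of cisco-av-pair
REQUIRED_AVPAIR = "aaa:event=acl-download"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(value: str) -> bytes:
    """Encode a cisco-av-pair inside a Vendor-Specific attribute."""
    raw = value.encode("ascii")
    vendor_payload = struct.pack("!BB", CISCO_AVPAIR, len(raw) + 2) + raw
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", CISCO_VENDOR_ID) + vendor_payload)


def build_access_request(attributes: bytes, identifier: int = 1) -> bytes:
    """Wrap attributes in a RADIUS header. The Request Authenticator is a
    constructed constant here; a real client uses 16 random bytes."""
    authenticator = bytes(range(16))
    length = 20 + len(attributes)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length)
    return header + authenticator + attributes


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet, validating lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def cisco_avpairs(packet: bytes):
    """Return the cisco-av-pair strings carried in the packet."""
    pairs = []
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4  # vendor sub-attributes follow the 4-byte vendor id
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def check_dacl_request(packet: bytes) -> str:
    """Mimic the ACS step 11025 decision: the dACL download request must
    carry cisco-av-pair 'aaa:event=acl-download'."""
    if REQUIRED_AVPAIR in cisco_avpairs(packet):
        return "ok: aaa:event=acl-download present, dACL can be returned"
    return ("reject: missing cisco-av-pair aaa:event=acl-download "
            "(is 'radius-server vsa send' configured on the switch?)")


DACL_NAME = b"#ACSACL#-IP-Guest-4cfcc14d"   # dACL name from the thread
NAS_IP = bytes([1, 2, 3, 4])               # NAS-IP-Address from the thread

# Constructed: what a switch sends without 'radius-server vsa send'.
REQUEST_WITHOUT_VSA = build_access_request(
    attr(ATTR_USER_NAME, DACL_NAME) + attr(ATTR_NAS_IP_ADDRESS, NAS_IP))

# Constructed: the same request once the switch includes Cisco VSAs.
REQUEST_WITH_VSA = build_access_request(
    attr(ATTR_USER_NAME, DACL_NAME) + attr(ATTR_NAS_IP_ADDRESS, NAS_IP)
    + cisco_avpair(REQUIRED_AVPAIR), identifier=2)

if __name__ == "__main__":
    for pkt in (REQUEST_WITHOUT_VSA, REQUEST_WITH_VSA):
        print(check_dacl_request(pkt))
```

The dACL download is a second, separate Access-Request whose User-Name is the ACL name, which is why a passing user authentication in the log can sit right next to a rejected ACL download; the VSA is only added to that request when the switch is told to send vendor-specific attributes.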

Dear Tiago

I applied the command "radius-server vsa send". Now I can see the dACL is applied, but I can't see it on the switch, and even though the authentication succeeded in the ACS logs, it gives me unauthorized on the switchport. You can see the logs (starting with the username acstest; the access-list is applied but it doesn't work, and you can see that it goes to MAB after EAP timed out). I hope you can help on this issue.

Dec 13, 2010 10:29:00.513 AM - Username: 00-23-AE-7A-58-A6; MAC Address: 00-23-AE-7A-58-A6; Access Service: Default Network Access; Authentication Method: Lookup; Network Device Name: Dot1x-3560-Switch; Network Device IP: 1.2.3.4; NAS Port ID: FastEthernet0/5; ACS Server: TESTACS; Failure Reason: 22056 Subject not found in the applicable identity store(s).

Dec 13, 2010 10:28:29.186 AM - Username: #ACSACL#-IP-Guest-4cfcc14d; Network Device Name: Dot1x-3560-Switch; Network Device IP: 1.2.3.4; ACS Server: TESTACS

Dec 13, 2010 10:28:28.726 AM - Username: acstest; MAC Address: 00-23-AE-7A-58-A6; Access Service: Default Network Access; Authentication Method: PEAP (EAP-MSCHAPv2); Network Device Name: Dot1x-3560-Switch; Network Device IP: 1.2.3.4; NAS Port ID: FastEthernet0/5; ACS Server: TESTACS


Thanks,

How are you checking that the dACL is present? Does it show up in show access-list?

Dear Bastien

It doesn't appear on the switch, but from the ACS logs (table above) you can see the authentication is permitted for both the username and the ACL.

Thanks for your help,

Hi,

Can you please get the debugs:

debug radius

debug authentication all

debug dot1x all

Also, please include the interface configuration.

And share them with us, so we see what is going wrong.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Dear Tiago

Please find the attached file, which contains the debugs and interface configuration.

Also Check this Authentication troubleshoot:

Troubleshooting Summary

Step successful: Investigated authentication record with details:
  Timestamp: 2010-12-14 08:33:57.51
  ACS Server: TESTACS
  Username: #ACSACL#-IP-Guest-4cfcc14d
  MAC Address:
  Status: Passed
  Failure Reason:
  Network Device Name: Dot1x-3560-Switch
  Network Device IP: 1.2.3.4
  Identity Store:
  Identity Group:
  NAS Port ID:
  Audit Session ID:
  Authentication Method:

Step failed: Network Device syslogs cannot be obtained.
  Details: This device does not provide Audit Session ID. Hence syslogs cannot be retrieved.

Step successful: Attempted to get dACL Name from response field in authentication record. dACL name is "#ACSACL#-IP-Guest-4cfcc14d".

Step successful: Retrieved "aaa authorization network" configuration from device 1.2.3.4.
  Details: Found configuration: aaa authorization network default group radius

Step failed: Internal error
  Details: Could not find the value for the property Flow_NAS_PORT_ID

Thanks,

Hi, I had a similar problem, but I was using ISE, and I was receiving this event: "5419 DACL Download Failed".

After entering the command radius-server vsa send, the problem was solved.

Thanks Guys!

Regards

Bráulio Castigo


I posted an update for another discussion here, so I deleted it.

Sorry.

Dear All

Any update? I uploaded the debugs and interface configuration.

Any help is appreciated.

Thanks,

shoaibkhan
Level 1

dACLs should contain host part as "any" otherwise it wouldn't work.
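As an added example (not from the thread or from Cisco), the following Python lint parses dACL entries into their fields and flags any ACE whose source is not "any", which is the point made above: the switch substitutes the authenticated host's own address for the source when it applies a dACL, so a literal host or subnet source does not work. The sample input is the dACL posted in the question plus a constructed rewrite with "any" as the source; the function and field names are this example's own.

```python
"""Lint Cisco downloadable ACL (dACL) entries: the source of every ACE must be
'any', since the switch fills in the authenticated host's address itself.

Added example, not from the thread. The sample ACL text below is the one
posted in the question plus a constructed corrected version."""


def _take_address(tokens, pos):
    """Consume one address spec ('any', 'host X', or 'addr wildcard')."""
    if pos >= len(tokens):
        raise ValueError("truncated ACE: missing address")
    if tokens[pos] == "any":
        return "any", pos + 1
    if pos + 1 >= len(tokens):
        raise ValueError("truncated ACE: address needs two tokens")
    if tokens[pos] == "host":
        return f"host {tokens[pos + 1]}", pos + 2
    return f"{tokens[pos]} {tokens[pos + 1]}", pos + 2


def parse_ace(line: str) -> dict:
    """Split 'permit|deny <proto> <src> <dst> [options...]' into fields."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line!r}")
    action, proto = tokens[0], tokens[1]
    src, pos = _take_address(tokens, 2)
    dst, pos = _take_address(tokens, pos)
    return {"action": action, "protocol": proto, "source": src,
            "destination": dst, "options": tokens[pos:]}


def lint_dacl(text: str):
    """Return (line_no, problem) for every ACE whose source is not 'any'.
    Blank lines, '!' comments and 'remark' lines are skipped."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("remark"):
            continue
        ace = parse_ace(line)
        if ace["source"] != "any":
            problems.append((n, f"source must be 'any', got {ace['source']!r}"))
    return problems


# The dACL as posted in the question (host source in the first ACE).
POSTED_DACL = """\
deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
permit ip any any log
"""

# Constructed rewrite: 'any' as source; the switch applies it per host.
CORRECTED_DACL = """\
deny ip any 1.2.3.0 0.0.0.255 log
permit ip any any log
"""

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_DACL), ("corrected", CORRECTED_DACL)):
        print(name, lint_dacl(acl) or "no problems")
```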