
downloadable acl acs 5.6

Eugene Khabarov
Level 7

Hi, all! Is it possible to make downloadable ACLs work with a Cisco IOS L2TP/PPTP server and Cisco Secure ACS 5.6? I'm getting the attribute according to the PPP negotiation, but nothing happens:

000563: *Feb  9 13:50:34.676 MSK: ALLOC-FREE: AAA/ATTR(0000000F): del attr: sublist(0x87CB9690) index(1): 87CB96CC 0 00000081 CiscoSecure-Defined-ACL(826) 31 #ACSACL#-IP-RESTRICTED-56d0d142

#debug aaa authorization 
AAA Authorization debugging is on

003042: *Feb  9 14:35:40.378 MSK: AAA/BIND(00000016): Bind i/f  
003043: *Feb  9 14:35:40.382 MSK: AAA/BIND(00000016): Bind i/f Virtual-Template2 
003044: *Feb  9 14:35:40.594 MSK: ERROR: AAA/ATTR: invalid attribute prefix: "ACS"
003045: *Feb  9 14:35:40.606 MSK: AAA/BIND(00000016): Bind i/f Virtual-Access2.1 

 

I know about CSCsz52486 but I'm using C880 Software (C880DATA-UNIVERSALK9-M), Version 15.3(3)M5. Is it affected?

I can't use cisco-avpair="ip:inacl#" since my ACL is more than 4096 bytes (max per RFC 2865 for RADIUS attributes) in total, and I can't apply it correctly with this attribute #11.

Maybe Cisco will implement https://tools.ietf.org/html/draft-perez-radext-radius-fragmentation-01 in the future?

Thank you in advance.

1 Reply

xavicespedesios
Level 1

Also, it would be great to allow RADIUS over TCP (then there is no limit of 4096 bytes):

http://tools.ietf.org/html/rfc6613

And RadSec

Thank you!!
