downloadable acl acs 5.6

Eugene Khabarov
Level 7

Hi, all! Is it possible to make downloadable ACLs work with a Cisco IOS L2TP/PPTP server and Cisco Secure ACS 5.6? I'm getting the attribute according to the PPP negotiation, but nothing happens:

000563: *Feb  9 13:50:34.676 MSK: ALLOC-FREE: AAA/ATTR(0000000F): del attr: sublist(0x87CB9690) index(1): 87CB96CC 0 00000081 CiscoSecure-Defined-ACL(826) 31 #ACSACL#-IP-RESTRICTED-56d0d142

#debug aaa authorization 
AAA Authorization debugging is on

003042: *Feb  9 14:35:40.378 MSK: AAA/BIND(00000016): Bind i/f  
003043: *Feb  9 14:35:40.382 MSK: AAA/BIND(00000016): Bind i/f Virtual-Template2 
003044: *Feb  9 14:35:40.594 MSK: ERROR: AAA/ATTR: invalid attribute prefix: "ACS"
003045: *Feb  9 14:35:40.606 MSK: AAA/BIND(00000016): Bind i/f Virtual-Access2.1 

 

I know about CSCsz52486 but I'm using C880 Software (C880DATA-UNIVERSALK9-M), Version 15.3(3)M5. Is it affected?

I can't use cisco-avpair="ip:inacl#" since my ACL is more than 4096 bytes in total (max per RFC 2865 for RADIUS attributes), and I can't apply it correctly with this attribute #11.

Maybe Cisco will implement https://tools.ietf.org/html/draft-perez-radext-radius-fragmentation-01 in the future?

Thank you in advance.

1 Reply

xavicespedesios
Level 1

Also, it would be great to allow RADIUS over TCP (then there is no limit of 4096 bytes):

http://tools.ietf.org/html/rfc6613

And RadSec

Thank you!!
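
Added example (not part of the posts above, and not Cisco code): a size check for an ACL sent as `cisco-avpair` `ip:inacl#<n>` entries, as discussed in the question, reporting the first ACE at which the reply would exceed the 4096-octet RADIUS packet length defined in RFC 2865. It assumes Cisco vendor ID 9 with vendor type 1 for cisco-avpair; the sample ACL, the function names and the `other_attr_bytes` allowance are constructed for illustration.

```python
import struct

RADIUS_MAX_PACKET = 4096  # RFC 2865: maximum RADIUS packet length in octets
RADIUS_HEADER_LEN = 20    # code + identifier + length + 16-octet authenticator
ATTR_MAX_LEN = 255        # attribute Length is a single octet
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1

# Constructed sample: 100 identical ACEs (192.0.2.0/24 is a documentation range).
SAMPLE_ACL = ["permit ip any host 192.0.2.10"] * 100


def encode_cisco_avpair(value):
    """Encode one cisco-avpair string as a Vendor-Specific (type 26) attribute."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)   # vendor-type + vendor-length + data
    attr_len = 6 + vendor_len    # type + length + 4-octet vendor id + sub-attribute
    if attr_len > ATTR_MAX_LEN:
        raise ValueError(f"ACE needs {attr_len} octets, over the 255-octet attribute limit")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, attr_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_len)
    return header + data


def acl_fit_report(aces, other_attr_bytes=0):
    """Size the ACL as ip:inacl#<n> entries; other_attr_bytes is a hypothetical
    allowance for the remaining attributes in the same Access-Accept."""
    budget = RADIUS_MAX_PACKET - RADIUS_HEADER_LEN - other_attr_bytes
    used, first_overflow = 0, None
    for n, ace in enumerate(aces, start=1):
        used += len(encode_cisco_avpair(f"ip:inacl#{n}={ace}"))
        if first_overflow is None and used > budget:
            first_overflow = n   # 1-based number of the first ACE that no longer fits
    return {"acl_bytes": used,
            "packet_bytes": RADIUS_HEADER_LEN + other_attr_bytes + used,
            "fits": first_overflow is None,
            "first_overflow_ace": first_overflow}


if __name__ == "__main__":
    print(acl_fit_report(SAMPLE_ACL[:10]))
    print(acl_fit_report(SAMPLE_ACL))
```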