Downloadable ACLs ACS 5.2

cpfl_vzuben
Level 1

Hi all,

How many ACL lines is it possible to configure in downloadable ACLs in ACS 5.2?

Best Regards

Evandro.

1 Accepted Solution

Accepted Solutions

Tiago Antunes
Cisco Employee

Hi,

In ACS 5.x you have 2 ways of sending ACLs; one has a limit and the other does not.

The limit is imposed by the maximum size of 4096 bytes that a RADIUS packet can have.

Option 1 - Cisco VSAs. Supported by old IOS releases.

Basically you need to use Cisco VSAs in a format like this example:

ip:inacl#100=permit udp any any eq bootps
ip:inacl#200=permit udp any any eq domain
ip:inacl#300=permit ip any host 192.168.80.2
ip:inacl#400=permit ip host 192.168.80.2 any
ip:inacl#500=deny ip any any

1) Go to "Policy Elements > ... > Authorization and Permissions > Network Access > Authorization Profiles > Create" and under "Common Tasks" make sure you do not use a downloadable ACL name (see screenshot).

2) Then on the RADIUS Attribute tab enter the ACL line by line (see screenshot).

Then you link the Authorization profile to the Access Service.

Step 1:

Step 2:

Option 2 - dACLs. Here the ACL is fragmented into several RADIUS packets if needed. This is supported by IOS devices on the latest IOS releases: 12.2(33)SXI on the Catalyst 6500, Catalyst 4500 release 12.2(50)SG, and then on the Catalyst 3750/3560 and 2960 families on 12.2(50)SE.

1) Go to "Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs" and create a dACL (see screenshot).
2) Go to "Policy Elements > ... > Authorization and Permissions > Network Access > Authorization Profiles > Create" and link the dACL to the Authorization profile (see screenshot).
Then you link the Authorization profile to the Access Service.

Step 1:

Step 2:

Full configuration example:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html

Hope this helps,

Tiago

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
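As an added illustration of the 4096-byte limit the answer above refers to (example code, not from the post or from Cisco): it encodes ip:inacl# lines as cisco-avpair Vendor-Specific attributes in the RFC 2865 layout (type 26, Cisco vendor ID 9, vendor-type 1) and estimates the size of an Access-Accept carrying them. The estimate assumes the packet carries nothing but these attributes; a real Access-Accept also carries other attributes, so the real headroom is smaller.

```python
import struct

RADIUS_HEADER_LEN = 20    # Code, Identifier, Length, Authenticator (RFC 2865)
RADIUS_MAX_PACKET = 4096  # maximum RADIUS packet length, the limit the post mentions
VSA_TYPE = 26             # Vendor-Specific attribute type
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor-type of the cisco-avpair string attribute
MAX_ATTR_LEN = 255        # the attribute Length field is a single byte

# The ACL from the post, in plain ACE form (constructed sample input).
SAMPLE_ACL = [
    "permit udp any any eq bootps",
    "permit udp any any eq domain",
    "permit ip any host 192.168.80.2",
    "permit ip host 192.168.80.2 any",
    "deny ip any any",
]


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific attribute."""
    data = value.encode("ascii")
    # Type(1) + Length(1) + Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + string
    total = 8 + len(data)
    if total > MAX_ATTR_LEN:
        raise ValueError(f"ACL line does not fit in one attribute: {value!r}")
    header = struct.pack("!BBIBB", VSA_TYPE, total, CISCO_VENDOR_ID,
                         CISCO_AVPAIR, 2 + len(data))
    return header + data


def inacl_avpairs(acl_lines):
    """Number the ACEs in steps of 100, as the post does, as ip:inacl# pairs."""
    return [f"ip:inacl#{(i + 1) * 100}={line}" for i, line in enumerate(acl_lines)]


def access_accept_size(avpairs) -> int:
    """Size of an Access-Accept carrying only the header and these VSAs."""
    return RADIUS_HEADER_LEN + sum(len(encode_cisco_avpair(p)) for p in avpairs)


def fits_in_one_packet(acl_lines) -> bool:
    return access_accept_size(inacl_avpairs(acl_lines)) <= RADIUS_MAX_PACKET


def max_lines_that_fit(acl_line: str) -> int:
    """How many copies of one ACE fit in a single Access-Accept via Option 1."""
    n = 0
    while fits_in_one_packet([acl_line] * (n + 1)):
        n += 1
    return n
```

For the five-line ACL in the post the packet is well under the limit; the per-line budget of roughly 50 bytes is why long ACLs need Option 2, where the dACL is fetched in several packets.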
