Hello Community,
I am trying to achieve the following scenario:
RADIUS requests from "staging Client" should be forwarded to our LAB-ISE.
Sounds simple? Yes, and it works until the point where the ACCESS-ACCEPT with a dACL is sent back to the Authenticator and the Authenticator tries to download the dACL. At least I can say the redirection of the request and the external authentication/authorization work fine.
The dACL remains problematic in this case. I already traced and tcpdump'd in that matter and tried to develop a condition to match the ACCESS-REQUEST for the dACL download.
On a packet level I have the following fields to filter upon:
- Cisco AV-Pairs (aaa:service=ip_admission, val=aaa:event=acl-download)
- Message-Authenticator
- User-Name (with the dACL name in it)
- NAS-IP-Address
I tried my best to match the dACL name to initiate a redirect to the LAB-ISE; I would add something to identify the request by the name.
I already tried the Condition "Radius:User-Name" equals "#ACSACL#-IP-this_very_good_default-3938d9" (along with other operators) or "NetworkAccess:UserName" but that did not work. Redirecting by "NAS-IP-Address" also had no success.
Then I made an endpoint debug to spot any errors/misspellings, and in the debug output the field name was sometimes "UserName".
My customer wants to test their clients anywhere in our infrastructure without changing network devices and without simply trusting the test CA on our production env.
I am very curious if someone already ran into the same problem and how it was solved. Do I have to escape something in the string to be able to match it or is it even possible?
Thank you for your help
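As an added example (not from the original post and not Cisco ISE code), a small Python decoder for the fields listed above that tells a dACL download ACCESS-REQUEST apart from an ordinary authentication: it keys on the Cisco AV-pairs and the "#ACSACL#-" User-Name prefix rather than on the exact dACL name, so a renamed or regenerated dACL still matches. The sample packet is constructed inline; the NAS address 10.0.0.5 and packet identifier 7 are assumptions.

```python
import struct

ATTR_USER_NAME, ATTR_NAS_IP, ATTR_VSA, ATTR_MSG_AUTH = 1, 4, 26, 80   # RFC 2865 types
CISCO_VENDOR_ID, CISCO_AVPAIR, ACCESS_REQUEST = 9, 1, 1               # Cisco VSA, code 1
DACL_PREFIX = "#ACSACL#-"   # ISE puts the dACL name in User-Name with this prefix
DACL_AVPAIRS = {"aaa:service=ip_admission", "aaa:event=acl-download"}

def _avp(atype, value):     # one RADIUS type/length/value attribute
    return bytes([atype, len(value) + 2]) + value
def build_request(user_name, nas_ip, avpairs, ident=7):
    # Constructed Access-Request; authenticator and Message-Authenticator are zero-filled
    body = _avp(ATTR_USER_NAME, user_name.encode())
    body += _avp(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    for pair in avpairs:    # Vendor-Specific(26): vendor 9, sub-type 1 = cisco-avpair
        sub = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(pair) + 2) + pair.encode()
        body += _avp(ATTR_VSA, sub)
    body += _avp(ATTR_MSG_AUTH, bytes(16))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body

def parse_request(packet):
    """Decode the header and the attributes listed in the post; reject malformed AVPs."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {"code": code, "avpairs": [], "message_authenticator": False}
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            attrs["user_name"] = value.decode("utf-8", "replace")
        elif atype == ATTR_NAS_IP and len(value) == 4:
            attrs["nas_ip"] = ".".join(str(b) for b in value)
        elif atype == ATTR_MSG_AUTH:
            attrs["message_authenticator"] = True
        elif atype == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen >= 2:
                attrs["avpairs"].append(value[6:4 + vlen].decode("utf-8", "replace"))
        pos += alen
    return attrs

def classify_dacl_download(packet):
    # Returns the dACL name when this is an acl-download Access-Request, else None
    a = parse_request(packet)
    name = a.get("user_name", "")
    is_dacl = a["code"] == ACCESS_REQUEST and name.startswith(DACL_PREFIX)
    return name if is_dacl and DACL_AVPAIRS <= set(a["avpairs"]) else None

# Constructed sample: what the switch sends when it fetches the dACL named in the post
SAMPLE = build_request("#ACSACL#-IP-this_very_good_default-3938d9", "10.0.0.5",
                       ["aaa:service=ip_admission", "aaa:event=acl-download"])
```

Running classify_dacl_download on a captured request is a quick way to confirm that the AV-pairs and User-Name really arrive as expected before trying to express the same match as an ISE policy condition.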