Problem with AnyConnect + Downloadable ACLs (ACS) on Cisco Router (IOS)

maksimmentus
Level 1

Hi everyone!

I'm trying to configure AnyConnect with downloadable ACLs (with ACS) on a Cisco router. But I have a problem with it.

I'm using:

Cisco 3925e - c3900e-universalk9-mz.SPA.152-4.M5

ACS - v4.2

I created a Downloadable ACL for the user on ACS, and when the user tries to connect, we can see this debug message on the Cisco router:

Jul 31 09:57:30.511: AAA/BIND(00000074): Bind i/f  
Jul 31 09:57:30.511: AAA/AUTHEN/LOGIN (00000074): Pick method list 'webvpn'
Jul 31 09:57:30.513: RADIUS/ENCODE(00000074):Orig. component type = SSLVPN
Jul 31 09:57:30.513: RADIUS:  AAA Unsupported Attr: interface         [221] 13  735906328
Jul 31 09:57:30.513: RADIUS/ENCODE(00000074): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul 31 09:57:30.513: RADIUS(00000074): Config NAS IP: 10.10.10.20
Jul 31 09:57:30.513: RADIUS(00000074): Config NAS IPv6: ::
Jul 31 09:57:30.513: RADIUS/ENCODE(00000074): acct_session_id: 1697
Jul 31 09:57:30.513: RADIUS(00000074): sending
Jul 31 09:57:30.513: RADIUS(00000074): Sending a IPv4 Radius Packet
Jul 31 09:57:30.513: RADIUS(00000074): Send Access-Request to 10.230.144.15:1645 id 1645/52,len 80
Jul 31 09:57:30.513: RADIUS:  authenticator 50 28 9E 79 6F 40 4E 75 - 2F 1B 91 9A 8C 31 06 DA
Jul 31 09:57:30.513: RADIUS:  User-Name           [1]   9   "usertest"
Jul 31 09:57:30.513: RADIUS:  User-Password       [2]   18  *
Jul 31 09:57:30.513: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jul 31 09:57:30.513: RADIUS:  NAS-Port            [5]   6   51                        
Jul 31 09:57:30.513: RADIUS:  NAS-Port-Id         [87]  15  "109.XX.XXX.20"
Jul 31 09:57:30.513: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.20             
Jul 31 09:57:30.513: RADIUS(00000074): Started 5 sec timeout
Jul 31 09:57:30.539: RADIUS: Received from id 1645/52 10.230.144.15:1645, Access-Accept, len 168
Jul 31 09:57:30.539: RADIUS:  authenticator 2B 60 62 37 01 23 60 89 - 82 93 ED 8F D5 BE 40 B9
Jul 31 09:57:30.539: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
Jul 31 09:57:30.539: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
Jul 31 09:57:30.539: RADIUS:  Tunnel-Private-Group[81]  6   01:"201"
Jul 31 09:57:30.539: RADIUS:  Vendor, Cisco       [26]  64  
Jul 31 09:57:30.539: RADIUS:   Cisco AVpair       [1]   58  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-usertest-53857d57"
Jul 31 09:57:30.539: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255           
Jul 31 09:57:30.539: RADIUS:  Vendor, Cisco       [26]  35  
Jul 31 09:57:30.539: RADIUS:   Cisco AVpair       [1]   29  "webvpn:inacl=WEBVPN-usertest"
Jul 31 09:57:30.539: RADIUS:  Class               [25]  25  
Jul 31 09:57:30.539: RADIUS:   43 41 43 53 3A 30 2F 31 36 30 63 35 2F 61 65 36  [CACS:0/160c5/ae6]
Jul 31 09:57:30.539: RADIUS:   66 65 31 34 2F 35 31           [ fe14/51]
Jul 31 09:57:30.539: RADIUS(00000074): Received from id 1645/52
Jul 31 09:57:30.539: AAA/ATTR: invalid attribute prefix: "ACS"
Jul 31 09:57:30.539: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: usertest] [Source: 109.XX.XXX.20] [localport: 443] at 15:57:30 KRZ Thu Jul 31 2014
Jul 31 09:57:30.539: RADIUS/ENCODE(00000074):Orig. component type = SSLVPN
Jul 31 09:57:30.539: RADIUS(00000074): Config NAS IP: 10.10.10.20
Jul 31 09:57:30.539: RADIUS(00000074): Config NAS IPv6: ::
Jul 31 09:57:30.539: RADIUS(00000074): sending
Jul 31 09:57:30.539: RADIUS(00000074): Sending a IPv4 Radius Packet
Jul 31 09:57:30.539: RADIUS(00000074): Send Accounting-Request to 10.230.144.15:1646 id 1646/101,len 137
Jul 31 09:57:30.539: RADIUS:  authenticator 33 53 C6 03 FE 34 74 D3 - 3D 11 65 42 8D 60 A7 7F
Jul 31 09:57:30.539: RADIUS:  Acct-Session-Id     [44]  10  "000006A1"
Jul 31 09:57:30.539: RADIUS:  Nas-Identifier      [32]  16  "WebVPN-clients"
Jul 31 09:57:30.539: RADIUS:  User-Name           [1]   9   "usertest"
Jul 31 09:57:30.539: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
Jul 31 09:57:30.539: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jul 31 09:57:30.539: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Jul 31 09:57:30.539: RADIUS:  NAS-Port            [5]   6   51                        
Jul 31 09:57:30.539: RADIUS:  NAS-Port-Id         [87]  15  "109.XX.XXX.20"
Jul 31 09:57:30.539: RADIUS:  Class               [25]  25  
Jul 31 09:57:30.539: RADIUS:   43 41 43 53 3A 30 2F 31 36 30 63 35 2F 61 65 36  [CACS:0/160c5/ae6]
Jul 31 09:57:30.539: RADIUS:   66 65 31 34 2F 35 31           [ fe14/51]
Jul 31 09:57:30.539: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jul 31 09:57:30.539: RADIUS:  NAS-IP-Address      [4]   6   10.10.10.20             
Jul 31 09:57:30.539: RADIUS:  Acct-Delay-Time     [41]  6   0                         
Jul 31 09:57:30.539: RADIUS(00000074): Started 5 sec timeout
Jul 31 09:57:30.543: RADIUS: Received from id 1646/101 10.230.144.15:1646, Accounting-response, len 20
Jul 31 09:57:30.543: RADIUS:  authenticator D8 E9 02 83 AF D1 8A 69 - 20 64 EB B4 5C 5F D6 7E

Here you can see the message:

Jul 31 09:57:30.539: AAA/ATTR: invalid attribute prefix: "ACS"

The Cisco router could not understand what the "ACS" attribute is.

To make everything work, I have to create a local ACL "WEBVPN-usertest" on the router and set the attribute [009\001] cisco-av-pair = webvpn:inacl=WEBVPN-usertest on ACS.

But I can't understand what's wrong with Downloadable ACLs.

How do I make Downloadable ACLs work?

Thank you! :)
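The debug output above shows the router receiving two Cisco AVpairs in the Access-Accept and then logging that the "ACS" prefix is invalid, so only the webvpn:inacl pair can take effect. The following is an added example, not code from the post or from Cisco: a small Python checker that reads debug output in the same format, lists the AVpairs inside the Access-Accept, correlates them with any AAA/ATTR "invalid attribute prefix" line, and reports which ACL name the router will actually try to find locally. The set of accepted prefixes (only webvpn, since that is the one the post shows working) and the regular expressions tuned to this debug format are assumptions; the sample text is a constructed excerpt built from the values in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed excerpt in the same format as the "debug radius"
# output in the post above (attribute values copied from that output).
SAMPLE_DEBUG = """\
Jul 31 09:57:30.513: RADIUS(00000074): Send Access-Request to 10.230.144.15:1645 id 1645/52,len 80
Jul 31 09:57:30.513: RADIUS:  User-Name           [1]   9   "usertest"
Jul 31 09:57:30.539: RADIUS: Received from id 1645/52 10.230.144.15:1645, Access-Accept, len 168
Jul 31 09:57:30.539: RADIUS:  Tunnel-Private-Group[81]  6   01:"201"
Jul 31 09:57:30.539: RADIUS:  Vendor, Cisco       [26]  64
Jul 31 09:57:30.539: RADIUS:   Cisco AVpair       [1]   58  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-usertest-53857d57"
Jul 31 09:57:30.539: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
Jul 31 09:57:30.539: RADIUS:  Vendor, Cisco       [26]  35
Jul 31 09:57:30.539: RADIUS:   Cisco AVpair       [1]   29  "webvpn:inacl=WEBVPN-usertest"
Jul 31 09:57:30.539: RADIUS(00000074): Received from id 1645/52
Jul 31 09:57:30.539: AAA/ATTR: invalid attribute prefix: "ACS"
Jul 31 09:57:30.539: RADIUS(00000074): Send Accounting-Request to 10.230.144.15:1646 id 1646/101,len 137
"""

# Regular expressions are an assumption fitted to the debug format shown in the post.
ACCEPT_RE = re.compile(r"RADIUS: Received from id \S+ \S+, Access-Accept")
END_RE = re.compile(r"RADIUS\(\w+\): (Received from id|Send )")
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
REJECT_RE = re.compile(r'AAA/ATTR: invalid attribute prefix: "([^"]+)"')
INACL_RE = re.compile(r"^webvpn:inacl=(\S+)$")

# Assumption: the post only shows the "webvpn:" prefix being honoured by this IOS
# image, so it is the only default; extend the set for prefixes your platform accepts.
DEFAULT_ACCEPTED = frozenset({"webvpn"})


@dataclass
class AVPairAudit:
    avpairs: List[Tuple[str, str]] = field(default_factory=list)  # (prefix, full value)
    rejected_prefixes: List[str] = field(default_factory=list)     # from AAA/ATTR lines
    applied_inacl: Optional[str] = None                             # ACL the router looks up locally
    unusable: List[str] = field(default_factory=list)              # AVpairs that take no effect


def audit_avpairs(debug_text: str, accepted=DEFAULT_ACCEPTED) -> AVPairAudit:
    """Collect Cisco AVpairs inside the Access-Accept and flag those the router
    logged as invalid or whose prefix is not in the accepted set."""
    audit = AVPairAudit()
    in_accept = False
    for line in debug_text.splitlines():
        if ACCEPT_RE.search(line):
            in_accept = True          # attributes that follow belong to the Access-Accept
            continue
        if in_accept and END_RE.search(line):
            in_accept = False         # router finished parsing the reply
        if in_accept:
            m = AVPAIR_RE.search(line)
            if m:
                value = m.group(1)
                prefix, sep, _ = value.partition(":")
                audit.avpairs.append((prefix if sep else "", value))
        m = REJECT_RE.search(line)
        if m:
            audit.rejected_prefixes.append(m.group(1))
    for prefix, value in audit.avpairs:
        if prefix in audit.rejected_prefixes or prefix not in accepted:
            audit.unusable.append(value)
        m = INACL_RE.match(value)
        if m and prefix in accepted:
            audit.applied_inacl = m.group(1)
    return audit


def report(audit: AVPairAudit) -> str:
    """Human-readable summary: one line per AVpair plus the ACL name to verify on the router."""
    lines = []
    for _, value in audit.avpairs:
        status = "IGNORED" if value in audit.unusable else "applied"
        lines.append(f"{status:8} {value}")
    if audit.applied_inacl:
        lines.append(f"router will look for local ACL: {audit.applied_inacl}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_avpairs(SAMPLE_DEBUG)))
```

Run it against a captured debug radius session (paste the text in place of SAMPLE_DEBUG) to confirm which ACL the router will apply; an AVpair marked IGNORED means the session is being admitted without that access control, and the ACL named in applied_inacl must exist on the router, which is exactly the manual workaround described above.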

1 Reply

seanelias
Level 1

This is a limitation of Cisco IOS, but all the ASA versions support WebVPN DACL.

We actually requested Cisco to include this feature in their next IOS release (routers).

Thanks