09-27-2006 07:37 PM - edited 03-10-2019 02:46 PM
Hi All,
We have a NAS (AS5350) to provide dialup service for branch offices. Cisco ACS 4.0 (RADIUS) is used as the AAA server. We would like to apply an ACL to the dialup client to control access by using the Filter-Id attribute. The ACL can be applied and works fine outbound, but there is a problem when applying it inbound using acl#.in. From "debug ip icmp" on the NAS, the message "ICMP: dst (10.3.54.2) administratively prohibited unreachable sent to 10.3.54.50" is displayed, and the dialup client is not able to reach the NAS or the network behind it. "Destination is unreachable" is returned when trying to ping the NAS from the dialup client.
For your information, below is the sample output of "sh ip int":
Async1/04 is up, line protocol is up
Interface is unnumbered. Using address of Loopback0 (10.3.54.2)
Broadcast address is 255.255.255.255
Peer address is 10.3.54.50
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 110, default is not set
Proxy ARP is enabled
....
The IOS version of AS5350 is 12.4(5b). Any idea? Thanks in advance.
Anthony
09-29-2006 05:55 AM
Hi Anthony,
If I understand correctly, you want to assign an ACL to users dialing in to the AS5350 using the Filter-Id attribute.
Note there are a few ways for ACS to handle ACLs.
1. RADIUS attr 11, Filter-Id. In this case the ACL(s) are defined on the client(s) already; all ACS does is specify which one to use for a given user by handing down attr 11.
2. cisco av-pair. The ACL is configured on ACS via the RADIUS cisco av-pair attribute [26/9/1], per user or group. Again, these are sent via the RADIUS Access-Reply.
3. Downloadable ACLs. Again the ACLs are configured on ACS, per user or group.
So in your case, is the ACL defined on the NAS? What value have you specified in the Filter-Id attribute?
Can you send me the following debug output?
debug aaa authen
debug aaa authorization
debug radius
term mon
I hope this helps.
Thanks
Gagan
09-29-2006 09:13 AM
Hi Gagan,
Exactly, we chose the 1st method in order to be compatible with the old configuration. The access lists are defined on the NAS and the Filter-Id attribute is passed to it when the dialup client is successfully connected.
I only have previous output of "debug radius" for your reference now and will send other debug information for you later. See if you could figure out the problem from the attached log.
I appreciate your help very much.
With Best Regards,
Anthony
09-29-2006 11:51 AM
Hi Anthony,
Not much can be learned from the debugs; as per them, the attribute is sent to the NAS in the Access-Accept packet.
Can you send me the running configuration of the AS together with the ACL name which you are trying to push from ACS?
Also, are you configuring the Cisco av-pair attribute?
Thanks
Gagan
09-29-2006 10:20 PM
10-02-2006 06:01 AM
Hi Anthony,
The RADIUS configuration looks perfect, and even though we have the list defined on the NAS, can you enter the following command in the configuration:
aaa authorization exec default group radius local
You can also refer to the following URL for ACL application:
http://www.cisco.com/warp/public/480/radius_ACL1.html#server_cfg
Please do send me the following debug output:
debug aaa authen
debug aaa authorization
debug radius
debug ppp negotiation
term mon
Thanks
Gagan
10-05-2006 04:25 AM
Hi Gagan,
I was able to test the configuration today and captured the output for your reference.
The following command, "aaa authorization exec default group radius local", was added before capturing the output.
It seemed that if the ACL is applied inbound, all traffic is blocked and an ICMP message is given. So, I guessed there is some security setting that prevents an ACL from being applied inbound on the async interface, but I can't find any document mentioning this.
Anyway, thanks for your help!
Anthony
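As an added illustration (not code from the thread or from Cisco), a small Python checker that splits a Filter-Id value into ACL number and direction, parses a constructed extended ACL, and walks it the way IOS does (first match wins, implicit deny at the end). The ACL 110, the LAN host 192.168.10.5 and the dialup pool 10.3.54.0/24 are hypothetical; the ACL is deliberately written for the outbound direction to show why an ACL that is correct as acl#.out can deny everything as acl#.in, which is one way the "administratively prohibited" symptom above can arise.

```python
import ipaddress

def parse_filter_id(value):
    """Split a RADIUS Filter-Id (attribute 11) value like '110.in' into (acl, direction).
    A value with no '.in'/'.out' suffix is treated as outbound, as IOS does."""
    name, dot, suffix = value.rpartition(".")
    if dot and suffix in ("in", "out"):
        return name, suffix
    return value, "out"

def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda a: True), tokens[1:]
    if tokens[0] == "host":
        host = ipaddress.ip_address(tokens[1])
        return (lambda a: ipaddress.ip_address(a) == host), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))   # wildcard bits are "don't care"
    return (lambda a: int(ipaddress.ip_address(a)) & mask == net & mask), tokens[2:]

def parse_acl(lines):
    """Turn 'access-list N permit|deny PROTO SRC DST' lines into (action, proto, src_ok, dst_ok).
    Port and ICMP-type qualifiers are ignored in this simplified model."""
    entries = []
    for line in lines:
        tokens = line.split()
        src_ok, rest = _take_addr(tokens[4:])
        dst_ok, _ = _take_addr(rest)
        entries.append((tokens[2], tokens[3], src_ok, dst_ok))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    for action, ace_proto, src_ok, dst_ok in entries:
        if ace_proto in ("ip", proto) and src_ok(src) and dst_ok(dst):
            return action
    return "deny"

# Constructed example: ACL 110 written for the outbound direction (LAN 192.168.10.0/24 -> dialup pool).
ACLS = {"110": parse_acl([
    "access-list 110 permit ip 192.168.10.0 0.0.0.255 10.3.54.0 0.0.0.255",
    "access-list 110 deny ip any any",
])}
NAS, PEER, LAN_HOST = "10.3.54.2", "10.3.54.50", "192.168.10.5"   # NAS and peer from the thread

def check_direction(filter_id, lan_addr=LAN_HOST):
    """What the named ACL does to an ICMP packet between lan_addr and the peer, in the suffix's direction.
    Inbound on the async interface means packets *from* the peer; outbound means packets *to* it."""
    acl, direction = parse_filter_id(filter_id)
    src, dst = (PEER, lan_addr) if direction == "in" else (lan_addr, PEER)
    return evaluate(ACLS[acl], "icmp", src, dst)
```

Running check_direction("110.out") returns "permit" while check_direction("110.in") and check_direction("110.in", NAS) return "deny", the latter being the peer's ping of the NAS loopback from the thread.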