Martin Kyrc
Participant

RADIUS downloadable ACL and AV pair

Hello,

In the Cisco doc (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/access_aaa.html#wp1053730) it is written:

Merges a downloadable ACL with the ACL received in the Cisco AV pair from a RADIUS packet. The default setting is no merge dacl, which specifies that downloadable ACLs will not be merged with Cisco AV pair ACLs. If both an AV pair and a downloadable ACL are received, the AV pair has priority and is used.

If both a downloadable ACL (DACL=dacl-ext-user-inside) and a predefined ACL using Filter-ID (SACL=vpn-acl-general-inside) are configured in my environment, only the DACL is applied (opposite to the Cisco doc). When I remove the DACL from the RADIUS configuration, only the SACL is applied (that's correct). Here is part of the RADIUS log:

Authentication Result

User-Name=external
Filter-ID=vpn-acl-general-inside     <<<< SACL
Class=CACS:ACS-horol/126102282/51
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dacl-ext-user-inside-4fb4b7ee  <<<<< DACL
CVPN3000/ASA/PIX7.x-IPSec-Banner1=Profile2: External user from inside
CVPN3000/ASA/PIX7.x-IPSec-Split-Tunnel-List=vpn-split-ext-user-inside
CVPN3000/ASA/PIX7.x-IPSec-Split-Tunneling-Policy=Split tunneling
CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools=vpn-pool-ext-user

(^^ I can see the same in debug radius or debug ipsec on the ASA).

Is it a bug or a 'feature'?

SW versions in my lab: ASA 8.4(3), ACS 5.3 (trial version)

--

martin
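A small check, added here and not part of Martin's post: given the attribute lines ACS shows under Authentication Result, it pulls out the Filter-ID ACL name and the DACL name carried in the cisco-av-pair, and flags when both are returned, which is exactly the case the ASA's merge dacl setting governs. The sample input is constructed from the attributes quoted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the Authentication Result quoted in the post.
SAMPLE_RESULT = """\
User-Name=external
Filter-ID=vpn-acl-general-inside
Class=CACS:ACS-horol/126102282/51
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dacl-ext-user-inside-4fb4b7ee
CVPN3000/ASA/PIX7.x-IPSec-Banner1=Profile2: External user from inside
CVPN3000/ASA/PIX7.x-IPSec-Split-Tunneling-Policy=Split tunneling
"""

# DACL reference format: #ACSACL#-IP-<acl name>-<8 hex digit version suffix>
DACL_RE = re.compile(r"#ACSACL#-IP-(?P<name>.+)-(?P<ver>[0-9a-f]{8})$")

@dataclass
class AclAttributes:
    filter_id: Optional[str] = None          # SACL name from Filter-ID
    dacl_name: Optional[str] = None          # DACL name from the av-pair
    dacl_version: Optional[str] = None       # version suffix ACS appends
    other_av_pairs: List[str] = field(default_factory=list)

def parse_authentication_result(text: str) -> AclAttributes:
    """Extract the ACL-bearing attributes from an ACS Authentication Result."""
    attrs = AclAttributes()
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key == "Filter-ID":
            attrs.filter_id = value.strip()
        elif key == "cisco-av-pair":
            # ACS prefixes the pair with "ACS:" in its log view; drop it.
            pair = value[4:] if value.startswith("ACS:") else value
            pkey, _, pval = pair.partition("=")
            m = DACL_RE.match(pval)
            if pkey == "CiscoSecure-Defined-ACL" and m:
                attrs.dacl_name, attrs.dacl_version = m.group("name"), m.group("ver")
            else:
                attrs.other_av_pairs.append(pair)
    return attrs

def acl_conflict(attrs: AclAttributes) -> Optional[Tuple[str, str]]:
    """Return (dacl, sacl) when both were sent, i.e. when merge dacl decides."""
    if attrs.dacl_name and attrs.filter_id:
        return (attrs.dacl_name, attrs.filter_id)
    return None
```

Run it over the attribute list from debug radius to confirm the server really returned both ACLs before looking at the merge dacl setting on the ASA.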
