Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4038
Views
0
Helpful
0
Replies

RADIUS downloadable ACL and AV pair

Martin Kyrc
Level 3
Level 3

‎05-17-2012 06:03 AM - edited ‎03-10-2019 07:05 PM

Hello,

in cisco doc (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration85/guide/access_aaa.html#wp1053730) is written:

Merges a downloadable ACL with the ACL received in the Cisco AV pair from a RADIUS packet. The default setting is

no merge dacl,  which specifies that downloadable ACLs will not be merged with Cisco AV  pair ACLs. If both an AV pair and a downloadable ACL are received, the  AV pair has priority and is used.

If both, downloadable ACL (DACL=dacl-ext-user-inside) and predefined ACL using Filter-ID (SACL=vpn-acl-general-inside) is configured in my environment, only DACL is applied (oposite to cisco doc). When I remove DACL from RADIUS configuration, only SACL is applied (that's correct). Here is part of RADIUS log:

Authentication Result

User-Name=external

Filter-ID=vpn-acl-general-inside     <<<< SACL

Class=CACS:ACS-horol/126102282/51

cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-dacl-ext-user-inside-4fb4b7ee  <<<<< DACL

CVPN3000/ASA/PIX7.x-IPSec-Banner1=Profile2: External user from inside

CVPN3000/ASA/PIX7.x-IPSec-Split-Tunnel-List=vpn-split-ext-user-inside

CVPN3000/ASA/PIX7.x-IPSec-Split-Tunneling-Policy=Split tunneling

CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools=vpn-pool-ext-user

(^^ the same I can see in debug radius, or debug ipsec on asa).

It's a bug or 'feature'?

SW versions in my lab: ASA 8.4(3), ACS 5.3 (trial version)

--

martin

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents