12-21-2021 01:50 PM
Hi,
We have ASA5520
Cisco Adaptive Security Appliance Software Version 9.1(7)29
Device Manager Version 7.6(1)
And we use a RADIUS server for AAA.
When a user connects to the ASA using AnyConnect, the ASA receives a Filter-Id for the user from the RADIUS server:
Radius: Type = 11 (0x0B) Filter-Id Radius: Length = 15 (0x0F) Radius: Value (String) = 12 34 56 78 90 12 34 56 78 90 | acl-ACL
But the ASA did not apply it for the user and logged this message:
%ASA-4-113034: Group <GROUP_POLICY_NAME> User <USER> IP <IP> User ACL <acl-ACL> from AAA ignored, AV-PAIR ACL used instead.
On the ASA we have an ACL with exactly that name, acl-ACL, but the ASA ignored it.
On another ASA with the same config and the same RADIUS server it works fine.
Can someone help troubleshoot this?
12-21-2021 02:50 PM
radius-server attribute 11 direction default
Check the direction of the ACL and also add .out or .in in the RADIUS server if needed.
12-22-2021 04:26 AM
Hi, thanks for the answer!
From RADIUS we receive the ACL name (type 11) without an .in or .out prefix, just acl-ACL in the value field.
On ASA we have acl for example:
access-list acl-ACL extended permit ip any any
As I understand it, without this field in the RADIUS message the ASA uses the default ACL that is configured in the group-policy.
But in my case the ASA ignores the ACL from RADIUS and the default ACL and creates a DAP for the user. I don't understand what information the ASA uses to create this DAP.
What debug command can I use besides debug radius?
12-22-2021 04:58 AM
I found the answer.
One of the DAPs does not contain any attribute, like username = "name", so the ASA uses this DAP for every user.
Case closed, thx.
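The troubleshooting steps this thread walks through (read the Filter-Id attribute the RADIUS server sends, spot the 113034 "AAA ignored, AV-PAIR ACL used instead" message, then find the DAP record that matches every session because it has no selection criteria), as an added Python example. This is not code from the original thread or from Cisco. The RADIUS bytes, syslog lines, DAP records and the aaa.radius.11 / aaa.cisco.username attribute names are constructed or assumed for the example, and the precedence rule in effective_acl is modelled on the wording of the 113034 message rather than on ASA internals.

```python
import re

# --- Constructed sample inputs (not from the original post) ---------------------
# RADIUS Filter-Id (attribute type 11) as a raw TLV: type, length, value.
FILTER_ID_TLV = bytes([11, 2 + len(b"acl-ACL")]) + b"acl-ACL"

# Syslog lines in the format of the 113034 message quoted in the thread.
SYSLOG_LINES = [
    "%ASA-4-113034: Group <GroupPolicy_RA> User <jdoe> IP <198.51.100.23> "
    "User ACL <acl-ACL> from AAA ignored, AV-PAIR ACL used instead.",
    "%ASA-6-113039: Group <GroupPolicy_RA> User <jdoe> IP <198.51.100.23> "
    "AnyConnect parent session started.",
]

# Hypothetical DAP records. 'criteria' are attribute/value pairs that must ALL match
# the session; a record with empty criteria therefore matches every session, which
# is the misconfiguration the thread ends on. The aaa.radius.<number> and
# aaa.cisco.username attribute names are assumed for this model.
DAP_RECORDS = [
    {"name": "DAP_Contractors", "criteria": {"aaa.radius.11": "acl-CONTRACTOR"},
     "network_acl": "acl-CONTRACTOR"},
    {"name": "DAP_Admins", "criteria": {"aaa.cisco.username": "admin"},
     "network_acl": "acl-ADMIN"},
    {"name": "DAP_Broken", "criteria": {}, "network_acl": "acl-DAP-OVERRIDE"},
]


def parse_filter_id(tlv: bytes):
    """Parse one RADIUS attribute TLV. Returns (acl_name, direction), where
    direction is 'in' or 'out' if the value carries a .in/.out suffix (the
    suffix the reply in the thread asks about) and None otherwise."""
    if len(tlv) < 3:
        raise ValueError("truncated attribute")
    attr_type, attr_len = tlv[0], tlv[1]
    if attr_type != 11:
        raise ValueError(f"not a Filter-Id attribute: type {attr_type}")
    if attr_len != len(tlv):
        raise ValueError(f"length field {attr_len} does not match {len(tlv)} bytes")
    value = tlv[2:].decode("ascii")
    for suffix in (".in", ".out"):
        if value.endswith(suffix):
            return value[: -len(suffix)], suffix[1:]
    return value, None


ASA_113034 = re.compile(
    r"%ASA-4-113034: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> User ACL <(?P<acl>[^>]+)> from AAA ignored, "
    r"AV-PAIR ACL used instead\."
)


def find_aaa_acl_overrides(lines):
    """Return one dict per 113034 message. Each hit means the Filter-Id ACL
    named in it was discarded in favour of an AV-pair ACL, so the next place
    to look is whatever pushes AV-pair ACLs, such as a DAP record."""
    return [m.groupdict() for m in map(ASA_113034.search, lines) if m]


def matching_daps(session_attrs, records=DAP_RECORDS):
    """Names of DAP records whose criteria all match the session attributes."""
    return [r["name"] for r in records
            if all(session_attrs.get(k) == v for k, v in r["criteria"].items())]


def effective_acl(session_attrs, filter_id_acl, records=DAP_RECORDS):
    """Assumed precedence, modelled on the 113034 text: a matching DAP that
    carries a network ACL wins over the AAA Filter-Id ACL.
    Returns (acl_name, dap_name_or_None)."""
    matched = set(matching_daps(session_attrs, records))
    for r in records:
        if r["name"] in matched and r["network_acl"]:
            return r["network_acl"], r["name"]
    return filter_id_acl, None


def audit_dap_records(records=DAP_RECORDS):
    """Flag DAP records with no selection criteria: they match every session."""
    return [r["name"] for r in records if not r["criteria"]]


if __name__ == "__main__":
    acl, direction = parse_filter_id(FILTER_ID_TLV)
    session = {"aaa.cisco.username": "jdoe", "aaa.radius.11": acl}
    print("Filter-Id:", acl, direction)
    print("113034 hits:", find_aaa_acl_overrides(SYSLOG_LINES))
    print("matching DAPs:", matching_daps(session))
    print("effective ACL:", effective_acl(session, acl))
    print("DAPs with no criteria:", audit_dap_records())
```

Run over the constructed session, only DAP_Broken matches and its network ACL displaces acl-ACL; give DAP_Broken a real criterion (for instance a username) and the Filter-Id ACL is applied again, which is the fix the thread ends with. audit_dap_records is the quick check to run first when 113034 shows up on one ASA but not on another with the same RADIUS server.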