
Downloadable ACL with AS5350

simonstoll
Level 1

Hi

Does anybody know if Downloadable ACLs with the AS5350 and ACS work? I tried it with ACS 3.3 and IOS 12.3(11)T11, because I read that this feature should be supported on IOS from 12.3(8)T on. But it doesn't work. When I debug the RADIUS authorization, I get the following error:

Feb 5 12:23:39.994: RADIUS: Cisco AVpair [1] 62 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-RAS_default-45c7006e"

Feb 5 12:23:39.994: AAA/ATTR: unrecognized attribute prefix: "ACS" (WARNING)

Looks like the AS5350 doesn't understand this attribute. Does anybody know anything helpful?

Best regards

Simon

1 Reply

swharvey
Level 3

Hi Simon,

I cannot speak to Downloadable ACLs with the AS5300 product, as I have never done it; however, I have successfully implemented dynamic inbound ACLs on a per-user and per-group basis for dial access with TACACS+ on ACS 3.1 with an AS5300. With this option, you enable "PPP IP" and "Custom attributes" within the TACACS+ Settings section of the group or user, then define the access list you wish to implement. Syntax is important, and below is an example of the format allowing a source subnet to a host for port ssh (Note: this is dynamic ACL syntax, not downloadable ACL syntax):

inacl#1=permit tcp x.x.x.x 0.0.0.255 host y.y.y.y eq 22

In addition, one other pre-requisite with this option is that the ACS local database must be used (you cannot use LDAP or integrate with AD).

Now, if this does not help and you must use Downloadable ACLs, please see the following URLs/PDFs that may be helpful:

http://www.cisco.com/application/pdf/en/us/guest/products/ps6439/c2001/ccmigration_09186a008053d5e4.pdf

Warning on Vulnerability with ACS 3.0-3.3.3:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml

Hope this helps, if so please rate.

Thanks,

-Scott
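
The debug output in the question can be triaged automatically. The Python sketch below is an added example, not code from either poster or from Cisco: it parses "Cisco AVpair" debug lines, splits a downloadable ACL reference into its name and trailing hex token, and marks each pair that the NAS rejected. The function name `triage` is hypothetical, and matching a warning to its AV pair by identical timestamp and prefix is an assumption based on the two lines posted above.

```python
import re

# Debug lines exactly as posted in the question above.
SAMPLE = '''\
Feb 5 12:23:39.994: RADIUS: Cisco AVpair [1] 62 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-RAS_default-45c7006e"
Feb 5 12:23:39.994: AAA/ATTR: unrecognized attribute prefix: "ACS" (WARNING)
'''

# <timestamp>: RADIUS: Cisco AVpair [n] len "prefix:attribute=value"
AVPAIR = re.compile(
    r'^(?P<ts>.+?): RADIUS:\s+Cisco AVpair\s+\[\d+\]\s+\d+\s+'
    r'"(?P<prefix>[^:"]+):(?P<attr>[^="]+)=(?P<value>[^"]*)"')
# <timestamp>: AAA/ATTR: unrecognized attribute prefix: "prefix" (WARNING)
REJECT = re.compile(
    r'^(?P<ts>.+?): AAA/ATTR: unrecognized attribute prefix: "(?P<prefix>[^"]+)"')
# Downloadable ACL reference as it appears in the posted AV pair.
DACL = re.compile(r'^#ACSACL#-IP-(?P<name>.+)-(?P<suffix>[0-9a-fA-F]+)$')


def triage(log_text):
    """Return one dict per AV pair; 'rejected' is True when the NAS logged
    an unrecognized-prefix warning for it (assumption: the warning carries
    the same timestamp and prefix as the AV pair it refers to)."""
    pairs, rejected = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AVPAIR.match(line)
        if m:
            rec = m.groupdict()
            d = DACL.match(rec["value"])
            rec["dacl"] = d.groupdict() if d else None
            pairs.append(rec)
            continue
        m = REJECT.match(line)
        if m:
            rejected.add((m["ts"], m["prefix"]))
    for rec in pairs:
        rec["rejected"] = (rec["ts"], rec["prefix"]) in rejected
    return pairs


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        state = "REJECTED by NAS" if rec["rejected"] else "accepted"
        print(f'{rec["prefix"]}:{rec["attr"]} -> {state}; dacl={rec["dacl"]}')
```

A rejected `ACS:` pair means the downloadable ACL was never applied, so the session runs without the filter the ACS policy intended.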
