[c-nsp] ACS 5.x and ASA - Webtype ACL

Antonio Soares amsoares at netcabo.pt
Wed Jan 16 06:43:00 EST 2013


Guys,

I was trying to send a large Webtype ACL from ASA5.3 to ASA8.4. To do that, I use the Cisco AV Pairs. This is configured under Policy Elements->Authorization and Permissions->Network Access->Authorization Profiles. Each Cisco AV Pair sent has the format “webvpn:inacl#nnn=permit xxxx”.

Now my problem: the amount of ACL entries is so large that it goes beyond the maximum packet size for Radius (RFC2865), which is 4096 bytes. Cisco says that ACS5.x doesn’t support the fragmentation of these radius packets. It seems it supports the fragmentation of the Radius packets used to send the IP ACLs (Policy Elements->Authorization and Permissions->Named Permission Objects->Downloadable ACLs).

Has anyone run into the same problem? The only workaround I see is via the configuration of the Webtype ACL on the ASA, but I want to avoid it.

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt

http://www.ccie18473.net/
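To see why a large Webtype ACL overflows a single RADIUS packet, here is an added example (not part of the original post or of any Cisco software) that encodes each "webvpn:inacl#nnn=..." string as an RFC 2865 Vendor-Specific attribute and adds up the Access-Accept size. It assumes the standard RFC 2865 framing (20-byte header, 4096-byte packet, one-byte attribute length) and the Cisco VSA layout (Vendor-Id 9, Vendor-Type 1 for cisco-avpair); the ACL entries are constructed sample data.

```python
# Added example: RADIUS packet budget check for Cisco AV-pair Webtype ACLs.
# Assumptions: RFC 2865 framing and the Cisco cisco-avpair VSA layout.

RADIUS_HEADER_LEN = 20        # Code, Identifier, Length, Authenticator
RADIUS_MAX_PACKET = 4096      # RFC 2865 maximum packet size
ATTR_MAX_LEN = 255            # Type + Length + Value, Length is one octet
VSA_OVERHEAD = 2 + 4 + 2      # Type/Length + Vendor-Id + Vendor-Type/Vendor-Length
VSA_MAX_STRING = ATTR_MAX_LEN - VSA_OVERHEAD   # 247 bytes of avpair text per VSA


def encode_cisco_avpair(text: str) -> bytes:
    """Encode one cisco-avpair string as a Vendor-Specific (type 26) attribute."""
    value = text.encode("ascii")
    if len(value) > VSA_MAX_STRING:
        raise ValueError(f"avpair too long for one VSA: {len(value)} > {VSA_MAX_STRING}")
    vendor_part = bytes([1, 2 + len(value)]) + value      # Vendor-Type 1, Vendor-Length
    body = (9).to_bytes(4, "big") + vendor_part           # Vendor-Id 9 (Cisco)
    return bytes([26, 2 + len(body)]) + body              # Type 26, attribute Length


def webtype_acl_avpairs(entries):
    """Turn ACE strings into the 'webvpn:inacl#nnn=<ace>' avpairs the post describes."""
    return [f"webvpn:inacl#{i}={ace}" for i, ace in enumerate(entries, start=1)]


def access_accept_size(avpairs):
    """Bytes needed for an Access-Accept carrying only these VSAs."""
    return RADIUS_HEADER_LEN + sum(len(encode_cisco_avpair(a)) for a in avpairs)


def fits_in_one_packet(avpairs):
    return access_accept_size(avpairs) <= RADIUS_MAX_PACKET


def max_entries_that_fit(entries):
    """Largest prefix of entries whose avpairs still fit in one 4096-byte packet."""
    total = RADIUS_HEADER_LEN
    for i, avpair in enumerate(webtype_acl_avpairs(entries)):
        total += len(encode_cisco_avpair(avpair))
        if total > RADIUS_MAX_PACKET:
            return i
    return len(entries)


if __name__ == "__main__":
    # Constructed sample ACL: 100 identical entries (hypothetical hostname).
    sample = ["permit url https://x/*"] * 100
    pairs = webtype_acl_avpairs(sample)
    print(access_accept_size(pairs), "bytes;", "fits" if fits_in_one_packet(pairs) else "too large")
    print("entries that fit in one packet:", max_entries_that_fit(sample))
```

Because the "webvpn:inacl#nnn=" prefix and 8 bytes of VSA framing are repeated per entry, even short ACEs exhaust the 4096-byte budget after fewer than a hundred lines.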
