[cisco-nas] Cisco per-user ACL mapping back to Virtual User that initiated them
Doug McIntyre
merlyn at geeks.org
Fri Apr 15 11:52:46 EDT 2016
We've been doing per-user ACL from RADIUS for some time.
In the old days on 12.x code, when we went looking for them on the
BRAS router, we could find something like:
# show ip access-list
Extended IP access list Virtual-Access143#358961
10 permit tcp any any established (1323860 matches)
20 deny udp any any eq 1900 (100 matches)
30 deny udp any any eq tftp (32 matches)
30 deny udp any any eq 5353 (800 matches)
...
But now on 15.2S code, when we go looking, they look more like:
Extended IP access list subscriber_feature#132540008856 (per-user)
10 permit tcp any any established (1323860 matches)
20 deny udp any any eq 1900 (100 matches)
30 deny udp any any eq tftp (32 matches)
30 deny udp any any eq 5353 (800 matches)
...
The first one lists the Virtual-Access interface the subscriber
that triggered it has, and we can go look to find that Virtual-Access user.
But the 2nd one has a much more random-looking number that I don't
know how to translate back to which user triggered it.
Doing a
show running-config interface Virtual-Access 143
doesn't list any ACLs, even though I know that the currently logged-in
user has a per-user ACL that was triggered on login.
Is there a way to configure the BRAS so that the old way of listing
ACLs can still be done? Or, is there some magic on the BRAS that can
map the string subscriber_feature#132540008856 back to which user triggered
this per-user ACL to be generated?
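As an added example (not from the post or from Cisco), here is a small Python parser for `show ip access-list` output that picks out the per-user ACLs and recovers the Virtual-Access interface from the 12.x-style name; the sample output is constructed from the two name styles shown above, and the 15.2S-style `subscriber_feature#...` name yields no interface, which is exactly the gap the question describes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of `show ip access-list` output: one 12.x-style per-user
# ACL, one 15.2S-style per-user ACL and one ordinary named ACL for contrast.
SAMPLE_OUTPUT = """\
Extended IP access list Virtual-Access143#358961
    10 permit tcp any any established (1323860 matches)
    20 deny udp any any eq 1900 (100 matches)
Extended IP access list subscriber_feature#132540008856 (per-user)
    10 permit tcp any any established (1323860 matches)
    20 deny udp any any eq 1900 (100 matches)
Extended IP access list MGMT-IN
    10 permit ip 10.0.0.0 0.255.255.255 any
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\S+)(?: \((per-user)\))?$")
ACE_LINE = re.compile(r"^\s*(\d+) (.+?)(?: \((\d+) matches\))?$")


@dataclass
class PerUserAcl:
    name: str
    interface: Optional[str]  # Virtual-Access interface if the ACL name carries one
    entries: List[Tuple[int, str, int]] = field(default_factory=list)  # (seq, ace, hits)


def interface_from_name(name: str) -> Optional[str]:
    """12.x names look like Virtual-Access143#358961 -> 'Virtual-Access143'.
    15.2S names (subscriber_feature#<id>) carry no interface, so return None."""
    m = re.match(r"^(Virtual-Access\d+)#\d+$", name)
    return m.group(1) if m else None


def parse_per_user_acls(text: str) -> List[PerUserAcl]:
    acls: List[PerUserAcl] = []
    current: Optional[PerUserAcl] = None
    for line in text.splitlines():
        h = ACL_HEADER.match(line)
        if h:
            name, flag = h.groups()
            iface = interface_from_name(name)
            # Per-user ACLs are either flagged "(per-user)" or named after a Virtual-Access interface.
            current = PerUserAcl(name, iface) if (flag or iface) else None
            if current:
                acls.append(current)
            continue
        e = ACE_LINE.match(line)
        if e and current is not None:
            seq, ace, hits = e.groups()
            current.entries.append((int(seq), ace, int(hits or 0)))
    return acls
```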