[c-nsp] passing ACL via radius - AAA Unsupported Attr

Per Carlson pelle at hemmop.com
Fri Sep 3 04:36:03 EDT 2010


Hi.

> I'm looking for a way to pass ACLs via radius.

To begin with, why are you sending the VRF-info 3 times, in two different ways?

> 126083: Sep  2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  55
> 126084: Sep  2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   49
> "lcp:interface-config#1=ip vrf forwarding TestCo"

> 126087: Sep  2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  24
> 126088: Sep  2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   18
> "ip:vrf-id=TestCo"

> 126089: Sep  2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  24
> 126090: Sep  2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   18
> "ip:vrf-id=TestCo"

It will suffice with one of those, and the last one
(ip:vrf-id=<vrfname>) is preferred (as far as I can recall).


> The docs seem to imply that is supported but I cannot
> figure out which permutation of radius attributes to send.

Are you referring to the RADIUS doc
(http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_rad_ov_ietf_attr_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1055985
[0])?

The doc for attribute 11 states: "For Framed service, use %d or %d.out
as interface output access list, and %d.in for input access list. The
numbers are self-encoding to the protocol to which they refer.". I
would *assume* this requires a numbered ACL, not a named one.

If changing to a numbered one doesn't work, you can change from
Filter-ID's to VSAs instead. To send an ACL "in the Cisco way", use
"ip:inacl=n" (or ip:outacl=n) where n is the ACL number, OR
"lcp:interface-config#2=ip access-group <name|number> <in|out>". All
these are to be found in the TACACS+ Config Guide
(http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_tacacs_attr_vp_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1054081
[1]), but it will also work with RADIUS.

[0] http://bit.ly/cyKIsW
[1] http://bit.ly/9FALMO

-- 
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.
