[c-nsp] passing ACL via radius - AAA Unsupported Attr

Chris Hunt dharmaChris at gmail.com
Fri Sep 3 09:12:17 EDT 2010


On 9/3/2010 1:36 AM, Per Carlson wrote:
> Hi.
>
>> I'm looking for a way to pass ACLs via radius.
> To begin with, why are you sending the VRF-info 3 times, in two different ways?
>
Because I've been experimenting and haven't cleaned up yet.  I didn't
think it would be relevant...
>> 126083: Sep  2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  55
>> 126084: Sep  2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   49
>> "lcp:interface-config#1=ip vrf forwarding TestCo"
>> 126087: Sep  2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  24
>> 126088: Sep  2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   18
>> "ip:vrf-id=TestCo"
>> 126089: Sep  2 16:32:10 PDT: RADIUS:  Vendor, Cisco       [26]  24
>> 126090: Sep  2 16:32:10 PDT: RADIUS:   Cisco AVpair       [1]   18
>> "ip:vrf-id=TestCo"
> It will suffice with one of those, and the last one
> (ip:vrf-id=<vrfname>) is preferred (as far as I can recall).
>
>
I'll check into that, thanks.
>> The docs seem to imply that is supported but I cannot
>> figure out which permutation of radius attributes to send.
> Are you referring to the RADIUS doc
> (http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_rad_ov_ietf_attr_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1055985
> [0])?
>
yes, or
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_rad_ov_ietf_attr.html

> The doc for attribute 11 states: "For Framed service, use %d or %d.out
> as interface output access list, and %d.in for input access list. The
> numbers are self-encoding to the protocol to which they refer.". I
> would *assume* this requires a numbered ACL, not a named one.
I have not tried that and I will.  I was working from the example at
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftacldir.html.

> If changing to a numbered one doesn't work, you can change from
> Filter-IDs to VSAs instead. To send an ACL "in the Cisco way", use
> "ip:inacl=n" (or ip:outacl=n) where n is the ACL number,
I'm sorry.  I should have mentioned that I've tried that, but with no
success.
> OR
> "lcp:interface-config#2=ip access-group <name|number> <in|out>". 
I have also tried this method with no success.  This is the method I use
for sending the policy-map, which does work.

> All
> these are to be found in the TACACS+ Config Guide
> (http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_tacacs_attr_vp_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1054081
> [1]), but it will also work with RADIUS.
>
> [0] http://bit.ly/cyKIsW
> [1] http://bit.ly/9FALMO
>
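Added example, not part of this thread or of any Cisco or RADIUS server code: a small Python encoder/decoder for the two attribute layouts discussed above, the IETF Filter-Id (attribute 11, e.g. "101.in") and the Cisco AVpair carried in Vendor-Specific (attribute 26, vendor id 9, sub-type 1). It reproduces the lengths visible in the quoted debug output (55/49 for the lcp:interface-config pair, 24/18 for ip:vrf-id) and rejects malformed lengths rather than walking off the end of a packet. The column spacing of the rendered debug lines is an assumption; IOS pads them differently.

```python
import struct

ATTR_FILTER_ID = 11        # IETF Filter-Id, e.g. "101.in" / "101.out"
ATTR_VENDOR_SPECIFIC = 26  # IETF Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # Cisco VSA sub-type "cisco-avpair"

def encode_filter_id(name: str) -> bytes:
    """Attribute 11: Type, Length (header included), text."""
    text = name.encode("ascii")
    return struct.pack("!BB", ATTR_FILTER_ID, 2 + len(text)) + text

def encode_cisco_avpair(avpair: str) -> bytes:
    """Attribute 26 wrapping one cisco-avpair: outer TLV, 4-byte vendor id, inner TLV."""
    text = avpair.encode("ascii")
    if len(text) > 245:  # an attribute is at most 253 bytes; 8 go to the two headers and vendor id
        raise ValueError("avpair too long for a single RADIUS attribute")
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def decode(attrs: bytes) -> list:
    """Walk a concatenated attribute list into (type, length, vendor, sub_type, sub_length,
    text) tuples; vendor fields are None for IETF attributes.  Bad lengths raise, never loop."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"malformed attribute at offset {i}")
        atype, alen = attrs[i], attrs[i + 1]
        data, i = attrs[i + 2:i + alen], i + alen
        if atype != ATTR_VENDOR_SPECIFIC:
            out.append((atype, alen, None, None, None, data.decode("ascii", "replace")))
            continue
        # Assumes one sub-attribute per VSA, which is how IOS packs cisco-avpair.
        if len(data) < 6 or data[5] != len(data) - 4:
            raise ValueError(f"malformed Cisco VSA at offset {i - alen}")
        vendor, sub_type, sub_len = struct.unpack("!I", data[:4])[0], data[4], data[5]
        out.append((atype, alen, vendor, sub_type, sub_len, data[6:].decode("ascii", "replace")))
    return out

def debug_lines(attrs: bytes) -> list:
    """Render attributes the way the 'debug radius' output quoted above prints them (spacing aside)."""
    lines = []
    for atype, alen, vendor, sub_type, sub_len, text in decode(attrs):
        if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
            lines += [f"Vendor, Cisco [{atype}] {alen}", f'Cisco AVpair [{sub_type}] {sub_len} "{text}"']
        else:
            lines.append(f'Attribute [{atype}] {alen} "{text}"')
    return lines
```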