[c-nsp] ACS 5.x and ASA - Webtype ACL

Andre Christian andre.christian at o3bnetworks.com
Wed Jan 16 07:55:54 EST 2013


Unfortunately I have another call.

Sent from my iPad

On Jan 16, 2013, at 6:46 AM, "Antonio Soares" <amsoares at netcabo.pt> wrote:

> Guys,
> 
> I was trying to send a large Webtype ACL from ASA5.3 to ASA8.4. To do that, I use the Cisco AV Pairs. This is configured under Policy Elements->Authorization and Permissions->Network Access->Authorization Profiles. Each Cisco AV Pair sent has the format “webvpn:inacl#nnn=permit xxxx”.
> 
> Now my problem: the amount of ACL entries is so large that it goes beyond the maximum packet size for Radius (RFC2865), which is 4096 bytes. Cisco says that ACS5.x doesn’t support the fragmentation of these radius packets. It seems it supports the fragmentation of the Radius packets used to send the IP ACLs (Policy Elements->Authorization and Permissions->Named Permission Objects->Downloadable ACLs).
> 
> Has anyone run into the same problem? The only workaround I see is via the configuration of the Webtype ACL on the ASA, but I want to avoid it.
> 
> Thanks.
> 
> Regards,
> 
> Antonio Soares, CCIE #18473 (R&S/SP)
> amsoares at netcabo.pt
> 
> http://www.ccie18473.net <http://www.ccie18473.net/> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
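The size problem described in the quoted message can be checked before a policy is pushed. The following is an added example (not code from the thread or from Cisco): it encodes each "webvpn:inacl#nnn=..." string as a Cisco vendor-specific attribute (RADIUS type 26, vendor ID 9, vendor-type 1 "cisco-avpair", 8 bytes of framing per pair), sums the Access-Accept size against the 4096-byte maximum of RFC 2865, and reports how many leading entries fit in one packet. The ACL rules used as input are constructed sample values, and the assumption is that the whole ACL has to arrive in a single Access-Accept, as the message states for ACS 5.x.

```python
import struct

RADIUS_MAX_PACKET = 4096          # RFC 2865 section 3: maximum RADIUS packet length
RADIUS_HEADER_LEN = 20            # code(1) + identifier(1) + length(2) + authenticator(16)
VSA_TYPE = 26                     # Vendor-Specific attribute
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_SUBTYPE = 1          # cisco-avpair
VSA_OVERHEAD = 8                  # type, length, vendor-id(4), vendor-type, vendor-length
MAX_AVPAIR_STRING = 255 - VSA_OVERHEAD   # attribute length is one byte, so 247 chars max


def webtype_avpairs(rules):
    """Number Webtype ACL rules as 'webvpn:inacl#nnn=<rule>' AV pair strings."""
    return [f"webvpn:inacl#{n}={rule}" for n, rule in enumerate(rules, start=1)]


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    if len(data) > MAX_AVPAIR_STRING:
        raise ValueError(f"AV pair too long for one attribute ({len(data)} > {MAX_AVPAIR_STRING})")
    vendor_len = 2 + len(data)            # vendor-type + vendor-length + string
    attr_len = 6 + vendor_len             # type + length + vendor-id + vendor payload
    header = struct.pack("!BBIBB", VSA_TYPE, attr_len, CISCO_VENDOR_ID,
                         CISCO_AVPAIR_SUBTYPE, vendor_len)
    return header + data


def access_accept_size(avpairs) -> int:
    """Size in bytes of an Access-Accept carrying only these AV pairs."""
    return RADIUS_HEADER_LEN + sum(len(encode_cisco_avpair(a)) for a in avpairs)


def fits_in_one_packet(avpairs) -> bool:
    return access_accept_size(avpairs) <= RADIUS_MAX_PACKET


def max_entries_that_fit(avpairs) -> int:
    """How many leading AV pairs fit before the 4096-byte limit is crossed."""
    size = RADIUS_HEADER_LEN
    for count, pair in enumerate(avpairs):
        size += len(encode_cisco_avpair(pair))
        if size > RADIUS_MAX_PACKET:
            return count
    return len(avpairs)


if __name__ == "__main__":
    # Constructed sample ACL: 100 identical permit rules (only the entry number differs).
    rules = ["permit url http://example.test/"] * 100
    pairs = webtype_avpairs(rules)
    print(f"entries: {len(pairs)}, Access-Accept size: {access_accept_size(pairs)} bytes")
    print(f"fits in one RADIUS packet: {fits_in_one_packet(pairs)}")
    print(f"entries that fit: {max_entries_that_fit(pairs)}")
```

Run this against the real rule list before committing the authorization profile; if `fits_in_one_packet` is false, the profile will not deliver the full ACL and the session will be authorized with a truncated or missing policy, which is the failure the message describes.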


