Replacing Cisco ACS with Free RADIUS
Bjørn Mork
bjorn at mork.no
Wed Sep 14 14:02:43 CEST 2011
"Sallee, Stephen (Jake)" <Jake.Sallee at umhb.edu> writes:
> So! I am trying to replicate the Downloadable IP ACL function that we
> love so much in ACS, into Free RADIUS. It seems that this is done
> through the Cisco AV Pair radius attribute. If anyone has experience
> in this please drop me a line using my included contact info, if we
> move into production with it I will post back to the list for
> posterity what we did to get it to work.
I have absolutely no idea what Cisco ACS is doing, but this is how you
normally send an IP ACL from FreeRADIUS to an IOS device:
Cisco-AVPair += "ip:inacl#1=permit tcp any any eq 80",
Cisco-AVPair += "ip:inacl#2=deny ip any any"
It's a bit strange since they wrap tacacs+ attributes inside one RADIUS
VSA (Cisco-AVPair), but once you get that, it sort of makes sense.
Bjørn
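As an added illustration (not part of the original post, and not FreeRADIUS or Cisco code), the following Python script shows what the two `Cisco-AVPair += "ip:inacl#..."` reply items above become on the wire: each one is a separate RFC 2865 Vendor-Specific attribute (type 26) carrying Cisco's vendor id 9 and vendor sub-type 1, which is `Cisco-AVPair` in FreeRADIUS's `dictionary.cisco`. The sample ACL lines are the two from the reply; the helper names and the 255-byte limit handling are this example's own choices. It encodes, decodes and checks the per-ACE `ip:inacl#<seq>=<ace>` syntax, which is useful when verifying a packet capture of an Access-Accept against what the `users` file is supposed to send.

```python
import re
import struct

RADIUS_VSA_TYPE = 26       # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR_SUBTYPE = 1   # Cisco-AVPair sub-type in FreeRADIUS's dictionary.cisco

# Constructed sample input: the downloadable ACL lines from the reply, one VSA each
INACL_LINES = [
    "ip:inacl#1=permit tcp any any eq 80",
    "ip:inacl#2=deny ip any any",
]

_INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def parse_inacl(value):
    """Split 'ip:inacl#<seq>=<ace>' into (seq, ace); None if it is not an inacl line."""
    m = _INACL_RE.match(value)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def encode_cisco_avpair(value):
    """Encode one Cisco-AVPair string as a complete RADIUS attribute 26 (VSA)."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)        # vendor type + vendor length + string
    total_len = 2 + 4 + vendor_len    # outer type + outer length + vendor id + vendor body
    if total_len > 255:
        # A RADIUS attribute length is one byte; longer values need another attribute.
        raise ValueError("Cisco-AVPair value too long for one attribute")
    return (struct.pack("!BBI", RADIUS_VSA_TYPE, total_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, vendor_len)
            + data)


def encode_inacl(lines):
    """Concatenate the VSAs as they would sit in an Access-Accept attribute list."""
    for line in lines:
        if parse_inacl(line) is None:
            raise ValueError("not an ip:inacl line: %r" % line)
    return b"".join(encode_cisco_avpair(line) for line in lines)


def decode_cisco_avpairs(blob):
    """Walk a RADIUS attribute list and return the Cisco-AVPair strings in order."""
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + alen]
        i += alen
        if atype != RADIUS_VSA_TYPE or len(body) < 6:
            continue                      # not a VSA, or too short to hold a vendor id
        (vendor_id,) = struct.unpack("!I", body[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(body):         # a VSA may carry several vendor sub-attributes
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR_SUBTYPE:
                out.append(body[j + 2:j + vlen].decode("ascii"))
            j += vlen
    return out


if __name__ == "__main__":
    wire = encode_inacl(INACL_LINES)
    print(wire.hex())
    for seq, ace in (parse_inacl(v) for v in decode_cisco_avpairs(wire)):
        print("inacl#%d: %s" % (seq, ace))
```

FreeRADIUS performs this encoding itself from the `users` reply items, so the script is only for reading what the NAS actually receives; the order of the `ip:inacl#N` entries matters to IOS, which is why the sequence number is parsed out rather than relying on attribute order alone.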