Can I Specify an Existing ACL using a Radius AV Pair?

Question

I am able to specify access-lists for VPN users on my IAS radius server using avpairs like:

Cisco-AVpair = "ip:outacl[#number]={standard-access-control-list | 
extended-access-control-list}"

So for example:

ip:inacl#101=deny tcp 192.168.1.0 0.0.0.255 any eq 21

Instead of specifying each line of the ACL, is there a directive that will let me specify that it should use an extended access list that exists in the IOS config?

score 3 · Accepted Answer · answered Nov 25 '09 at 12:58

3

The syntax is:

ip:inacl=<aclnumber>

So for example:

ip:inacl=101

From what I can tell, extended ACLs work, but named ACLs do not work.

answered Nov 25 '09 at 12:58

Kyle Brandt

83,619
74
305
448

score 1 · Answer 2 · answered Jan 11 '10 at 23:57

1

I believe you want the filter-id attribute. See http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#new for details.

answered Jan 11 '10 at 23:57

I've found that I can either use filter-id or cisco AV pairs, but not both. At least on the ASA series. Don't know about switches. – Brain2000 Mar 31 '21 at 18:19

Can I Specify an Existing ACL using a Radius AV Pair?

2 Answers2