
tac_plus-ng: RADIUS Downloadable ACLs for Cisco Devices

Marc Huber edited this page May 18, 2025 · 6 revisions

Downloadable RADIUS ACLs are now supported, as a fresh-and-not-so-well-tested feature.

Downloadable ACL sample definition:

    dacl demoacl {
        # prefix = "ip:inacl" # This is the default.
        # version = 12345678  # Optional; see the explanation of the version number below.
        data = "
            deny ip host 10.0.0.0 any
            permit ip any any
        "
    }

In a user profile context, you can then set

    set radius[Cisco:Cisco-AVPair] = "ACS:CiscoSecure-Defined-ACL=${dacl:demoacl}"

which will instruct the device to query for that ACL via RADIUS.

The device will see the demoacl portion as something like #ACSACL#demoacl-12345678, where 12345678 is either the manually set version number (version = 12345678) or the first 4 bytes of the MD5 checksum of the ACL data, in hex.

MAVIS support is there, too. One of the demo scripts (mavis_tacplus-ng-demo-database.pl) shows how to handle that.

Tested with a Cisco ASA; it seemed to meet expectations.

No syntax checking is done for the data argument. If you get that wrong, the device will likely reject the connection.
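The following is an added example, not code from tac_plus-ng, that models the ACL naming described above (manual version or first 4 bytes of the MD5 hex digest) together with a minimal sanity check for the data argument, since the server itself does none. How tac_plus-ng normalizes whitespace before hashing, and the `lint_acl` rule, are assumptions of this example.

```python
import hashlib
import re

# Constructed from the page's sample dacl definition.
DEMO_ACL_DATA = """
    deny ip host 10.0.0.0 any
    permit ip any any
"""

# Hypothetical minimal rule: every ACE must start with permit or deny.
ACL_LINE = re.compile(r"^(permit|deny)\s+\S+")


def normalize(data):
    """Strip indentation and blank lines (assumed normalization before hashing)."""
    return "\n".join(l.strip() for l in data.splitlines() if l.strip())


def acl_version(data, version=None):
    """A manually set version wins; otherwise the first 4 MD5 bytes as 8 hex chars."""
    if version is not None:
        return str(version)
    return hashlib.md5(normalize(data).encode()).hexdigest()[:8]


def acl_name(name, data, version=None):
    """The name the device requests via RADIUS, e.g. #ACSACL#demoacl-12345678."""
    return f"#ACSACL#{name}-{acl_version(data, version)}"


def cisco_avpair(name, data, version=None):
    """The Cisco-AVPair value the user profile sets in the Access-Accept."""
    return f"ACS:CiscoSecure-Defined-ACL={acl_name(name, data, version)}"


def lint_acl(data):
    """Return lines that fail the minimal check; the device would reject these."""
    return [l for l in normalize(data).splitlines() if not ACL_LINE.match(l)]


def resolve_request(requested, table):
    """Server side of the download: map the requested #ACSACL# name to ACL text."""
    return table.get(requested)


if __name__ == "__main__":
    table = {acl_name("demoacl", DEMO_ACL_DATA): normalize(DEMO_ACL_DATA)}
    print(cisco_avpair("demoacl", DEMO_ACL_DATA))
    print(resolve_request(acl_name("demoacl", DEMO_ACL_DATA), table))
    print(lint_acl("permit ip any any\ndeney ip any any"))
```

Note that a typo such as `deney` changes the MD5-derived version as well, so a device caching the previous ACL will fetch the broken one rather than keep the old copy.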
