Hi Kings,
As per my understanding, TACACS separates Authentication from Authorization
while RADIUS combines them together in one process or phase and that's why you
are getting this error.
What you need to do is:
- configure a downloadable access list
- assign that downloadable access-list to a user
- type the following command
access-group outin in interface Outside per-user-override
The per-user-override keyword allows dynamic access lists that are
downloaded for user authorization to override the access list assigned to
the interface.
So these commands will be enough:
aaa authentication match mine inside mine
no aaa authorization match mine inside mine
HTH
Regards,
Mohammed Gazzaz
Date: Thu, 8 Oct 2009 18:57:48 +0530
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] Cut-through proxy doesn't support radius
authorization for downloadable ACLs
Hi all
I am trying to configure Radius downloadable ACLs with cut-through proxy. The
ASA is not allowing me to associate the Radius AAA group to the authorization
method list.
primary(config)# aaa authorization match mine inside mine
Authorization is not supported in RADIUS
primary(config)# aaa authorization include any inside 0 0 0 0 mine
Warning: The keyword 'any' will be converted to 'tcp/0' in config.
Authorization is not supported in RADIUS
But, I tried a workaround where first I configured the AAA group with TACACS
and then associated the group to the method list. After that I converted the
TACACS group to radius and then I was able to download the ACLs from ACS?
With regards
Kings