First off, yes the ASA supports some attributes other than VPN3000/ASA/Pix7.x.
ACS sends ip:inacl=xxxx to the ASA as part of the Downloadable ACLs feature, and you can see that with a debug radius all.

    ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
    ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log

However, there are other things that you can do with cisco-av-pair and an ASA. For example, you can use it for webvpn ACLs using the following syntax:

    webvpn:inacl#1=permit url http://www.website.com
    webvpn:inacl#2=deny smtp any host 10.1.3.5
    webvpn:inacl#3=permit url cifs://mar_server/peopleshare1

Also, I did find a document that made the statement:

    Downloadable IP ACLs are an alternative to the configuration of ACLs in the RADIUS Cisco cisco-av-pair attribute [26/9/1] of each user or user group. You can create a downloadable IP ACL once, give it a name, and then assign the downloadable IP ACL to each applicable user or user group if you reference its name. This method is more efficient than if you configure the RADIUS Cisco cisco-av-pair attribute for each user or user group.

So, yes, cisco-av-pair attribute [26/9/1] is valid, but maybe not for what you are trying to accomplish. Take a look at the following post in the Cisco Support forums; I think the second section will provide an alternative.

https://supportforums.cisco.com/docs/DOC-2947;jsessionid=58F92B59A622DF8B7519B2AFFE9E5CD4.node0

To my knowledge there is no "one-stop shop" with all the supported attributes for ASA (not at the moment anyhow).

I hope this helps.

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert

On Mar 30, 2010, at 9:08 PM, Dnyaneshwar Gore wrote:

> Hi,
>
> Does ASA with 8.0 OS support radius attributes other than VPN3000/ASA/Pix7.x
> VSA? I tried to configure cisco AV pair (attribute 26 - cisco id 9 - type -1)
> for privilege level but ASA does not accept that.
>
> From where I can get supported radius attribute list?
>
> Regards,
> DMG
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
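An added example, not part of the original thread or of any Cisco tooling: a Python helper that takes cisco-av-pair strings, as they might be copied from debug radius all output, rebuilds the per-namespace ACLs in sequence order, and flags entries an auditor would want to look at. It assumes the number after # is the entry's position in the ACL; the function name, the shuffled sample list, the duplicate entry and the shell:priv-lvl pair are constructed for illustration.

```python
import re
from collections import defaultdict

# Per-entry form shown in the thread: <namespace>:inacl#<seq>=<rule>
INACL_RE = re.compile(r"^(?P<ns>[a-z0-9-]+):inacl#(?P<seq>\d+)=(?P<rule>.+)$", re.I)

def build_acls(av_pairs):
    """Group inacl AV pairs by namespace (ip, webvpn) and order each ACL by
    its sequence number. Returns (acls, problems)."""
    entries = defaultdict(dict)
    problems = []
    for raw in av_pairs:
        m = INACL_RE.match(raw.strip())
        if not m:
            problems.append(("not-inacl", raw))       # some other AV pair
            continue
        ns, seq, rule = m["ns"].lower(), int(m["seq"]), m["rule"].strip()
        if rule.split()[0].lower() not in ("permit", "deny"):
            problems.append(("bad-action", raw))      # rule must start with an action
        elif seq in entries[ns]:
            problems.append(("duplicate-seq", raw))   # two rules claim one slot
        else:
            entries[ns][seq] = rule
    # ACLs are first-match, so the order attributes arrived in must not matter.
    acls = {ns: [rule for _, rule in sorted(e.items())] for ns, e in entries.items()}
    return acls, problems

# Constructed sample: the thread's five entries in shuffled order, plus two
# constructed lines that exercise the problem checks.
SAMPLE = [
    "ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log",
    "webvpn:inacl#3=permit url cifs://mar_server/peopleshare1",
    "ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log",
    "webvpn:inacl#1=permit url http://www.website.com",
    "webvpn:inacl#2=deny smtp any host 10.1.3.5",
    "ip:inacl#2=permit ip any any",   # constructed: duplicate sequence number
    "shell:priv-lvl=15",              # constructed: not an inacl entry
]

if __name__ == "__main__":
    acls, problems = build_acls(SAMPLE)
    for ns, rules in sorted(acls.items()):
        for i, rule in enumerate(rules, 1):
            print(f"{ns} #{i}: {rule}")
    for kind, raw in problems:
        print(f"CHECK {kind}: {raw}")
```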
