Hi Tyson

The debug that I pasted earlier also contains the Filter-Id (AV 11), which is highlighted in green.

The VSA should be entered as "protocol : attribute sep value", so I tried using "ip:Filter-Id=123.in" as it is an IP access-list. Is "ip" the correct protocol for the Filter-Id AV? I even tried using just "Filter-Id=123.in", but that didn't work either.

In the following link, it is stated that Filter-Id can't be used as a VSA.

http://www.gossamer-threads.com/lists/cisco/nsp/6857

1d01h: RADIUS: Vendor, Cisco [26] 27
1d01h: RADIUS: Cisco AVpair [1] 21 "ip:Filter-Id=123.in"
1d01h: RADIUS: Filter-Id [11] 8
1d01h: RADIUS: 31 32 33 2E 69 6E [ 123.in]
1d01h: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
1d01h: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
1d01h: RADIUS: Tunnel-Private-Group[81] 4 01:"2"
1d01h: RADIUS: Class [25] 28
1d01h: RADIUS: 43 41 43 53 3A 30 2F 38 61 32 66 64 2F 61 34 64 [CACS:0/8a2fd/ a4d]
1d01h: RADIUS: 61 35 64 33 2F 35 30 31 30 36 [ a5d3/50106]
1d01h: RADIUS: Message-Authenticato[80] 18
1d01h: RADIUS: B3 86 EF C7 56 45 11 20 B5 AC 4E C7 74 0B 4E 2E [ VE NtN.]
1d01h: RADIUS(0000002A): Received from id 1645/88
1d01h: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
1d01h: RADIUS/DECODE: parse unknown cisco vsa "Filter-Id" - IGNORE

With regards
Kings

On Thu, Jul 7, 2011 at 12:18 AM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> Can you show the debug output with it working with IETF? That will guide
> you towards the format for the Cisco AV-PAIR Configuration.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia.
> Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Wednesday, July 06, 2011 10:29 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] FIlter-Id as VSA
>
> Hi all
>
> I am trying to push Filter-Id using VSA but it fails. The same works fine
> with IETF attribute 11. Is the protocol "ip", the correct value for
> "Filter-Id"?
>
> 1d01h: RADIUS: Vendor, Cisco [26] 27
> 1d01h: RADIUS: Cisco AVpair [1] 21 "ip:Filter-Id=123.in"
> 1d01h: RADIUS: Filter-Id [11] 8
> 1d01h: RADIUS: 31 32 33 2E 69 6E [ 123.in]
> 1d01h: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
> 1d01h: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
> 1d01h: RADIUS: Tunnel-Private-Group[81] 4 01:"2"
> 1d01h: RADIUS: Class [25] 28
> 1d01h: RADIUS: 43 41 43 53 3A 30 2F 38 61 32 66 64 2F 61 34 64 [CACS:0/8a2fd/ a4d]
> 1d01h: RADIUS: 61 35 64 33 2F 35 30 31 30 36 [ a5d3/50106]
> 1d01h: RADIUS: Message-Authenticato[80] 18
> 1d01h: RADIUS: B3 86 EF C7 56 45 11 20 B5 AC 4E C7 74 0B 4E 2E [ VE NtN.]
> 1d01h: RADIUS(0000002A): Received from id 1645/88
> 1d01h: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
> 1d01h: RADIUS/DECODE: parse unknown cisco vsa "Filter-Id" - IGNORE
>
> With regards
> Kings
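
Added example (not part of the original thread and not Cisco code): a small RFC 2865 attribute decoder run over a constructed byte string holding the first two attributes from the debug. It shows how the lengths 27/21 and 8 arise when Filter-Id is carried inside a Cisco AVpair (vendor 9, vendor type 1) versus as IETF attribute 11. Function names are assumptions made for illustration.

```python
import struct

CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
FILTER_ID = 11         # RFC 2865 Filter-Id
CISCO_AVPAIR = 1       # Cisco vendor type 1 (cisco-avpair)


def encode_attr(attr_type, value):
    """Type, length, value; the length octet counts the 2 header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def encode_cisco_avpair(text):
    """Wrap an AV pair string as vendor type 1 inside attribute 26."""
    sub = encode_attr(CISCO_AVPAIR, text.encode("ascii"))
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def decode_attrs(buf):
    """Return [(type, length, value)], rejecting inconsistent lengths."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        out.append((attr_type, length, buf[pos + 2:pos + length]))
        pos += length
    return out


def describe(buf):
    """Flatten attributes into (kind, vendor, type, length, sub_length, text)."""
    rows = []
    for attr_type, length, value in decode_attrs(buf):
        if attr_type == VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            for sub_type, sub_len, sub_val in decode_attrs(value[4:]):
                rows.append(("vsa", vendor, sub_type, length, sub_len,
                             sub_val.decode("ascii", "replace")))
        else:
            rows.append(("ietf", None, attr_type, length, None,
                         value.decode("ascii", "replace")))
    return rows


# Constructed sample: the two attributes shown at the top of the debug.
SAMPLE = encode_cisco_avpair("ip:Filter-Id=123.in") + encode_attr(FILTER_ID, b"123.in")

if __name__ == "__main__":
    for row in describe(SAMPLE):
        print(row)
```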
