Re: 802.1x with ACL

From: Narbik Kocharians (narbikk@gmail.com)
Date: Tue Jan 27 2009 - 04:03:52 ARST


Go Tyson and knock them out

On Mon, Jan 26, 2009 at 6:54 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:

> Thanks Tyson and Sadiq,
>
> I found out the problem. As Tyson said:
>
> command : "radius-server vsa send authentication"
>
> Was missing, now it is working:
>
> Rack1SW2#sh ip access-lists
> Extended IP access list FastEthernet0/20#IP0 (per-user)
> 10 permit ip host 10.0.0.100 host 150.1.1.1
> 20 deny ip 10.0.0.0 0.0.0.255 150.1.0.0 0.0.255.255
> 30 permit ip any any
> Rack1SW2#
>
> Thanks a lot,
>
> Regards
>
> ----- Original Message ----- From: "Tyson Scott" <tscott@ipexpert.com>
> To: "'Edouard Zorrilla'" <ezorrilla@tsf.com.pe>; "'Sadiq Yakasai'"
> <sadiqtanko@gmail.com>
> Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
> Sent: Monday, January 26, 2009 7:36 PM
> Subject: RE: 802.1x with ACL
>
>
>
>> Have you included
>> radius-server vsa send authentication
>>
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> Telephone: +1.810.326.1444
>> Cell: +1.248.504.7309
>> Fax: +1.810.454.0130
>> Mailto: tscott@ipexpert.com
>>
>>
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Edouard Zorrilla
>> Sent: Monday, January 26, 2009 6:48 PM
>> To: Sadiq Yakasai
>> Cc: security@groupstudy.com; ccielab@groupstudy.com
>> Subject: Re: 802.1x with ACL
>>
>> Sir,
>>
>> I am able to do 802.1x with vlan assignment, but not with ACL assignment.
>> Do you know any link on Cisco web site with an example like that?
>>
>> Let me change the any inside cisco-av-pair and see what happens.
>>
>> Thanks
>>
>> Regards
>>
>> ----- Original Message -----
>> From: Sadiq Yakasai
>> To: Edouard Zorrilla
>> Cc: security@groupstudy.com ; ccielab@groupstudy.com
>> Sent: Monday, January 26, 2009 12:07 PM
>> Subject: Re: 802.1x with ACL
>>
>>
>> Hi there,
>>
>> Per-user ACLs work when the ACL is configured with the source as "any" on
>> ACS. The switch will replace this with the IP address of the device that
>> authenticates on the port. When you do a debug or show on the port, I bet
>> you would see authorization failure and not authentication failure.
>>
>>
>> <show dot1x authe f0/20 detail> should give us a very good view of what's
>> happening here.
>>
>> [009\001] cisco-av-pair {check}
>> ip:inacl#1=deny ip any 150.1.0.0 0.0.255.255
>> ip:inacl#2=permit ip any any.
>>
>> Let us know how you get on please.
>>
>> HTH,
>> Sadiq
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>

-- 
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com
www.Net-Workbooks.com
Sr. Technical Instructor
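The two failure modes discussed in this thread are a malformed per-user ACL in the RADIUS reply (source not "any", bad inacl# numbering, stray punctuation) and the switch silently not applying it because authorization, not authentication, failed. The following checker is an added example, not code from the thread, Cisco or ACS: it lints a set of ip:inacl# av-pairs and then compares "show ip access-lists" output against what was sent. It assumes the per-user ACL is named "<port>#IP0" as in Edouard's output, and, following Sadiq's description, that a source of "any" comes back as "host <client IP>". The av-pairs and switch output below are constructed sample input.

```python
"""Lint 802.1x per-user ACL av-pairs and verify what the switch applied."""
import re

AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.*)$")
SHOW_HDR_RE = re.compile(r"^Extended IP access list (\S+)( \(per-user\))?$")
SHOW_ACE_RE = re.compile(r"^(\d+) (permit|deny) (.+?)(?: \(\d+ matches?\))?$")


def _parse_addr(tokens, i):
    """Return ((addr, wildcard), next_index) for 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if i + 1 >= len(tokens):
        raise ValueError("truncated address in %r" % " ".join(tokens))
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(text):
    """Split 'deny ip any 150.1.0.0 0.0.255.255' into its fields."""
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError("not an IPv4 ACE: %r" % text)
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst,
            "rest": tokens[i:]}  # ports, 'log', etc. are kept but not checked


def parse_avpairs(lines):
    """Parse 'ip:inacl#N=<ace>' attributes into [(N, ace_dict), ...]."""
    out = []
    for line in lines:
        m = AVPAIR_RE.match(line.strip())
        if not m:
            raise ValueError("not an ip:inacl av-pair: %r" % line)
        out.append((int(m.group(1)), parse_ace(m.group(2))))
    return out


def lint_avpairs(lines):
    """Return a list of problems; an empty list means the attributes look sane."""
    problems, cleaned = [], []
    for line in lines:
        line = line.strip()
        if line.endswith("."):  # a stray full stop is not ACL syntax
            problems.append("%r: trailing '.' is not part of the ACE" % line)
            line = line[:-1]
        cleaned.append(line)
    entries = parse_avpairs(cleaned)
    indexes = [n for n, _ in entries]
    if indexes != list(range(1, len(indexes) + 1)):
        problems.append("inacl# indexes %s are not 1..N in order" % indexes)
    for n, ace in entries:
        if ace["src"][0] != "any":  # the thread's point: the source must be 'any'
            problems.append("inacl#%d: source %s is not 'any'; the switch fills "
                            "in the authenticated host itself" % (n, ace["src"][0]))
    last = entries[-1][1] if entries else None
    if last is None or (last["action"], last["src"][0], last["dst"][0]) != ("permit", "any", "any"):
        problems.append("no final 'permit ip any any': other traffic hits the implicit deny")
    return problems


def parse_show_access_lists(text):
    """Parse 'show ip access-lists' output into {name: {per_user, entries}}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SHOW_HDR_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = {"per_user": m.group(2) is not None, "entries": []}
            continue
        m = SHOW_ACE_RE.match(line)
        if m and current is not None:
            ace = parse_ace(m.group(2) + " " + m.group(3))
            acls[current]["entries"].append((int(m.group(1)), ace))
    return acls


def check_applied(avpair_lines, show_text, port, host_ip):
    """Compare what RADIUS sent with what the switch applied on `port`.

    Returns (acl_name, mismatches). Assumption from the thread: an ACE sent
    with source 'any' comes back with 'host <host_ip>' as its source.
    """
    acls = parse_show_access_lists(show_text)
    name = next((n for n, a in acls.items()
                 if a["per_user"] and n.startswith(port + "#")), None)
    if name is None:
        return None, ["no per-user ACL on %s: look for an authorization "
                      "failure rather than an authentication failure" % port]
    sent = [ace for _, ace in parse_avpairs(avpair_lines)]
    applied = [ace for _, ace in acls[name]["entries"]]
    mismatches = []
    if len(sent) != len(applied):
        mismatches.append("sent %d ACEs, switch applied %d" % (len(sent), len(applied)))
    for n, (s, a) in enumerate(zip(sent, applied), 1):
        want_src = (host_ip, "0.0.0.0") if s["src"][0] == "any" else s["src"]
        want = (s["action"], s["proto"], want_src, s["dst"])
        got = (a["action"], a["proto"], a["src"], a["dst"])
        if want != got:
            mismatches.append("entry %d: expected %s, switch has %s" % (n, want, got))
    return name, mismatches


# Constructed sample input: the av-pairs suggested in the thread (without the
# stray full stop) and an assumed rendering of the resulting per-user ACL with
# the authenticated host 10.0.0.100 substituted for 'any'.
AVPAIRS = ["ip:inacl#1=deny ip any 150.1.0.0 0.0.255.255",
           "ip:inacl#2=permit ip any any"]
SHOW_OUTPUT = """\
Extended IP access list FastEthernet0/20#IP0 (per-user)
    10 deny ip host 10.0.0.100 150.1.0.0 0.0.255.255
    20 permit ip host 10.0.0.100 any
"""

if __name__ == "__main__":
    print("lint:", lint_avpairs(AVPAIRS) or "ok")
    print("applied:", check_applied(AVPAIRS, SHOW_OUTPUT, "FastEthernet0/20", "10.0.0.100"))
```

Run it against the real "show ip access-lists" output from the switch: an empty mismatch list means the authorization profile reached the port intact, while a missing per-user ACL points at the authorization step (for example the missing "radius-server vsa send authentication" from this thread) rather than at 802.1x authentication itself.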




This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST