RADIUS packet overflow because of too many ACL entries

  • Question

  • Hi,

    We are using NAP 802.1x with ACLs to restrict noncompliant computers on our network.

    The ACL is configured on the NPS server using the "Cisco-AV-Pair" attribute and the following syntax:

    ip:inacl#100=permit ip any xxx.xxx.xxx.xxx 255.255.255.0
    ip:inacl#110=permit ip any xxx.xxx.xxx.xxx 255.255.255.0
    ip:inacl#120=permit ip any xxx.xxx.xxx.xxx 255.255.255.0
    ip:inacl#130=permit ip any xxx.xxx.xxx.xxx 255.255.255.0
    ip:inacl#140=permit ip any xxx.xxx.xxx.xxx 255.255.255.0
    .
    .
    .
    .


    Everything worked fine in our small integration environment. The problem we have now in the production environment is that the ACL has too many entries and exceeds the RADIUS packet size limit of 4096 bytes.

    Is there a way to use a different syntax to bypass the packet limit? I read that Cisco ACS is not affected by this limitation.

    Cisco ACS: Unlimited ACL size —Downloadable ACLs are sent using as many RADIUS packets as required to transport the full ACL set from CiscoSecure ACS

    How do they do that? Is NPS able to do something similar?

    Please do not ask if it is possible to add fewer hosts to the ACL. We need this high number of entries.

    Thanks a lot and regards
    mat

    Monday, February 6, 2012 12:02 PM

Answers

  • Hi,

    Thanks for posting here.

    I've also searched around but found nothing either, and I'm afraid NPS can only recognize RADIUS messages whose length is between 20 and 4,096 bytes:

    “The Length field is two octets long and indicates the entire length of the RADIUS message, including the Code, Identifier, Length, and Authenticator fields, and the RADIUS attributes. The Length field can vary from 20 to 4,096 bytes.”

    RADIUS Protocol
    http://technet.microsoft.com/en-us/library/dd197481(WS.10).aspx

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact  tnmff@microsoft.com.



    Tuesday, February 7, 2012 3:30 AM
  • Hello,

    Thanks for the info. I think Microsoft should work on this problem to allow ACLs with more entries on their NPS servers, because setting an ACL is more comfortable than switching the client to a different VLAN.

    In the meantime I tried to set the ACL with less specific entries at port level.

    The main problem is to block access to file server resources without blocking SYSVOL and other needed shares.

    Here is our ACL as an example.

    ip:inacl#1=permit ip any host "TCP/IP of CRL publishing point"
    ip:inacl#10=deny tcp any any eq 20
    ip:inacl#11=deny tcp any any eq 21
    ip:inacl#12=deny tcp any any eq 23
    ip:inacl#13=deny tcp any any eq 25
    ip:inacl#14=deny tcp any any eq 69
    ip:inacl#16=deny tcp any any eq 80
    ip:inacl#17=deny tcp any any eq 8080
    ip:inacl#18=deny tcp any any eq 110
    ip:inacl#19=deny tcp any any eq 143
    ip:inacl#20=deny tcp any any eq 443
    ip:inacl#21=deny tcp any any eq 993
    ip:inacl#22=deny tcp any any eq 995
    ip:inacl#23=deny tcp any any eq 1433
    ip:inacl#40=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#41=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#42=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#43=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#44=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#45=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#46=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#47=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#48=deny ip any host "TCP/IP of Fileserver"
    ip:inacl#60=permit tcp any any
    ip:inacl#61=permit udp any any
    ip:inacl#62=permit ip any any

    Regards

    mat

    Thursday, February 9, 2012 12:39 PM
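As an added example for this thread (it is not part of the original posts, and it is not NPS or Cisco code), the Python below does two things a practitioner would want before pushing a dACL through NPS: it encodes each ip:inacl line the way the Cisco-AV-Pair attribute is actually carried on the wire (RFC 2865 Vendor-Specific, type 26, Cisco vendor ID 9, vendor type 1) and adds up the Access-Accept length against the 4096-byte limit quoted above, and it shows how far CIDR summarization shrinks the long host-by-host list from the first post before anyone has to fall back to port-level denies. The network list is constructed for the example and stands in for the "xxx.xxx.xxx.xxx" entries; `other_attr_bytes` is an assumed placeholder for the rest of the Accept (EAP-Message, Message-Authenticator, tunnel attributes) that the thread does not list. One caveat on the syntax from the first post: an IOS extended ACE takes a wildcard mask, so a /24 is written as 0.0.0.255, which is what the code emits; check what your enforcement platform expects.

```python
"""Size a RADIUS Access-Accept carrying Cisco-AV-Pair dACL entries and
shrink the ACL by CIDR summarization.

Added example for this thread, not NPS or Cisco code. Layout per RFC 2865:
20-byte packet header, Length limited to 4096; each attribute is
Type(1) Length(1) Value(<=253); a Vendor-Specific (type 26) value carries
Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) followed by the vendor string.
Cisco's vendor ID is 9 and Cisco-AV-Pair is vendor type 1.
"""
import ipaddress
import struct

RADIUS_HEADER_LEN = 20
RADIUS_MAX_LEN = 4096
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def encode_avpair(text: str) -> bytes:
    """Encode one Cisco-AV-Pair string as a RADIUS Vendor-Specific attribute."""
    value = text.encode("ascii")
    vsa = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, 2 + len(value)) + value
    if 2 + len(vsa) > 255:
        raise ValueError(f"AV-pair does not fit in one attribute: {text!r}")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa)) + vsa


def access_accept_len(avpairs, other_attr_bytes: int = 0) -> int:
    """Header + other attributes + every AV-pair. other_attr_bytes is an
    assumed figure for whatever else the Accept carries (EAP-Message,
    Message-Authenticator, tunnel attributes); the thread does not list it."""
    return RADIUS_HEADER_LEN + other_attr_bytes + sum(len(encode_avpair(a)) for a in avpairs)


def entries_that_fit(avpairs, other_attr_bytes: int = 0) -> int:
    """How many leading entries fit before the Accept would exceed 4096 bytes."""
    budget = RADIUS_MAX_LEN - RADIUS_HEADER_LEN - other_attr_bytes
    used = 0
    for i, a in enumerate(avpairs):
        used += len(encode_avpair(a))
        if used > budget:
            return i
    return len(avpairs)


def dacl_entries(networks, start: int = 100, step: int = 10) -> list[str]:
    """Render IOS-style 'ip:inacl#N=permit ip any ...' lines. IOS extended
    ACEs take a wildcard mask (0.0.0.255 for a /24), so the hostmask is
    emitted; a /32 becomes the 'host' form."""
    lines = []
    for i, net in enumerate(networks):
        n = ipaddress.ip_network(net, strict=False)
        seq = start + i * step
        if n.prefixlen == n.max_prefixlen:
            lines.append(f"ip:inacl#{seq}=permit ip any host {n.network_address}")
        else:
            lines.append(f"ip:inacl#{seq}=permit ip any {n.network_address} {n.hostmask}")
    return lines


def summarize(networks) -> list[str]:
    """Collapse adjacent and overlapping prefixes into the fewest CIDR blocks."""
    nets = (ipaddress.ip_network(n, strict=False) for n in networks)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample (not real data): two contiguous runs of /24s plus a
# few scattered hosts, standing in for the thread's "xxx.xxx.xxx.xxx" list.
CONSTRUCTED_NETWORKS = (
    [f"10.20.{i}.0/24" for i in range(64)]
    + [f"10.30.{i}.0/24" for i in range(16)]
    + ["192.0.2.10/32", "192.0.2.11/32", "198.51.100.0/24"]
)


def report(networks, other_attr_bytes: int = 0) -> dict:
    """Compare the verbose ACL with its summarized form."""
    verbose = dacl_entries(networks)
    compact = dacl_entries(summarize(networks))
    return {
        "verbose_entries": len(verbose),
        "verbose_len": access_accept_len(verbose, other_attr_bytes),
        "verbose_fit": entries_that_fit(verbose, other_attr_bytes),
        "compact_entries": len(compact),
        "compact_len": access_accept_len(compact, other_attr_bytes),
    }


if __name__ == "__main__":
    for key, val in report(CONSTRUCTED_NETWORKS).items():
        print(f"{key:16} {val}")
    for line in dacl_entries(summarize(CONSTRUCTED_NETWORKS)):
        print(line)
```

Each /24 entry costs roughly 54 to 55 bytes once the 8 bytes of attribute and vendor headers are added, so a little over 70 of them exhaust the 4076 bytes left after the packet header, which matches the overflow described in the question; the 83-entry sample fails at entry 74, while the summarized form is four entries. Summarization only helps where the permitted hosts are contiguous, so run it against the real list before deciding whether the port-level ACL in the post above is needed. Cisco ACS sidesteps the limit differently: the Accept carries only the name of the dACL and the switch fetches its contents in follow-up RADIUS exchanges, which is the "as many RADIUS packets as required" behaviour quoted in the question; NPS has no equivalent, so on NPS the whole ACL has to fit in the one Accept.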

All replies

  • Hi,

    Please feel free to let us know if the information was helpful to you.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact  tnmff@microsoft.com.



    Wednesday, February 8, 2012 10:11 AM