FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 272603
Description

This article describes a behavior observed when using FortiNAC to apply Downloadable ACLs (DACLs) via RADIUS to a Cisco switch port.

Scope

Version: 9.x, F7.2.
Solution

FortiNAC's Local RADIUS service provides the ability to apply DACLs using the Cisco-AVPair RADIUS attribute. DACLs are defined within the Response Values of the attribute. FortiNAC does not limit the number of Response Values or the size of the DACL added.

Since all Cisco-AVPair Response Values are returned in the same RADIUS Access-Accept, the resulting Ethernet frame can exceed 1518 bytes, the standard maximum frame size, and the packet is truncated.


Packet Capture Example:

Vendor-Specific Attribute (26), length: 45, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 37, Value: ip:inacl#27-permit tcp any eq 443 any
Vendor-Specific Attribute (26), length: 45, Value: Vendor: Cisco (9)
Vendor Attribute: 1, Length: 37, Value: ip:inacl#28-permit tcp any any eq 443
Vendor-Specific Attribute (26), length: 31 (bogus, goes past end of packet)  <--

When this happens, the switch only receives the attributes that fit in the frame, so not all the DACLs are applied to the port.


For more information on configuring RADIUS attributes, see Attribute groups in the Administration Guide.


Workaround: Limit the number and size of DACLs added to the attribute such that the packet does not exceed 1518 bytes.
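To apply the workaround without trial and error, the DACL set can be sized before it is added to the attribute group. The following Python script is an added example, not FortiNAC code: it encodes each Cisco-AVPair Response Value as a RADIUS Vendor-Specific attribute (type 26, vendor ID 9, vendor type 1, per RFC 2865), adds the 20-byte RADIUS header, and compares the total against the 1472 bytes of RADIUS payload that fit in a 1518-byte Ethernet frame once the 14-byte Ethernet header, 4-byte FCS, 20-byte IPv4 header and 8-byte UDP header are subtracted (no IP options assumed). The sample DACL is constructed from the two entries shown in the capture above, with the same separator the capture shows, plus additional entries of the same size; the `other_attribute_bytes` parameter is a placeholder for whatever other attributes (Class, Message-Authenticator, VLAN assignment) the Access-Accept also carries.

```python
import struct

# Framing constants. 1518 bytes is the limit the article names; the rest are
# standard header sizes (IPv4 without options assumed).
ETH_HEADER = 14
ETH_FCS = 4
MAX_FRAME = 1518
IPV4_HEADER = 20
UDP_HEADER = 8
RADIUS_HEADER = 20    # Code, Identifier, Length, Authenticator (RFC 2865)
MAX_RADIUS_PAYLOAD = MAX_FRAME - ETH_HEADER - ETH_FCS - IPV4_HEADER - UDP_HEADER  # 1472

VSA_TYPE = 26         # Vendor-Specific attribute (RFC 2865, section 5.26)
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1      # Cisco-AVPair vendor type


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair Response Value as a RADIUS VSA.

    Layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String.
    The Length octet covers the whole attribute, so 8 bytes of overhead per value.
    """
    data = value.encode("ascii")
    vendor_length = 2 + len(data)
    total_length = 6 + vendor_length
    if total_length > 255:  # a single RADIUS attribute cannot be longer than 255 bytes
        raise ValueError(f"AV-pair too long for one attribute: {value!r}")
    return struct.pack("!BBIBB", VSA_TYPE, total_length,
                       CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_length) + data


def radius_response_size(avpairs, other_attribute_bytes: int = 0) -> int:
    """Size in bytes of the RADIUS packet carrying the given AV-pairs."""
    return (RADIUS_HEADER + other_attribute_bytes
            + sum(len(encode_cisco_avpair(v)) for v in avpairs))


def fits_in_one_frame(avpairs, other_attribute_bytes: int = 0) -> bool:
    """True when the Access-Accept stays within a single 1518-byte frame."""
    return radius_response_size(avpairs, other_attribute_bytes) <= MAX_RADIUS_PAYLOAD


def max_avpairs_that_fit(avpairs, other_attribute_bytes: int = 0) -> int:
    """Number of leading AV-pairs that can be sent before the frame limit is hit.

    Entries beyond this index are the ones a switch would not see intact.
    """
    used = RADIUS_HEADER + other_attribute_bytes
    for index, value in enumerate(avpairs):
        used += len(encode_cisco_avpair(value))
        if used > MAX_RADIUS_PAYLOAD:
            return index
    return len(avpairs)


# Constructed sample: the two entries from the capture above, followed by 38 more
# entries of identical length to represent a large DACL (40 entries, 45 bytes each).
SAMPLE_DACL = [
    "ip:inacl#27-permit tcp any eq 443 any",
    "ip:inacl#28-permit tcp any any eq 443",
] + [f"ip:inacl#{n}-permit tcp any any eq 443" for n in range(29, 67)]


if __name__ == "__main__":
    size = radius_response_size(SAMPLE_DACL)
    print(f"RADIUS payload: {size} bytes (limit {MAX_RADIUS_PAYLOAD})")
    if not fits_in_one_frame(SAMPLE_DACL):
        keep = max_avpairs_that_fit(SAMPLE_DACL)
        print(f"Too large: only the first {keep} of {len(SAMPLE_DACL)} entries fit;"
              " shorten or split the DACL before adding it to the attribute group.")
```

Run it against the actual Response Values of an attribute group (one string per Cisco-AVPair) and pass the byte count of the other attributes in the Access-Accept as `other_attribute_bytes`; a result above 1472 bytes reproduces the "goes past end of packet" condition in the capture, and `max_avpairs_that_fit` tells how many entries must be trimmed.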