There is a network; users connect to it from outside using the CISCO VPN Client, and the router is a Cisco 2821. I set up authentication of the VPN users against RADIUS, and everything works. Now I am trying to add downloadable ACLs for the users. On the RADIUS server, in the access policy, I set a cisco-av-pair, for example ip:inacl#1=permit tcp any any eq telnet. But nothing works. What could be the reason? Here is the debug:
cis2821#show debug
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
Radius protocol debugging is on
Radius packet protocol debugging is on
*Jul 9 10:29:02.231: AAA/BIND(0000000B): Bind i/f
*Jul 9 10:29:02.287: AAA/AUTHOR (0xB): Pick method list 'VPNcli'
*Jul 9 10:29:02.287: RADIUS/ENCODE(0000000B):Orig. component type = VPN_IPSEC
*Jul 9 10:29:02.287: RADIUS(0000000B): Config NAS IP: 0.0.0.0
*Jul 9 10:29:02.287: RADIUS/ENCODE(0000000B): acct_session_id: 8
*Jul 9 10:29:02.287: RADIUS(0000000B): sending
*Jul 9 10:29:02.287: RADIUS/ENCODE: Best Local IP-Address 192.168.20.35 for Radius-Server 192.168.20.4
*Jul 9 10:29:02.287: RADIUS(0000000B): Send Access-Request to 192.168.20.4:1645 id 1645/8, len 86
*Jul 9 10:29:02.287: RADIUS: authenticator 42 78 22 F7 B5 E7 43 E1 - C9 35 68 16 50 12 93 B5
*Jul 9 10:29:02.287: RADIUS: User-Name [1] 7 "cisIT"
*Jul 9 10:29:02.287: RADIUS: User-Password [2] 18 *
*Jul 9 10:29:02.287: RADIUS: Calling-Station-Id [31] 17 "192.168.110.112"
*Jul 9 10:29:02.287: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jul 9 10:29:02.287: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jul 9 10:29:02.287: RADIUS: Service-Type [6] 6 Outbound [5]
*Jul 9 10:29:02.287: RADIUS: NAS-IP-Address [4] 6 192.168.20.35
*Jul 9 10:29:02.291: RADIUS: Received from id 1645/8 192.168.20.4:1645, Access-Accept, len 109
*Jul 9 10:29:02.291: RADIUS: authenticator 06 A8 BD 75 35 42 45 87 - C8 57 6E 87 1A 21 C5 D2
*Jul 9 10:29:02.291: RADIUS: Service-Type [6] 6 Outbound [5]
*Jul 9 10:29:02.291: RADIUS: Tunnel-Type [64] 6 00:ESP [9]
*Jul 9 10:29:02.291: RADIUS: Class [25] 32
*Jul 9 10:29:02.291: RADIUS: 5E E0 07 22 00 00 01 37 00 01 C0 A8 14 04 01 C7 [^??"???7????????]
*Jul 9 10:29:02.291: RADIUS: BF A6 BB 90 97 F7 00 00 00 00 00 00 00 62 [?????????????b]
*Jul 9 10:29:02.291: RADIUS: Vendor, Microsoft [26] 12
*Jul 9 10:29:02.291: RADIUS: MS-MPPE-Enc-Policy [7] 6
*Jul 9 10:29:02.291: RADIUS: 00 00 00 01 [????]
*Jul 9 10:29:02.291: RADIUS: Vendor, Microsoft [26] 12
*Jul 9 10:29:02.291: RADIUS: MS-MPPE-Enc-Type [8] 6
*Jul 9 10:29:02.291: RADIUS: 00 00 00 00 [????]
*Jul 9 10:29:02.291: RADIUS: Tunnel-Password [69] 21 00:*
*Jul 9 10:29:02.295: RADIUS(0000000B): Received from id 1645/8
*Jul 9 10:29:02.303: AAA/BIND(0000000C): Bind i/f
*Jul 9 10:29:05.467: AAA/AUTHEN/LOGIN (0000000C): Pick method list 'VPNcli'
*Jul 9 10:29:05.471: RADIUS/ENCODE(0000000C):Orig. component type = VPN_IPSEC
*Jul 9 10:29:05.471: RADIUS/ENCODE(0000000C): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jul 9 10:29:05.471: RADIUS(0000000C): Config NAS IP: 0.0.0.0
*Jul 9 10:29:05.471: RADIUS/ENCODE(0000000C): acct_session_id: 9
*Jul 9 10:29:05.471: RADIUS(0000000C): sending
*Jul 9 10:29:05.471: RADIUS/ENCODE: Best Local IP-Address 192.168.20.35 for Radius-Server 192.168.20.4
*Jul 9 10:29:05.471: RADIUS(0000000C): Send Access-Request to 192.168.20.4:1645 id 1645/9, len 66
*Jul 9 10:29:05.471: RADIUS: authenticator E0 58 27 67 94 DD E7 C8 - D8 7B 41 2A 47 B4 AE 85
*Jul 9 10:29:05.471: RADIUS: User-Name [1] 5 "isa"
*Jul 9 10:29:05.471: RADIUS: User-Password [2] 18 *
*Jul 9 10:29:05.471: RADIUS: Calling-Station-Id [31] 17 "192.168.110.112"
*Jul 9 10:29:05.471: RADIUS: NAS-IP-Address [4] 6 192.168.20.35
*Jul 9 10:29:05.475: RADIUS: Received from id 1645/9 192.168.20.4:1645, Access-Accept, len 303
*Jul 9 10:29:05.475: RADIUS: authenticator CD A7 97 FC 56 4E 29 8A - 33 A6 E1 99 3F CA E9 5E
*Jul 9 10:29:05.475: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jul 9 10:29:05.475: RADIUS: Service-Type [6] 6 Framed [2]
*Jul 9 10:29:05.475: RADIUS: Class [25] 32
*Jul 9 10:29:05.475: RADIUS: 5E E1 07 23 00 00 01 37 00 01 C0 A8 14 04 01 C7 [^??#???7????????]
*Jul 9 10:29:05.475: RADIUS: BF A6 BB 90 97 F7 00 00 00 00 00 00 00 63 [?????????????c]
*Jul 9 10:29:05.475: RADIUS: Vendor, Cisco [26] 30
*Jul 9 10:29:05.475: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
*Jul 9 10:29:05.475: RADIUS: Vendor, Cisco [26] 40
*Jul 9 10:29:05.475: RADIUS: Cisco AVpair [1] 34 "ipsec:key-exchange=preshared-key"
*Jul 9 10:29:05.475: RADIUS: Vendor, Cisco [26] 31
*Jul 9 10:29:05.475: RADIUS: Cisco AVpair [1] 25 "ipsec:addr-pool=KHEpool"
*Jul 9 10:29:05.479: RADIUS: Vendor, Cisco [26] 29
*Jul 9 10:29:05.479: RADIUS: Cisco AVpair [1] 23 "ipsec:inacl=AllintNet"
*Jul 9 10:29:05.479: RADIUS: Vendor, Cisco [26] 38
*Jul 9 10:29:05.479: RADIUS: Cisco AVpair [1] 32 "ipsec:dns-servers=192.168.20.4"
*Jul 9 10:29:05.479: RADIUS: Vendor, Cisco [26] 47
*Jul 9 10:29:05.479: RADIUS: Cisco AVpair [1] 41 "ip:inacl#1=permit tcp any any eq telnet"
*Jul 9 10:29:05.479: RADIUS: Vendor, Microsoft [26] 12
*Jul 9 10:29:05.479: RADIUS: MS-MPPE-Enc-Policy [7] 6
*Jul 9 10:29:05.479: RADIUS: 00 00 00 01 [????]
*Jul 9 10:29:05.479: RADIUS: Vendor, Microsoft [26] 12
*Jul 9 10:29:05.479: RADIUS: MS-MPPE-Enc-Type [8] 6
*Jul 9 10:29:05.479: RADIUS: 00 00 00 00 [????]
*Jul 9 10:29:05.479: RADIUS(0000000C): Rec
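To see which Access-Accept actually carried the numbered per-user ACL entries, the debug output can be grouped by RADIUS packet id. The following is an added example, not part of the original post; the function names `parse_transactions` and `numbered_inacl` are hypothetical, and the sample lines are copied from the debug above with timestamps dropped.

```python
import re

# Lines taken from the debug output above (timestamps dropped, shortened).
SAMPLE = """\
RADIUS(0000000B): Send Access-Request to 192.168.20.4:1645 id 1645/8, len 86
RADIUS: User-Name [1] 7 "cisIT"
RADIUS: Received from id 1645/8 192.168.20.4:1645, Access-Accept, len 109
RADIUS(0000000C): Send Access-Request to 192.168.20.4:1645 id 1645/9, len 66
RADIUS: User-Name [1] 5 "isa"
RADIUS: Received from id 1645/9 192.168.20.4:1645, Access-Accept, len 303
RADIUS: Cisco AVpair [1] 23 "ipsec:inacl=AllintNet"
RADIUS: Cisco AVpair [1] 41 "ip:inacl#1=permit tcp any any eq telnet"
"""

SEND = re.compile(r"Send Access-Request to \S+ id (\S+),")
USER = re.compile(r'User-Name \[1\] \d+ "([^"]*)"')
RECV = re.compile(r"Received from id (\S+) \S+, (Access-\w+)")
AVPAIR = re.compile(r'Cisco AVpair \[1\] \d+ "(\w+):([^="]+)=([^"]*)"')
ACL_ATTR = re.compile(r"inacl#(\d+)$")  # numbered per-user form only


def parse_transactions(log):
    """Group user name, reply code and Cisco AV pairs by RADIUS packet id."""
    txs, cur, in_reply = {}, None, False
    for line in log.splitlines():
        if m := SEND.search(line):
            cur = txs.setdefault(m.group(1), {"user": None, "reply": None, "avpairs": []})
            in_reply = False
        elif m := RECV.search(line):
            cur = txs.setdefault(m.group(1), {"user": None, "reply": None, "avpairs": []})
            cur["reply"], in_reply = m.group(2), True
        elif cur is not None and not in_reply and (m := USER.search(line)):
            cur["user"] = m.group(1)
        elif cur is not None and in_reply and (m := AVPAIR.search(line)):
            cur["avpairs"].append(m.groups())
    return txs


def numbered_inacl(txs):
    """Map each user to the ordered ip:inacl#<n> entries returned for them."""
    result = {}
    for tx in txs.values():
        aces = []
        for proto, attr, value in tx["avpairs"]:
            m = ACL_ATTR.match(attr)
            if proto == "ip" and m:
                aces.append((int(m.group(1)), value))
        result[tx["user"]] = sorted(aces)
    return result
```

Run against the full capture, this separates the first request (user "cisIT") from the second (user "isa") and lists the `ip:inacl#` entries returned for each.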