Cisco ACS documentation claims that Cisco devices running IOS version 12.3(8)T or greater support downloadable IP ACLs. However, it is almost impossible to find any documentation regarding this configuration. The only documentation available describes DACLs to PIX or ASA, but there shouldn't be any difference from the DACL-to-IOS configuration. Thus, I really wanted to know if there is anyone who actually managed to make this work, and if you have any idea why my configuration has failed it would be much appreciated.
IPsec Remote Access Using Preshared Key
Cisco Router: 3640
Cisco IOS: Version 12.3(11)T10
ACS version 4.0 for windows
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop broadcast group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa accounting resource default start-stop group radius
aaa session-id common
crypto isakmp policy 3
no crypto isakmp ccm
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap client accounting list default
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server key xxxxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
Here I just created a downloadable access list with the rule "permit icmp any any" and the name "test".
Next I opened a user's settings, checked the box "Assign IP ACL" and chose the name of the DACL I created.
Am I missing something here?
When the ACS is authenticating the user, it seems from "debug radius authentication" that ACS sends the DACL "test" to the router:
Feb 16 22:28:32.402: RADIUS: Cisco AVpair  59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-test-45d6210d"
However, when I enter the command "sh access-lists" I don't see the access list #ACSACL# (by the way, I haven't configured any other ACL on the router), and of course the user has unlimited access to the network (it should have only ICMP).
Thanks in advance for your time
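Downloadable ACLs are a two-step RADIUS exchange: the Access-Accept for the user carries only the ACL name (the CiscoSecure-Defined-ACL AVpair quoted above), and the NAS must then send a second Access-Request with that #ACSACL# name as the User-Name, to which ACS replies with the ACE lines as ip:inacl#N AVpairs. The script below is an added example, not part of the post or of any Cisco tool; it parses "debug radius" output and reports which step is missing. The debug samples are constructed (only the CiscoSecure-Defined-ACL line is taken from the post), the IP 10.0.0.5 is a placeholder for the ACS host, and the attribute line layout is assumed to follow the usual IOS "debug radius" format.

```python
import re

# Constructed sample: what the poster sees, step 1 only (the ACL name arrives, nothing follows).
SAMPLE_DEBUG_POSTER = """\
Feb 16 22:28:32.398: RADIUS: Received from id 1645/7 10.0.0.5:1645, Access-Accept, len 128
Feb 16 22:28:32.402: RADIUS: Cisco AVpair  59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-test-45d6210d"
"""

# Constructed sample of a complete exchange: the router asks for the ACL body and ACS returns it.
SAMPLE_DEBUG_FULL = SAMPLE_DEBUG_POSTER + """\
Feb 16 22:28:32.410: RADIUS: Send Access-Request to 10.0.0.5:1645 id 1645/8, len 96
Feb 16 22:28:32.410: RADIUS:  User-Name           [1]   27  "#ACSACL#-IP-test-45d6210d"
Feb 16 22:28:32.430: RADIUS: Received from id 1645/8 10.0.0.5:1645, Access-Accept, len 80
Feb 16 22:28:32.430: RADIUS:  Cisco AVpair        [1]   32  "ip:inacl#1=permit icmp any any"
"""

ACL_NAME_RE = re.compile(r'CiscoSecure-Defined-ACL=(#ACSACL#-IP-[^"\s]+)')
USER_NAME_RE = re.compile(r'User-Name\s+(?:\[1\]\s+)?\d+\s+"([^"]+)"')
INACL_RE = re.compile(r'"ip:inacl#(\d+)=([^"]+)"')


def analyze_dacl_exchange(debug_text):
    """Return how far the two-step downloadable ACL exchange got in a debug capture."""
    result = {"acl_name": None, "acl_requested": False, "aces": []}
    m = ACL_NAME_RE.search(debug_text)
    if not m:
        return result  # step 1 missing: ACS never named an ACL for this user
    result["acl_name"] = m.group(1)
    # Step 2: the NAS must authenticate the ACL name itself as a User-Name.
    result["acl_requested"] = any(um.group(1) == result["acl_name"]
                                  for um in USER_NAME_RE.finditer(debug_text))
    # Step 3: ACE lines come back as ip:inacl#N AVpairs; keep them in ACE order.
    result["aces"] = [ace for _, ace in sorted((int(n), a) for n, a in INACL_RE.findall(debug_text))]
    return result


def diagnose(debug_text):
    """Human-readable verdict naming the first missing step of the exchange."""
    r = analyze_dacl_exchange(debug_text)
    if r["acl_name"] is None:
        return "step 1 missing: no CiscoSecure-Defined-ACL attribute in the Access-Accept"
    if not r["acl_requested"]:
        return "step 2 missing: NAS received %s but never sent an Access-Request for it" % r["acl_name"]
    if not r["aces"]:
        return "step 3 missing: NAS requested %s but no ip:inacl# entries came back" % r["acl_name"]
    return "DACL %s downloaded with %d ACE(s)" % (r["acl_name"], len(r["aces"]))
```

Run against the poster's capture the verdict is "step 2 missing", which is consistent with the ACL never appearing in "show access-lists": the router accepted the name but did not fetch the ACL body.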