Firewall/RADIUS/LDAP

nguyenvinht
Level 1

Hi,

Someone please help me with ip authentication proxy.

In the firewall, there are two ACLs. One is for authentication and one is for access. When you try to access a system behind the firewall, you are required to enter a username and password for authentication if you are permitted in the authentication ACL. The firewall then queries the RADIUS servers. The RADIUS server then queries the LDAP servers to verify the username and password. My question is: what information is returned to the RADIUS server if the username and password are valid or invalid? What information is returned to the firewall?

Thanks.

7 Replies

Vivek Santuka
Cisco Employee

Hi,

ACS gets authentication status (pass or fail) and group mapping from LDAP.

ACS then returns an Access-Accept/Reject and any attributes you have configured on the user profile/group profile to the firewall.

Regards,

Vivek

Thanks. If RADIUS returns an Access-Accept and attributes to the firewall, are these attributes dynamically added to the access ACL? How exactly are these attributes returned to the firewall? The firewall has two ACLs: one for controlling authentication and one for controlling access.

Hi,

If you have defined a downloadable ACL on the RADIUS server, it will be pushed to the firewall and added to the "access" ACL.

When the uauth expires or gets cleared, the dynamic ACL entry will be removed.

The attributes are pushed as AV pairs in the Access-Accept RADIUS packet.

Downloadable ACLs are not the only attributes you can push. There are many others, such as timeouts.

Try debug radius on the firewall to see the AV pairs.

Regards,

Vivek
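To make the "AV pairs in the Access-Accept" point concrete, here is an added example (not from the thread or from Cisco) that builds a constructed Access-Accept carrying Session-Timeout and cisco-av-pair VSAs, verifies its Response Authenticator against the shared secret, and decodes the attributes the way a "debug radius" listing would show them. The shared secret, Request Authenticator and the ACL entry string are constructed values; the attribute numbers and Cisco vendor ID are the standard RFC 2865 / IANA ones.

```python
import hashlib
import hmac
import struct

# RFC 2865 attribute types and the IANA enterprise number for Cisco
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_SESSION_TIMEOUT = 27
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1  # vendor-type of the cisco-av-pair VSA


def build_access_accept(ident, request_auth, secret, avpairs, timeout):
    """Build a constructed Access-Accept (test data only) with a valid
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = struct.pack("!BBI", ATTR_SESSION_TIMEOUT, 6, timeout)
    for av in avpairs:
        inner = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(av)) + av.encode()
        attrs += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner),
                             CISCO_VENDOR_ID) + inner
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_access_accept(pkt, request_auth, secret):
    """Return (authentic, attrs): whether the Response Authenticator matches
    the shared secret, and the decoded Session-Timeout / cisco-av-pair list."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    resp_auth, attrs = pkt[4:20], pkt[20:length]
    expected = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    authentic = hmac.compare_digest(resp_auth, expected)
    out = {"Session-Timeout": None, "cisco-av-pair": []}
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")  # reject truncated TLVs
        value = attrs[pos + 2:pos + alen]
        if atype == ATTR_SESSION_TIMEOUT:
            out["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and \
                struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AV_PAIR:
                out["cisco-av-pair"].append(value[6:4 + vlen].decode())
        pos += alen
    return authentic, out


def demo():
    request_auth = bytes(range(16))  # constructed Request Authenticator
    secret = b"constructed-shared-secret"
    pkt = build_access_accept(7, request_auth, secret,
                              ["ip:inacl#1=permit tcp any host 10.0.0.5 eq 80"], 3600)
    return parse_access_accept(pkt, request_auth, secret)
```

A packet whose authenticator does not verify (wrong secret, or a forged reply) should be dropped before any of its attributes are applied to the access ACL.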

Hi Vivek,

If I don't define any downloadable ACL on the RADIUS server, only authentication attributes, will source IP, destination IP, and traffic type be checked against my "access-list 105" ACL? Or is the "access" ACL bypassed if I am authenticated and checked if I am not authenticated? Help me clear up this concept.

Thanks.

Some main configuration:

ip auth-proxy name NAME http list 120
interface FastEthernet0/0
 ip address x x
 ip access-group 105 in
 ip auth-proxy NAME
ip http server
ip http authentication aaa

Hi,

After authentication the traffic will be checked against ACL 105. It will not bypass it.

Even when you have downloadable ACLs, they get appended to the access ACL.

Regards,

Vivek

Thanks.

So it is possible to define a profile in the RADIUS server to query the LDAP server for authentication only (Access-Accept with session timeout) and use "access-list 105" to control source IP, destination IP, and traffic type?

Hi,

Yes you are correct.

Regards,

Vivek
