I need to know if there is a possibility to download an ACL to a DACL-enabled device that is not a part of the RADIUS conversation. In other words, I have one user that needs access to some resources and is attempting to log in to the network through PIX1. I need to authenticate him through ACS and to download the ACL to PIX1 and (attention) PIX2 too (some upstream firewall). Is there any way to do it?
I don't think you can do this. As you have mentioned, the other PIX does not have RADIUS configuration. And you can only push a DACL from the RADIUS server to the PIX that is requesting it, not to any other PIX.
And I am not aware of any mechanism or feature that can transfer the downloaded ACLs from one PIX to another.