Downloadable IP ACL with ACS and 3560?

s.berthier
Level 1

Hi

I am trying to implement "Downloadable IP ACL" between a 3560 (IOS 12.2(35)SE1) and an ACS Appliance 4.1.3.12, using RADIUS authentication of a user that wants to connect to the switch.

The authentication works fine and I can log in to the switch without problem.

In the ACS log, and if you do a debug radius on the switch, you see that the "Downloadable IP ACL" functionality is correctly used, but nothing happens on the switch.

If you try to show the applied access list, you see nothing.

I just want to know if it's possible to do that, and if you have a solution to implement this?

Thanks for your help

5 Replies

ebreniz
Level 6

From what I see at http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/admon/dynfilt.htm#2006410, the 3000 can deal with what ACS sends if it's in the format on the IOS/PIX Radius attributes screen or the PIX ACLs screen, not the "Downloadable IP ACLs" screen.

That's correct. This will be added onto in an upcoming release so that you can do it either way.

Thanks for your help, I will try again to implement the solution with [009\001] cisco-av-pair.

But I tried to do this last time and it seems that it doesn't work fine, but I will test another time.

thanks

Hi

I have tried to implement the solution with cisco-av-pair, but it doesn't work when I connect to the switch with a username created on the ACS.

Do you know if there are different parameters to change? On the ACS? Or on the switch?

I have tried to implement such things as:

-- aaa authorization configuration

-- settings on ACS like Service Type,...

but nothing works fine.

Do you have any other idea?

Thanks

How is the user connecting to the switch? With 802.1X?