Using ACS for ACL

mission2k · ‎04-29-2008

We have a Cisco Windows ACS server that we currently use for many purposes. One of those is that we add the mac addresses of everyone authorized to be on the wireless network and then we have our Cisco WLC use it for authentication.

My question is, isnt it also possible to use the ACS when building an ACL on our router? I would like to build some ACL's on the router that basically do a lookup on the ACS to see if your traffic is authorized to pass.

Thanks.

Jagdeep Gambhir · ‎04-29-2008

Hi,

To use a downloadable IP ACL on a particular AAA client, the following requirements must be met:

*The AAA client must use RADIUS for authentication.

*The AAA client must support downloadable IP ACLs.

Examples of Cisco devices that support downloadable IP ACLs are:

*PIX Firewalls

*VPN 3000-series concentrators

*Cisco devices running IOS version 12.3(8)T or greater

I'm listing an example of how can GROUP1 be restricted from accessing a server/internet using Downloadble ACLs.

Follow these steps for configuration on the ACS.

Creating the Downloadable ACL Set

1. Click Interface Configuration and then click Advanced Options .

2. Check Group-Level Downloadable ACLs . (We are concerned about Group-Level ACLs in this case).

3. Click Submit .

Where applicable, the CiscoSecure ACS HTML interface displays features related to downloadable IP ACLs.

4. Click Shared Profile Components click Downloadable IP ACLs , and then

click Add .

The page for adding a downloadable ACL set appears .

5. In the Name box, type Deny file web (could be anything you want).

6. In the Description box, type Denies access to file servers and internet (could be anything you want).

7. In the ACL Definitions box, type the following (for instance):

deny tcp 10.1.1.0 0.0.0.255 172.20.0.0 0.0.255.255 eq ftp

deny tcp 10.1.1.0 0.0.0.255 any eq http permit ip any any

8. Click Submit .

CiscoSecure ACS saves the downloadable ACL set. You can apply it by name to group or user profiles Applying the Downloadable ACL Set to a Group.

After you have created the downloadable ACL set, you must associate it with the group that contains the members of the VPN group.

1. Click Group Setup

2. From the Group list, select the group that you want to assign restricted members to.

Select Rename Group , change the group name to

res_access , and click Submit

3. Select Edit Settings .. The Group Settings page for the group selected appears.

4. From the Jump To list, select Downloadable ACLs . The browser scrolls to the Downloadable ACLs table on the Group Settings page

5. In the Downloadable ACLs table, select the Assign IP ACL check box.

6. From the Assign IP ACL list, select Deny file web CiscoSecure ACS will use the downloadable ACL set named "Deny file web" to send ACLs to the AS when members of the res_access group authenticate.

7. Select Submit + Restart . CiscoSecure ACS saves the group settings, restarts services, and begins enforcing thegroup settings. This will get the desired filtering in place.

Regards,

~JG

Do rate helpful posts

mission2k · ‎04-29-2008

Thanks JG. That is exactly what I am looking for.

One more question. What I need is probably out of the ordinary so I dont know that its possible.

I just set this downloadable acl up and configured our asa to use it. It works just fine. However, what I really need it to do is to deny access out the asa to anyone listed in the acs server, but permit access to anyone not listed.

I know that sounds crazy. Any chance that is possible. Maybe using some sort of wildcards or anything like that.

Jagdeep Gambhir · ‎04-29-2008

Not sure If I understand it..pls correct me if I'm wrong.

You want only some users should be able to login to ASA.

If that is the case then you can use feature called NAR's network access restriction.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Regards,

~JG

mission2k · ‎04-29-2008

I told you it was weird.

Here is what we want to do.

We have two WLANs setup at work. A private, secure WLAN for our employees to use and a Public Guest Wireless network that only can access the Internet.

Our private WLAN uses MAC address authentication but anyone can use the Public Wireless.

We want to prevent our employees from being able to connect to the Public Wireless WLAN.

The reason is that we have various internet access restrictions and such on the secure WLAN but the Public Wireless is fairly open. We are afraid our employees will figure this out and just connect to it to bypass the restrictions.

I know we could use Group Policy and other tools to stop them from being able to edit their wireless settings but I was looking for a more fail safe method.

Our internal users are all given 10.X.X.X addresses and our public wireless is given 172.16.X.X addresses.

We have this solution working now using a MAC filter on our internet filtering appliance but it requires that we enter every MAC address twice and that is something we want to get away from.

Thanks.

ariantow123 · ‎01-29-2009

Hi JG,

I'm currently test DACL.

Same steps with your guide.

But it doesn't work for me.

My current devices : C2691(c2691-advsecurityk9-mz.124-9.T5), ACS 4.2, and VPN client 4.6

Need your help

thanks,

*aw