Catalyst 3750 , ACS and Downloadable IP ACL

Unanswered Question
Jul 7th, 2008


We installed ACS v4.1 and were trying to limit the access of authenticated users by using a Downloadable IP ACL on a Catalyst 3750 with IOS version ipbasek9-mz.122-25.SEE4. The authentication part works fine with an external database (Windows AD), but we want to limit network access for some groups.

Can this be done using a Downloadable IP ACL?

Thanks for any help

Jagdeep Gambhir Mon, 07/07/2008 - 09:42

Yes, DACLs can be used here. To use a downloadable IP ACL on a particular AAA client, the AAA client must:

- Use RADIUS for authentication.
- Support downloadable IP ACLs.

Examples of Cisco devices that support downloadable IP ACLs are:

- PIX Firewalls
- VPN 3000-series concentrators, ASA and PIX devices
- Cisco devices running IOS version 12.3(8)T or greater

Please note that downloadable ACLs are not supported on cat-based switches.

If downloadable ACLs through a shared profile don't work, define a Cisco av-pair to create the downloadable ACLs.

Give this a try and see if it works. The format for the av-pair ACL is:


ip:inacl#1=permit ip



Do rate helpful posts.

jalmanza_82 Mon, 07/07/2008 - 10:05

JG, I did the shared profile configuration, but I didn't do anything on the Catalyst 3750 except these commands:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
dot1x system-auth-control

interface fas1/0/7
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout reauth-period 60
 dot1x reauthentication

radius-server host auth-port 1645 acct-port 1646 key cisco
radius-server source-ports 1645-1646


Do I need to configure anything else on the switch?

Thanks for any help

jafrazie Mon, 07/07/2008 - 10:12

This "Downloadable IP ACL" does NOT work on a 3750 on ports enabled for 802.1X. For 802.1X, you have 2 choices:

1) Use the Filter-ID attribute from RADIUS, and download the name/number of an ACL that's already configured on the switch.

2) Configure the [026\009\001] directly with the needed ACL.

This will help:
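The two options above (the Cisco av-pair `ip:inacl#N=...` format from the first reply, and the Filter-ID reference to an ACL already on the switch from this reply) are easy to get subtly wrong on the ACS side, and a mistake silently leaves the port with no per-user ACL. The following Python checker is an added example, not code from this thread or from Cisco; it takes a constructed list of Access-Accept attributes, orders the `ip:inacl#N` entries, flags malformed or duplicated sequence numbers, and confirms that a Filter-Id value names an ACL the switch actually has. It assumes the `<name>.in` form of the Filter-Id value and treats a repeated sequence number as a conflict (keeping the first entry); both are the checker's assumptions, not documented switch behaviour.

```python
"""Review the per-user ACL attributes a RADIUS server (such as ACS) returns in
an Access-Accept for an 802.1X port: Filter-Id naming an ACL configured on the
switch, or Cisco-AVPair ip:inacl#N entries carrying the ACL itself.
Added example; assumes the '<name>.in' Filter-Id form."""

import re

# Constructed sample Access-Accept attributes (not captured from a real server).
SAMPLE_ACCEPT = [
    ("Filter-Id", "guest-acl.in"),
    ("Cisco-AVPair", "ip:inacl#2=deny ip any 10.0.0.0 0.255.255.255"),
    ("Cisco-AVPair", "ip:inacl#1=permit udp any any eq 53"),
    ("Cisco-AVPair", "ip:inacl#3=permit tcp any any eq 80"),
    ("Cisco-AVPair", "ip:inacl#1=permit tcp any any eq 443"),  # conflicts with #1 above
    ("Cisco-AVPair", "ip:inacl=permit ip any any"),            # missing '#N'
]

# Constructed inventory of named ACLs assumed to be configured on the switch.
SWITCH_ACLS = {
    "guest-acl": ["permit udp any any eq 53", "deny ip any any"],
}

# ip:inacl#<seq>=<permit|deny> <rest of the ACE>
INACL_RE = re.compile(r"^ip:inacl#(\d+)=((?:permit|deny)\s+\S.*)$")


def parse_inacl(attrs):
    """Collect ip:inacl#N entries in sequence order.

    Returns (aces, problems). Entries that do not match the format and
    sequence numbers used twice are reported; on a conflict this checker
    keeps the first entry seen (an assumption, not switch behaviour).
    """
    entries = {}
    problems = []
    for name, value in attrs:
        if name != "Cisco-AVPair" or not value.startswith("ip:inacl"):
            continue
        m = INACL_RE.match(value)
        if m is None:
            problems.append(f"malformed av-pair: {value!r}")
            continue
        seq, ace = int(m.group(1)), m.group(2).strip()
        if seq in entries:
            problems.append(
                f"sequence #{seq} used twice: kept {entries[seq]!r}, dropped {ace!r}")
            continue
        entries[seq] = ace
    return [entries[s] for s in sorted(entries)], problems


def resolve_filter_id(attrs, switch_acls):
    """Map a Filter-Id value to an ACL on the switch.

    Returns (acl_name, aces, problems). The value is expected as '<name>.in';
    a missing suffix or an ACL the switch does not have is reported, since the
    switch cannot apply what it cannot find.
    """
    values = [v for n, v in attrs if n == "Filter-Id"]
    if not values:
        return None, [], []
    if len(values) > 1:
        return None, [], [f"multiple Filter-Id attributes: {values}"]
    value = values[0]
    if not value.endswith(".in"):
        return None, [], [f"Filter-Id {value!r} lacks the '.in' suffix"]
    acl_name = value[: -len(".in")]
    if acl_name not in switch_acls:
        return acl_name, [], [f"ACL {acl_name!r} is not configured on the switch"]
    return acl_name, list(switch_acls[acl_name]), []


def review_accept(attrs, switch_acls):
    """Summarise what the Access-Accept asks the switch to apply."""
    inacl, p1 = parse_inacl(attrs)
    name, named, p2 = resolve_filter_id(attrs, switch_acls)
    return {
        "filter_id_acl": name,
        "filter_id_aces": named,
        "avpair_aces": inacl,
        "problems": p1 + p2,
    }


if __name__ == "__main__":
    for key, val in review_accept(SAMPLE_ACCEPT, SWITCH_ACLS).items():
        print(f"{key}: {val}")
```

Running it against the constructed sample shows the three well-formed av-pair entries in sequence order and two problems (the repeated `#1` and the entry without a sequence number); swapping in the attributes your own ACS profile emits, and the ACL names from `show access-lists` on the switch, turns it into a quick pre-deployment check of an authorization profile.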

