
ACS Express 5.0 questions: downloadable ACL, RADIUS as an external database

pvladimirov
Level 1

Hi,

Could someone please answer two questions regarding ACS Express 5.0:

- Does it support downloadable ACLs (for IOS auth proxy / ASA AAA Network Access)? As far as I can see from the documentation, at least not in the form ACS supports it, but can it be configured using AV pairs on a per-user basis?

- Can it use another RADIUS server as an external authentication database? Essentially, what I need is to authenticate the user using the "parent" ACS, but apply restrictions configured in the local ACS Express.

Thank you!

2 Replies

jhillend
Level 1

To your first question: No.

To your second question: Yes, use the "One-Time-Password Server" external database option. This is really nothing more than a RADIUS request from ACS.

Thank you for the reply.

Could you please explain why it is impossible to use AV pairs on ACS Express to configure downloadable access lists? I found the following link explaining how to use AV pairs for it:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html#wp391111

It uses regular ACS as an example; however, it looks like ACS Express allows configuring AV pairs as well:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/policy.html#wp1043805

The only drawback I can see in using AV pairs instead of the full Downloadable ACL support provided by ACS via Shared Objects is that the access-list can be assigned on a per-user basis, but only once, so it will always be the same access-list for all clients.

Thank you!