ACS Express 5.0 questions: downloadable ACL, RADIUS as an external database

pvladimirov
Level 1

Hi,

Could someone please answer two questions regarding ACS Express 5.0:

- does it support downloadable ACLs (for IOS auth proxy / ASA AAA Network Access)? As I can see from the documentation, at least not in the form ACS supports it, but can it be configured using AV pairs on a per-user basis?

- can it use another RADIUS as an external authentication database? Essentially what I need is to authenticate the user using the "parent" ACS, but apply restrictions configured in the local ACS Express.

Thank you!

2 Replies

jhillend
Level 1

To your first question: No.

To your second question: Yes, use the "One-Time-Password Server" external database option. This is really nothing more than a RADIUS request from ACS.

Thank you for the reply.

Could you please explain why it is impossible to use AV pairs on ACS Express to configure downloadable access lists? I found the following link explaining how to use AV pairs for it:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html#wp391111

It uses regular ACS as an example; however, it looks like ACS Express allows configuring AV pairs as well:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_express/5.0/user/guide/policy.html#wp1043805

The only drawback I can see in using AV pairs instead of the full Downloadable ACL support provided by ACS via Shared Objects is that the access-list can be assigned on a per-user basis, but only once, so it will always be the same access-list for all clients.

Thank you!
