I want to use the feature "Downloadable IP ACLs" on a 3825 VPN-router (IOS 12.4T) in combination with an ACS.
In many documents and discussions I read that it is possible to use dACLs on "Cisco devices running IOS version 12.3(8)T or greater".
The authentication and authorization by the ACS is working and the device gets some parameters by the av-pair-feature.
I tried several things to apply the dACLs like using av-pairs or the ACS-feature "Downloadable IP ACLs", but nothing works.
In the debug log I see that the av-pair is handed to the device, but it is not used.
--> Can you tell me if it is possible to use dACLs on IOS routers?
--> How does it work? What can I change?
--> Is there a good manual to implement it?
Thanks for your help!
It would help if we knew the GOAL of what you're trying to do ...
AFAIR in mode config client does not request ACLs for filtering short of split tunnel ACLs ... and I don't have means to test right now.
If you wish to allow or not certain clients access to certain subnets, why not investigate split-tunneling ACLs and vpn-filter in combination with ACS rather than going for dACL?