06-16-2010 06:59 AM - edited 03-10-2019 05:11 PM
Hi,
(I am a bit new to some of the IOS Security features)
Is it possible to "download" an ACL from TACACS+ (ACS 5.1) or RADIUS AV pairs?
I know that the lists can be configured on ACS, but how are they applied on an IOS router?
I have read about "lock and key ACL", but the examples I have seen only use ACS to authenticate.
Also, if the lists can be downloaded, WHERE can they be applied? Would it be limited to vty?
What I ultimately want, is to have an ACL applied per user, when VPN users login to the crypto map / Tunnel interface.
Thanks
06-16-2010 07:38 PM
Yes, this is possible.
Creating, Duplicating, and Editing Downloadable ACLs
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html#wp1053438
For RADIUS you may use the Cisco A/V pair; the format of the ACL should be:
ip:inacl#
"ip:inacl#1=permit tcp any any"
HTH
JK
Do rate helpful posts-
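To make the AV-pair format above concrete, here is an added example (not part of the original thread, and not Cisco or ACS code) that parses a set of `ip:inacl#<seq>=<entry>` pairs the way a device would have to before installing them: order by sequence number, reject malformed pairs, and flag duplicate sequence numbers. The sample pairs are constructed for the example; the entry for `10.0.0.53` is a made-up address, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: Cisco AV pairs as they might be returned for one user
# in a RADIUS Access-Accept (format from the thread: ip:inacl#<seq>=<entry>).
# This is illustrative data, not real ACS output.
SAMPLE_AVPAIRS = [
    "ip:inacl#1=permit tcp any any",
    "ip:inacl#2=permit udp any host 10.0.0.53 eq domain",
    "ip:inacl#3=deny ip any any",
]

# One inbound per-user ACL entry: sequence number, action, and the rest of the line.
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\s+(.+)$")


def parse_inacl(avpairs):
    """Return (entries, problems).

    entries:  list of (seq, action, rest) sorted by seq, i.e. the order in
              which the entries would be assembled into the per-user ACL.
    problems: list of strings describing pairs that would not apply cleanly
              (malformed pair, duplicate sequence number).
    """
    entries = []
    problems = []
    for pair in avpairs:
        m = AVPAIR_RE.match(pair.strip())
        if not m:
            problems.append(f"unrecognised AV pair: {pair!r}")
            continue
        entries.append((int(m.group(1)), m.group(2), m.group(3)))

    # Two entries with the same sequence number are ambiguous: report them
    # rather than silently letting one overwrite the other.
    counts = Counter(seq for seq, _, _ in entries)
    for seq in sorted(s for s, n in counts.items() if n > 1):
        problems.append(f"duplicate sequence number {seq}")

    entries.sort(key=lambda e: e[0])  # stable sort keeps duplicates in arrival order
    return entries, problems


def render_acl(entries):
    """Render parsed entries as the ACL lines a device would install, in order."""
    return [f"{action} {rest}" for _, action, rest in entries]


def ends_with_explicit_deny(entries):
    """True when the last entry is an explicit 'deny ip any any'.

    IOS ACLs already end in an implicit deny; an explicit final deny makes
    the intended policy visible when the downloaded list is audited.
    """
    return bool(entries) and entries[-1][1] == "deny" and entries[-1][2] == "ip any any"


if __name__ == "__main__":
    parsed, issues = parse_inacl(SAMPLE_AVPAIRS)
    for line in render_acl(parsed):
        print(line)
    for issue in issues:
        print("problem:", issue)
```

Run it against the pairs your AAA server actually returns (for example from a debug capture of the Access-Accept) to see the ACL in the order it would be applied, and to catch gaps or duplicate sequence numbers before a user session depends on it.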
06-17-2010 02:12 AM
Thanks, but I already know that it IS possible in ACS.
My question is how do I *USE* this on an IOS router like a 2811 (as opposed to a PIX/ASA).
i.e. What IOS commands do I enter, and where can I enter them, to make use of such ACLs?
I can't seem to find any docs on this, and the only "lock and key" dACL example does not show how to download the ACL from ACS.
At this point, I am not sure if this feature is even supported on IOS routers, or if it's only for PIX/ASA.
Thanks