ACS 3.2 Restrict access by destination port/IP Address

Dec 29th, 2003

Can anyone suggest how I can restrict access using ACS TACACS+ to a destination port or IP Address? I restrict access by group. Each group has specific access to DMZ's on the NDG's that authorize through the ACS. Any ideas?


The ACS supports downloadable ACLs via VSAs (vendor-specific attributes).


For example, you can configure the PIX firewall for authentication against the ACS; in turn, the ACS looks up the user in a database, then looks at itself for per-user or per-group ACLs, and the PIX applies them to the config dynamically. Once the connection is closed, the ACL is removed from the config.


So you could create the standard or extended ACL and add it to the ACS user or group under NARs. But I believe you will need to enable these options: "Interface Configuration > Advanced Options > User/Group-Level Network Access Restrictions".


This link is part of the ACS 3.2 user guide.


http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html


I hope this helped.


Curt
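As an added illustration of the two halves Curt describes (this is not part of his reply or of the linked Cisco guide): the downloadable ACL as it would be defined in ACS 3.2 under Shared Profile Components, and the PIX 6.2+ cut-through-proxy configuration that makes the firewall consult the ACS before a user reaches the DMZ. The ACL name DMZ_WEB_ONLY, the server tag ACSGRP, the addresses 10.0.0.5 and 172.16.10.0/24, and the shared key are all made-up values. Because the PIX receives downloadable ACLs as RADIUS VSAs, the server entry below is defined with the radius protocol; the TACACS+ server entry used for device administration can coexist with it under a different tag.

```text
! --- ACS 3.2: Shared Profile Components > Downloadable IP ACLs ---
! Name: DMZ_WEB_ONLY  (assumed name)
! ACL definition body, extended-ACL syntax without the "access-list" keyword.
! Only web traffic to the one DMZ host (assumed address) is allowed for this group.
permit tcp any host 172.16.10.20 eq 80
permit tcp any host 172.16.10.20 eq 443
deny ip any any
! Then assign DMZ_WEB_ONLY to the group in Group Setup > Downloadable ACLs.

! --- PIX 6.2 or later: point the firewall at the ACS (assumed addresses) ---
aaa-server ACSGRP protocol radius
aaa-server ACSGRP (inside) host 10.0.0.5 SharedKey123 timeout 5
! Cut-through proxy: any inside user opening a connection to the DMZ network
! must authenticate first; the ACS then pushes the group's ACL for that session.
aaa authentication include any outbound 0 0 172.16.10.0 255.255.255.0 ACSGRP
! Drop the per-user entry five minutes after the session ends.
timeout uauth 0:05:00 absolute

! --- Verification after a user authenticates ---
! Lists the authenticated users and the downloaded ACL bound to each.
show uauth
```

The check to run after the first login is `show uauth`: if the user appears but no ACL is listed, the ACS returned an authentication success without the downloadable ACL, which usually means the ACL was not assigned to that user's group or the PIX entry in the ACS is not using the RADIUS (Cisco IOS/PIX) device type.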
