ACS 2.6 downloadable PIX ACL's tacacs+ and radius interaction
We have ACS v2.6 running and controlling our remote dial-in, router and switch access. We are now looking to add support for an internal PIX firewall and would like to use downloadable ACLs from ACS to the PIX (to control outbound traffic through the PIX for authenticated users).
We achieved this using the Cisco IOS/PIX RADIUS attribute [009\001] cisco-av-pair on ACS (and the ACL imposed access restrictions on users' access).
However, the problem we noticed is that any valid user in our CiscoSecure database or SecurID database can authenticate and be allowed access out through the firewall even though they are not authorized for this (and, as is the default on the PIX, from inside to outside they are allowed full unrestricted access).
We then imposed Network Access Restrictions on CiscoSecure ACS for our PIX, to allow only the relevant user groups access to it, but this didn't work with RADIUS, only with TACACS+ (I assume this is because RADIUS does not support authorization).
We have it working with TACACS+ and the ACS passes down the ACL number/ID to the PIX for the authorized users.
Question: As we wish to use downloadable ACLs from ACS to the PIX (for central support reasons), is this possible using TACACS+, and if so, how would we configure CiscoSecure ACS to accommodate this for the example ACL below:
access-list pix_int permit tcp any host 10.x.x.x eq 1022
access-list pix_int permit tcp any host 10.x.x.x eq 1023
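As an added illustration (not from the original post or from Cisco's documentation), the two ACL lines above expressed in the per-user `ip:inacl#` form that PIX 6.2 and later accept inside the RADIUS cisco-av-pair attribute, with a deny entry at the end of each group's list so that authenticated users who are not entitled to transit the PIX receive no access rather than the PIX default of unrestricted outbound access. Group names are assumed; `10.x.x.x` is the placeholder from the post.

```text
! ACS group "pix-users" (assumed name): RADIUS [009\001] cisco-av-pair values, one per line
ip:inacl#1=permit tcp any host 10.x.x.x eq 1022
ip:inacl#2=permit tcp any host 10.x.x.x eq 1023
ip:inacl#3=deny ip any any

! ACS group for every other user who can authenticate but must not pass the PIX (assumed name "no-pix")
ip:inacl#1=deny ip any any
```

The deny-only entry on the non-entitled group is the RADIUS-side substitute for the Network Access Restriction the post reports working only with TACACS+; it still relies on every ACS group that can reach the PIX carrying some `ip:inacl#` value, so check each group rather than only the ones you intend to permit.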