Cisco Support Community
New Member

ACS 2.6 downloadable PIX ACLs: TACACS+ and RADIUS interaction

We have ACS v2.6 running and controlling our remote dial-in, router and switch access. We are now looking to add support for an internal PIX firewall and would like to use downloadable ACLs from ACS to the PIX (to control outbound traffic through the PIX for authenticated users).

We achieved this using the Cisco IOS/PIX RADIUS attribute [009\001] cisco-av-pair on ACS (and the ACL imposed access restrictions on users' access).

However, the problem we noticed is that any valid user in our CiscoSecure database or SecurID database can authenticate and be allowed access out through the firewall even though they are not authorized for this (and, as is the default on the PIX, traffic from inside to outside is allowed full unrestricted access).

We then imposed network access restrictions on CiscoSecure ACS for our PIX, to allow only the relevant user groups access to it, but this didn't work with RADIUS, only TACACS+ (I assume this is because RADIUS does not support authorization).

We have it working with TACACS+ and the ACS passes down the ACL number/ID to the PIX for the authorized users.

Question: As we wish to use downloadable ACLs from ACS to the PIX (for central support reasons), is this possible using TACACS+, and if so how would we configure CiscoSecure ACS to accommodate this for the example ACL below:

access-list pix_int permit tcp any host 10.x.x.x eq 1022

access-list pix_int permit tcp any host 10.x.x.x eq 1023

Thanks

1 ACCEPTED SOLUTION

Cisco Employee

Re: ACS 2.6 downloadable PIX ACLs: TACACS+ and RADIUS interaction

Downloadable ACLs only work with RADIUS, as described here:

http://www.cisco.com/warp/public/110/atp52.html#new_per_user

You can continue to define the ACL on the PIX itself and just pass the ACL number down via TACACS (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you can't actually pass the entire ACL down via TACACS, sorry.

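As an added illustration of the two approaches described in the reply (not configuration from this thread or from the linked Cisco documentation), here is the PIX side of each method next to the attribute ACS returns for it. The host and ACS addresses, the shared key and the server tag are placeholders, PIX 6.x command syntax is assumed, and lines starting with `!` are commentary rather than configuration.

```text
! --- Method 1: TACACS+ (what the thread already has working) ---
! The ACL body is defined on the PIX; ACS only returns the ACL name.
access-list pix_int permit tcp any host 10.0.0.10 eq 1022
access-list pix_int permit tcp any host 10.0.0.10 eq 1023
aaa-server AuthOut protocol tacacs+
aaa-server AuthOut (inside) host 10.0.0.5 PLACEHOLDER_KEY timeout 10
aaa authentication include any outbound 0 0 0 0 AuthOut
aaa authorization include any outbound 0 0 0 0 AuthOut
!
! ACS, TACACS+ Settings -> Shell (exec) ACL field, on the authorized group only:
!   acl=pix_int
! Groups that should not reach the outside get no acl attribute, and the
! ACS network access restriction (which works for TACACS+) keeps them out.

! --- Method 2: RADIUS, the only transport that carries the ACL itself ---
! (alternative to Method 1: a server tag uses one protocol, not both)
aaa-server AuthOut protocol radius
aaa-server AuthOut (inside) host 10.0.0.5 PLACEHOLDER_KEY timeout 10
aaa authentication include any outbound 0 0 0 0 AuthOut
!
! ACS, [009\001] cisco-av-pair on the authorized group, one entry per ACE:
!   ip:inacl#1=permit tcp any host 10.0.0.10 eq 1022
!   ip:inacl#2=permit tcp any host 10.0.0.10 eq 1023
!   ip:inacl#3=deny ip any any
! Because network access restrictions do not apply to RADIUS here, every
! user who authenticates is cut through; give the default group a
! cisco-av-pair of ip:inacl#1=deny ip any any so unauthorized users get
! a deny-all ACL rather than the PIX's unrestricted inside-to-outside default.
```

The trailing deny entries make the intended scope explicit in ACS rather than relying on implicit-deny behaviour on the PIX.
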
2 REPLIES

New Member

Re: ACS 2.6 downloadable PIX ACLs: TACACS+ and RADIUS interaction

Thanks for the reply, Glenn.

Confirms what we were thinking.
