Cisco Support Community
New Member

ACS 3.2 Restrict access by destination port/IP Address

Can anyone suggest how I can restrict access using ACS TACACS+ to a destination port or IP address? I restrict access by group. Each group has specific access to DMZs on the NDGs that authorize through the ACS. Any ideas?

New Member

Re: ACS 3.2 Restrict access by destination port/IP Address

The ACS supports downloadable ACLs via VSAs (vendor-specific attributes).

For example, you can configure the PIX firewall for authentication against the ACS; in turn, the ACS looks up the user in a database, then looks at itself for per-user or per-group ACLs, and the PIX applies them to the config dynamically. Once the connection is closed, the ACL is removed from the config.

So you could create the standard or extended ACL and add it to the ACS user or group under NARs. But I believe you will need to enable these options: Interface Configuration > Advanced Options > User-Level / Group-Level Network Access Restrictions.

This link is part of the ACS 3.2 user guide.

I hope this helped.
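For readers who want to see the PIX side of what the reply describes, here is an added example of a PIX cut-through proxy configuration that authenticates and then authorizes each connection from an inside subnet to a DMZ against an ACS over TACACS+. It is not configuration from either poster or from the ACS user guide; PIX 6.3 syntax is assumed, and the server tag "ACS", the addresses 10.1.1.5, 10.1.2.0/24 and 192.168.10.0/24, the interface names and the shared key are placeholders. The per-group allow/deny decision for a given destination and port is made on the ACS in the group's TACACS+ settings, which is why the poster points at the Interface Configuration options that expose those group-level restrictions. One caveat: the downloadable ACL feature the reply mentions (Shared Profile Components > Downloadable PIX ACLs) is delivered to the PIX over RADIUS, so a deployment relying on it would define the aaa-server group with `protocol radius`; the TACACS+ configuration below uses per-connection authorization instead.

```cisco
! Added example, not from the original thread. PIX 6.3 syntax assumed;
! addresses, interface names, server tag and key are placeholders.

! 1. Point the PIX at the ACS over TACACS+ (server tag "ACS" is an assumed name).
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.5 s3cr3tkey timeout 5

! 2. Cut-through proxy: hosts on 10.1.2.0/24 must authenticate to the ACS
!    before any connection toward the DMZ 192.168.10.0/24 is allowed.
!    "any" intercepts all TCP; the PIX can only prompt on Telnet, FTP and HTTP,
!    so users authenticate with one of those first and other sessions then pass.
aaa authentication include any inside 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0 ACS

! 3. Per-connection authorization: each new connection in the listed services
!    is sent to the ACS, which permits or denies it according to the user's
!    group policy. Listing services individually (rather than "any") limits
!    authorization traffic to the ports you actually want controlled.
aaa authorization include tcp/23 inside 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0 ACS
aaa authorization include tcp/22 inside 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0 ACS

! 4. Static interface ACL for destinations that must be blocked for every
!    user, so the firewall policy does not depend solely on the AAA server.
access-list inside_out deny tcp any 192.168.10.0 255.255.255.0 eq 3389
access-list inside_out permit ip 10.1.2.0 255.255.255.0 any
access-group inside_out in interface inside
```

With this in place, a user in a group the ACS permits to reach 192.168.10.0/24 on tcp/23 gets through after authenticating once, while a user in a group without that permission is denied at the authorization step even though both passed authentication; anything matched by the static deny never reaches the AAA exchange at all.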

