
New Member

ACS 3.3, downloadable ACLs

I am trying to configure downloadable ACLs for the users and groups that will be accessing our network via RA VPN on an ASA5510.

Currently everything is working with the exception of the downloadable ACL component restricting the traffic.

The RA config has been in place for a while using the Cisco client through the ASA.

I have the ACL configured per the syntax shown, and the ACL is applied to a test user, but I can still get to everything beyond what the ACL is restricting.

The tunnel groups are configured to use TACACS and not RADIUS for authentication.

I read that one of the requirements was that the authentication had to be RADIUS to use the downloadable ACL with the ACS.

Would it be easier to restrict the groups directly in the ASA appliance in the RA tunnel config?

4 REPLIES
Gold

Re: ACS 3.3, downloadable ACLs

yes, you need to use Radius.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml

in your case, you can either switch to radius or use the vpn-filter feature on the ASA - whichever one is best suited to your environment.

New Member

Re: ACS 3.3, downloadable ACLs

Thanks for the reply,

Is there any benefit to using TACACS over RADIUS?

Also, is there any way to log the RA VPN connections with the ASA?

Like accounting for example?

I would like to be able to look at the time and duration of a RA VPN tunnel via a log file.

We are doing Accounting and Administration of our network devices.

We had 3005 VPN Concentrators and you could peruse log files that showed connection times and the duration of the connection.

It seems you can only see the successful login via TACACS for the RA VPN users.

Gold

Re: ACS 3.3, downloadable ACLs

here are the asa/pix syslog IDs of relevant start/stop messages for remote ipsec vpn sessions.

713120

713050

113019

i'm not sure offhand what kind of accounting can be done through typical AAA.
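One way to get the connection time and duration the original poster asked for, as an added example that is not from this thread: a small Python script that correlates the three syslog IDs above per user and peer IP. The sample log lines are constructed, and the wording of the message bodies (the Group/Username/IP prefix and the Duration field) is an assumption modelled on the ASA syslog format, so adjust the regexes to your own logging output.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the thread); the message bodies
# follow the general ASA layout but the exact field wording is an assumption.
SAMPLE_LOG = """\
Mar 10 2008 08:01:12 asa5510 %ASA-6-713120: Group = ravpn, Username = jdoe, IP = 203.0.113.5, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Mar 10 2008 08:02:00 asa5510 %ASA-6-713120: Group = ravpn, Username = asmith, IP = 203.0.113.9, PHASE 2 COMPLETED (msgid=0a1b2c4e)
Mar 10 2008 08:47:30 asa5510 %ASA-6-113019: Group = ravpn, Username = jdoe, IP = 203.0.113.5, Session disconnected. Session Type: IPsec, Duration: 0h:46m:18s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested
Mar 10 2008 09:15:03 asa5510 %ASA-5-713050: Group = ravpn, Username = asmith, IP = 203.0.113.9, Connection terminated for peer asmith.  Reason: Peer Terminate  Remote Proxy 10.1.1.1, Local Proxy 10.0.0.0
"""

# Timestamp, six-digit message ID, and the rest of the message body.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
                     r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
FIELD_RE = re.compile(r"Username = (?P<user>\S+?),.*?IP = (?P<ip>[\d.]+)")
DUR_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")

START_IDS = {"713120"}           # phase 2 complete: tunnel is up
STOP_IDS = {"113019", "713050"}  # session disconnected / connection terminated


def parse_sessions(text):
    """Pair start and stop messages per (user, peer IP); return completed sessions."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        f = FIELD_RE.search(m["body"]) if m else None
        if not f:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (f["user"], f["ip"])
        if m["id"] in START_IDS:
            open_sessions[key] = ts
        elif m["id"] in STOP_IDS and key in open_sessions:
            start = open_sessions.pop(key)
            d = DUR_RE.search(m["body"])
            # Prefer the ASA's own Duration field (113019); otherwise (713050)
            # fall back to the difference between start and stop timestamps.
            if d:
                h, mi, s = map(int, d.groups())
                duration = h * 3600 + mi * 60 + s
            else:
                duration = int((ts - start).total_seconds())
            sessions.append({"user": f["user"], "ip": f["ip"], "start": start,
                             "stop": ts, "duration_s": duration, "stop_id": m["id"]})
    return sessions


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f"{s['user']}@{s['ip']}: {s['start']} -> {s['stop']} ({s['duration_s']}s, {s['stop_id']})")
```

Sessions that are still open at the end of the log (a start with no matching stop) are simply left in `open_sessions`, so a missing 113019/713050 shows up as an absent row rather than a bogus duration.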
