Catalyst 3750 , ACS and Downloadable IP ACL

jalmanza_82
Level 1

Hi,

We installed ACS v4.1 and were trying to limit access for authenticated users by using Downloadable IP ACLs on a Catalyst 3750 running IOS version ipbasek9-mz.122-25.SEE4. The authentication part works fine with an external database (Windows AD), but we want to limit network access for some groups.

Can this be done using Downloadable IP ACLs?

Thanks for any help

3 Replies

Jagdeep Gambhir
Level 10

Yes, DACLs can be used here. To use a downloadable IP ACL on a particular AAA client, the AAA client must:

- Use RADIUS for authentication.
- Support downloadable IP ACLs.

Examples of Cisco devices that support downloadable IP ACLs are:

- PIX Firewalls
- VPN 3000-series concentrators, ASA and PIX devices
- Cisco devices running IOS version 12.3(8)T or greater

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp696809

Please note that downloadable ACLs are not supported on Cat-based switches.

If downloadable ACLs through a shared profile don't work, define a Cisco av-pair to create the downloadable ACLs.

Give this a try and see if it works. The format for the av-pair ACL is, for example:

ip:inacl#1=permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255

Regards,

~JG

Do rate helpful posts.

JG, I did the shared profile configuration, but I didn't do anything on the Catalyst 3750 except these commands:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
dot1x system-auth-control
.
.
interface fas1/0/7
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout reauth-period 60
 dot1x reauthentication
radius-server host 10.1.0.19 auth-port 1645 acct-port 1646 key cisco
radius-server source-ports 1645-1646
!

Do I need to configure something else in the switch ?

Thanks for any help

This "Downloadable IP ACL" does NOT work on a 3750 on ports enabled for 802.1X. For 802.1X, you have two choices:

1) Use the Filter-ID attribute from RADIUS, and download the name/number of an ACL that's already configured on the switch.

2) Configure the [026\009\001] directly with the needed ACL.

This will help:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750/software/release/12.2_25_sea/configuration/guide/sw8021x.html#wp1065459
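As an added worked example (not code from this thread, from ACS, or from Cisco), the block below shows what the two options in the last reply, and the av-pair format in the first reply, look like on the wire in a RADIUS Access-Accept: Filter-Id is plain attribute 11, and the cisco-av-pair the reply writes as [026\009\001] is attribute 26 (Vendor-Specific) with Vendor-Id 9 and vendor-type 1, laid out as in RFC 2865. The ACL name EMPLOYEES_ACL, the .in suffix on it (assumed here to be how the switch marks an inbound Filter-Id ACL, per the linked guide), and the two ACEs in SAMPLE_ACES are constructed for illustration; only the first ACE comes from the thread.

```python
import struct

# RADIUS attribute numbers (RFC 2865) and the Cisco VSA coordinates the thread
# writes as [026\009\001]: attribute 26, Vendor-Id 9, vendor-type 1 (cisco-av-pair).
RADIUS_FILTER_ID = 11
RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_TYPE = 1

# Constructed sample ACEs: the one from the thread plus an explicit final deny.
SAMPLE_ACES = [
    "permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255",
    "deny ip any any",
]


def encode_attr(attr_type, value):
    """Encode one RADIUS TLV: 1-byte type, 1-byte total length, value (<= 253 bytes)."""
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def filter_id(acl_name):
    """Option 1: Filter-Id (11) naming an ACL that already exists on the switch."""
    return encode_attr(RADIUS_FILTER_ID, acl_name.encode("ascii"))


def cisco_avpair(avpair):
    """Option 2: one cisco-av-pair VSA (26 / vendor 9 / type 1) carrying e.g. ip:inacl#1=..."""
    payload = avpair.encode("ascii")
    # Vendor-Id (4) + vendor-type (1) + vendor-length (1) leave 247 bytes for the string.
    if len(payload) > 247:
        raise ValueError("av-pair too long for a single VSA; split the ACL over more #N entries")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, len(payload) + 2) + payload
    return encode_attr(RADIUS_VENDOR_SPECIFIC, vsa)


def inacl_avpairs(aces):
    """Emit one ip:inacl#N= av-pair per ACE, numbered from 1 as in the thread's example."""
    return b"".join(cisco_avpair(f"ip:inacl#{n}={ace}") for n, ace in enumerate(aces, 1))


def decode_attrs(data):
    """Walk a run of RADIUS attributes, checking every length field before trusting it."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, off)
        if length < 2 or off + length > len(data):
            raise ValueError("attribute length field does not fit the buffer")
        value = data[off + 2:off + length]
        off += length
        if attr_type == RADIUS_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA shorter than its vendor header")
            vendor, vtype, vlen = struct.unpack_from("!IBB", value, 0)
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_TYPE:
                if vlen != len(value) - 4:
                    raise ValueError("vendor-length disagrees with attribute length")
                out.append(("cisco-av-pair", value[6:].decode("ascii")))
            else:
                out.append(("vsa", vendor, value[4:]))  # other vendors: left opaque
        elif attr_type == RADIUS_FILTER_ID:
            out.append(("Filter-Id", value.decode("ascii")))
        else:
            out.append((attr_type, value))
    return out


def extract_inacl(attrs):
    """Reassemble the inbound ACL from decoded cisco-av-pairs, ordered by their #N index."""
    numbered = []
    for item in attrs:
        if item[0] != "cisco-av-pair" or not item[1].startswith("ip:inacl#"):
            continue
        index, _, ace = item[1][len("ip:inacl#"):].partition("=")
        numbered.append((int(index), ace))
    return [ace for _, ace in sorted(numbered)]


def is_well_formed(data):
    """True if every attribute in the run parses with consistent lengths."""
    try:
        decode_attrs(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    option1 = filter_id("EMPLOYEES_ACL.in")      # hypothetical ACL name; must exist on the switch
    option2 = inacl_avpairs(SAMPLE_ACES)         # ACEs travel inside the Access-Accept itself
    print("Filter-Id bytes:", option1.hex())
    print("Reassembled inbound ACL:", extract_inacl(decode_attrs(option2)))
```

The two options differ in where the ACEs live: with Filter-Id the server only sends a name, so the ACL has to be configured on the 3750 beforehand and kept in sync with ACS; with ip:inacl#N= the ACEs ride inside the RADIUS reply, one VSA per ACE, and a long ACL simply becomes more numbered av-pairs because each VSA string is capped at 247 bytes. The decoder's length checks are the same ones a switch or a packet-capture tool has to make before acting on a reply.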
