Cisco Support Community
New Member

Downloadable Access-list

HI,

I have created a one-line downloadable access-list in Cisco ACS to deny a host: deny tcp any host 192.168.115.1 eq 22, and assigned it to a user and group. When I try SSH it should be denied, but it works. Thx for the help in advance

4 REPLIES

Re: Downloadable Access-list

Hi,

What platform is requesting the ACL? Is the ACL actually downloading? (show access-lists should show an access-list starting with #ACSACL#.)

Do you have the keyword "per-user-override" defined on the access-group?

HTH

Andrew.

New Member

Re: Downloadable Access-list

It is Windows XP running an SSH client to connect to the Cisco devices. The downloadable access-list is created using the Cisco ACS server. Thanks for your help

Re: Downloadable Access-list

Hi,

A downloadable ACL can only be downloaded to an AAA client that supports it (i.e. PIX/ASA/router/etc.), so I was just wondering what AAA client is configured to request the ACL?

Andrew.

Silver

Re: Downloadable Access-list

There are a few things you can check:

1) The device is typed in the network config correctly... it must be a device that supports DACLs.

2) If you run csradius -z -p from the command line, you should see the Access-Accept include a Cisco VSA that gives the device the name of the DACL.

3) You should then see a further access request from the device to pull down the DACL content.

Darran
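The two device-side checks the replies ask for (an #ACSACL# entry in show access-lists, and per-user-override on the access-group) can be run over saved command output. This is an added example, not code from the thread or from Cisco; the ASA-style sample lines are constructed to resemble the case in the question and are not the poster's real output.

```python
import re

# Constructed sample output in ASA style (assumed format, not captured from a real device).
SHOW_ACCESS_LISTS = """\
access-list outside_in line 1 extended permit tcp any host 192.168.115.1 eq 22 (hitcnt=12)
access-list #ACSACL#-IP-deny_ssh_host-4a5b6c7d line 1 extended deny tcp any host 192.168.115.1 eq 22 (hitcnt=0)
"""

# Constructed running-config fragment: the access-group has no per-user-override keyword.
RUNNING_CONFIG = """\
access-group outside_in in interface outside
"""

DACL_PREFIX = "#ACSACL#"  # ACS-downloaded ACLs carry this prefix, as the first reply notes


def downloaded_dacls(show_access_lists: str) -> list:
    """Return the names of ACLs that were downloaded from ACS (prefix #ACSACL#)."""
    names = []
    for line in show_access_lists.splitlines():
        m = re.match(r"access-list\s+(\S+)", line)
        if not m:
            continue
        name = m.group(1).rstrip(";")  # summary lines end the name with ';'
        if name.startswith(DACL_PREFIX) and name not in names:
            names.append(name)
    return names


def access_groups_without_override(running_config: str) -> list:
    """Return interfaces whose inbound access-group lacks per-user-override."""
    missing = []
    for line in running_config.splitlines():
        m = re.match(r"access-group\s+\S+\s+in\s+interface\s+(\S+)(.*)", line)
        if m and "per-user-override" not in m.group(2):
            missing.append(m.group(1))
    return missing


def diagnose(show_access_lists: str, running_config: str) -> str:
    """Map the findings onto the checklist from the replies."""
    if not downloaded_dacls(show_access_lists):
        return "no DACL downloaded: check the AAA client type and the RADIUS Access-Accept VSA"
    missing = access_groups_without_override(running_config)
    if missing:
        return "DACL downloaded but per-user-override missing on: " + ", ".join(missing)
    return "DACL downloaded and per-user-override set"


if __name__ == "__main__":
    print(diagnose(SHOW_ACCESS_LISTS, RUNNING_CONFIG))
```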
