Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Downloadable ACL on Cisco IOS router (from ACS) ?


(I am a bit new to some of the IOS Security features)

Is it possible to "download" and ACL from TACACS+ (ACS 5.1) OR RADIUS AV Pairs ?

       I know that the lists can be configured on ACS, but how are they applied on a IOS router ?

I have read about "lock and key ACL" , but the examples I have seen only use ACS to authenticate.

Also, if the lists can be downloaded, WHERE can they be applied ? Would it be limited to vty ?

         What I ultimately want, is to have an ACL applied per user, when VPN users login to the crypto map / Tunnel interface.


Cisco Employee

Re: Downloadable ACL on Cisco IOS router (from ACS) ?

Yes, this is possible.

Creating, Duplicating, and Editing Downloadable ACLs

For radius you may use the Cisco A/V pair, the format of ACL should be,


"ip:inacl#1=permit tcp any any"



Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: Downloadable ACL on Cisco IOS router (from ACS) ?

Thanks, but I already know that it IS possible in ACS.

My question is how do I *USE* this on an IOS router like a 2811. (As opposed to a PIX/ASA)

i.e What IOS commands do I enter, and where can I enter them, to make use of such ACLs.

I cant seem to find any docs on this, and the only "lock and key" dACL example, does not show how to download the ACL

from ACS.

At this point, I am not sure if this feature is even supported on IOS routers, or if its only for PIX/ASA


CreatePlease to create content