Cisco Support Community

New Member

Dynamic ACLs on PIX for VPN clients

Has anybody implemented the following solution?

- PIX 6.2 or 6.3

- CS ACS 3.x

- VPN Clients 3.x or 4.x

VPN clients are authenticated using RADIUS when establishing the VPN session to the PIX. I want a predefined ACL to be dynamically assigned to the PIX by the ACS for that VPN session.

The CCO documentation on dynamic ACLs refers to authentication via an HTTP front-end. I want to avoid this as the VPN users are already authenticated during the set-up of the VPN session.

Any help or advice is much appreciated.

Regards,

Daithi

1 REPLY
Cisco Employee

Re: Dynamic ACLs on PIX for VPN clients

You can do this on ACS either using a RADIUS AV pair or the Downloadable ACL section. The following link describes each of these in detail:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/config/radacl.htm

The setup on the PIX is just using RADIUS for XAuth, and when the PIX receives the ACL from ACS it will apply it to that user. PIX config is as shown here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
