Cisco Support Community
ACS Server 6.0

Hi,

I just read that downloadable ACLs do not work for VPN users and that it only helps in passthrough authentication. The workaround solution was to define the ACL on the PIX and send down the ACL number on the ACS server. I have been looking through the various options and could not locate the option for assigning the ACL number. All I see is an option to assign downloadable ACLs.

I would appreciate it if you guys could help me out.

Thanks

Karthik Krishnamurthy

2 REPLIES

Re: ACS Server 6.0

Hi KK,

Here's how you do it:

Beginning with PIX software release 5.2, we can define access lists on the PIX, then apply them on a per-user basis based on the user profile on the server. TACACS+ requires authentication and authorization. RADIUS requires authentication only. In our example, we changed outbound authentication and authorization to TACACS+ and set up an access list on the PIX.

Note: Starting in PIX Version 6.0.1, if using RADIUS, the access-lists can also be implemented by entering the list in standard IETF RADIUS attribute 11 (Filter-Id) [CSCdt50422]. In this example, attribute 11 could be set to 115 in lieu of doing the vendor-specific "acl=115" verbiage.

PIX Configuration

access-list 115 permit tcp any host 99.99.99.2 eq telnet
access-list 115 permit tcp any host 99.99.99.2 eq www
access-list 115 permit tcp any host 99.99.99.2 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq www
access-list 115 deny tcp any host 99.99.99.3 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq telnet

CiscoSecure NT TACACS+

To add authorization to the PIX to control where the user can go with access lists, check shell/exec, check the Access control list box, and fill in the number (matches the access list number on the PIX).

CiscoSecure NT RADIUS

Radius/Cisco is the device-type. Our "pixa" user needs a username, a password, and "acl=115" checked and entered in the Cisco/Radius rectangular box where it says 009\001 AV-Pair (vendor-specific).

For more info, see:

Performing Authentication, Authorization, and Accounting of Users Through PIX Versions 5.2 and Later

http://www.cisco.com/warp/public/110/atp52.html#pix-config

HTH

Jeff
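The reply above describes two RADIUS forms for handing the PIX the name of an access-list it already has: the IETF Filter-Id attribute (11) carrying "115", or a Cisco Vendor-Specific attribute (26, vendor ID 9, sub-type 1 Cisco-AVPair, the "009\001" box in ACS) carrying "acl=115". The following is an added example, not code from the post, from Cisco, or from ACS: it encodes and decodes those two attribute forms as they would appear in an Access-Accept, and then checks each referenced name against the PIX configuration, since the workaround only works if the access-list exists on the PIX. The attribute and vendor numbers are from RFC 2865 and Cisco's registered vendor ID; the config text reuses access-list 115 from the reply; the packet bytes, function names and the "report both forms" behaviour (the post does not say which form the PIX prefers when both are present) are assumptions made for this example.

```python
"""Added example: build and inspect the RADIUS attributes that hand a PIX
a locally defined access-list name, then check that name against the PIX
configuration. Attribute numbers are from RFC 2865 (Filter-Id = 11,
Vendor-Specific = 26) and Cisco's registered vendor ID 9 / sub-type 1
(Cisco-AVPair, the "009\\001" box in ACS). The PIX config text is the
access-list 115 from the reply; everything else is constructed here."""
import re
import struct

FILTER_ID = 11          # IETF Filter-Id, carries "115" on PIX 6.0.1 and later
VENDOR_SPECIFIC = 26    # wraps the Cisco AV-pair
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1        # vendor sub-type; value looks like "acl=115"


def encode_filter_id(acl_name):
    """Filter-Id attribute: type, length, string (RFC 2865 section 5.11)."""
    value = acl_name.encode()
    return struct.pack("!BB", FILTER_ID, 2 + len(value)) + value


def encode_cisco_avpair(avpair):
    """Vendor-Specific attribute carrying one Cisco-AVPair string."""
    value = avpair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub


def decode_attributes(blob):
    """Walk a RADIUS attribute list and return (type, vendor, subtype, value)
    tuples, rejecting truncated or inconsistent lengths instead of guessing."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            attrs.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, None, None, value))
        i += alen
    return attrs


def acl_references(attrs):
    """Access-list names the server handed down, in either form, de-duplicated.
    The post does not say which form the PIX prefers when both are present
    (an assumption of this example), so both are reported."""
    names = []
    for atype, vendor, vtype, value in attrs:
        text = value.decode("ascii", errors="replace")
        if atype == FILTER_ID:
            names.append(text)
        elif (atype == VENDOR_SPECIFIC and vendor == CISCO_VENDOR_ID
              and vtype == CISCO_AVPAIR and text.startswith("acl=")):
            names.append(text[len("acl="):])
    return list(dict.fromkeys(names))


def defined_acls(pix_config):
    """Names of every access-list that has at least one entry in the config."""
    return set(re.findall(r"^\s*access-list\s+(\S+)\s", pix_config, re.M))


def check_access_accept(attr_blob, pix_config):
    """Return (referenced, missing): ACLs the Access-Accept names, and the
    subset the PIX cannot apply because it has no such access-list."""
    referenced = acl_references(decode_attributes(attr_blob))
    present = defined_acls(pix_config)
    return referenced, [n for n in referenced if n not in present]


# Constructed sample: the ACL from the reply, as it would sit in the PIX config.
SAMPLE_PIX_CONFIG = """\
access-list 115 permit tcp any host 99.99.99.2 eq telnet
access-list 115 permit tcp any host 99.99.99.2 eq www
access-list 115 permit tcp any host 99.99.99.2 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq www
access-list 115 deny tcp any host 99.99.99.3 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq telnet
"""

# Constructed Access-Accept attribute list naming ACL 115 both ways.
SAMPLE_ACCEPT = encode_cisco_avpair("acl=115") + encode_filter_id("115")

if __name__ == "__main__":
    print(check_access_accept(SAMPLE_ACCEPT, SAMPLE_PIX_CONFIG))
    print(check_access_accept(encode_filter_id("120"), SAMPLE_PIX_CONFIG))
```

Running the block prints `(['115'], [])` for the sample and `(['120'], ['120'])` for an Access-Accept that names an ACL the PIX does not have, which is the silent failure case to look for when the profile is set up but the user still gets no access-list applied.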

Re: ACS Server 6.0

Thanks. I will definitely try that today and will let you know if it worked.

Karthik.
