Downloadable ACL

Hi,

I have configured a downloadable PIX access list with ACS 3.1 and PIX 6.3 using RADIUS attributes. It is working, but it uses ANY as the source for the ACL. Instead of ANY I would like to have just the HOST IP address. The host IP address is allocated from the pool defined on the PIX, so it is not known and I cannot put it in the ACL on the ACS server manually.

I saw some time ago that it is possible, but I cannot find now how to configure it.

I appreciate your input a lot. Thanks

2 Replies

gfullage (Cisco Employee)

The ACL is always entered as "any" in ACS, and that's how it looks when it's downloaded to the PIX. However, this downloadable ACL is applied per user, and each user is mapped to one IP address, so in effect, even though the ACL says "any", it is only ever applied to the one IP address the user authenticated from.

A "sho uauth" command will show which users/IP addresses are authorized to do what.

I guess if you knew one user was always going to authenticate from the same internal IP address, you could apply a PIX downloadable ACL with that IP address as the source, but it's really not necessary. Don't think the ACL is applied to the inside interface; it's not, it's applied to that user's session and only that user's session.
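
The reply above describes two separate things the PIX does: it parses the per-user ACL that ACS returns as RADIUS cisco-av-pair attributes (ip:inacl#<n>=<ace>), and it attaches that ACL to the uauth entry of the one source IP address the user authenticated from, so the "any" source in the ACL is scoped by the session binding rather than by the ACE text. The following Python model is an added example, not code from the original thread, from Cisco or from the poster; the RADIUS replies and addresses are constructed sample data, the Pix class is a hypothetical stand-in for the uauth table, and it deliberately ignores interface ACLs and uauth timeouts to isolate the per-user path.

```python
"""Model of how a PIX applies a per-user downloadable ACL.

The ACL arrives from ACS as RADIUS cisco-av-pair attributes of the form
ip:inacl#<n>=<ace>.  Its source is written as "any", but the PIX attaches
it to the uauth entry of the single IP address the user authenticated
from, so only traffic from that address is ever evaluated against it.
This is an illustrative model, not PIX code.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the av-pairs ACS would return for two users.
RADIUS_REPLIES = {
    "alice": [
        "ip:inacl#1=permit tcp any host 10.1.1.10 eq 80",
        "ip:inacl#2=permit tcp any host 10.1.1.10 eq 443",
        "ip:inacl#3=deny ip any any",
    ],
    "bob": [
        "ip:inacl#1=permit tcp any host 10.1.1.20 eq 22",
        "ip:inacl#2=deny ip any any",
    ],
}

# Subset of ACE syntax sufficient for the sample above.
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str            # "any" or a single host address
    dst: str
    port: Optional[int]


def parse_downloadable_acl(av_pairs):
    """Order the ip:inacl#<n>= entries by <n> and parse each ACE."""
    entries = []
    for pair in av_pairs:
        m = re.match(r"^ip:inacl#(\d+)=(.*)$", pair)
        if not m:
            raise ValueError(f"not a downloadable ACL av-pair: {pair}")
        ace_m = ACE_RE.match(m.group(2).strip())
        if not ace_m:
            raise ValueError(f"unsupported ACE syntax: {m.group(2)}")
        g = ace_m.groupdict()
        entries.append((int(m.group(1)), Ace(
            g["action"], g["proto"],
            g["src"].split()[-1], g["dst"].split()[-1],
            int(g["port"]) if g["port"] else None)))
    entries.sort(key=lambda e: e[0])
    return [ace for _, ace in entries]


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)


def acl_permits(acl, src, dst, proto, dport):
    """First-match evaluation with Cisco's implicit deny at the end."""
    for ace in acl:
        if ((ace.proto == "ip" or ace.proto == proto)
                and _addr_matches(ace.src, src)
                and _addr_matches(ace.dst, dst)
                and (ace.port is None or ace.port == dport)):
            return ace.action == "permit"
    return False  # implicit deny


@dataclass
class Pix:
    """Hypothetical uauth table: authenticated source IP -> (user, ACL)."""
    uauth: dict = field(default_factory=dict)

    def authenticate(self, user, src_ip):
        # Stand-in for the RADIUS exchange with ACS on successful auth.
        self.uauth[src_ip] = (user, parse_downloadable_acl(RADIUS_REPLIES[user]))

    def permits(self, src, dst, proto, dport):
        """Only traffic from an authenticated address reaches that user's ACL."""
        if src not in self.uauth:
            return False  # no uauth entry, so no downloaded ACL applies
        _, acl = self.uauth[src]
        return acl_permits(acl, src, dst, proto, dport)

    def show_uauth(self):
        """Rough analogue of 'show uauth': who is bound to which address."""
        return [f"user '{u}' at {ip}: {len(acl)} ACE(s)"
                for ip, (u, acl) in self.uauth.items()]


if __name__ == "__main__":
    pix = Pix()
    pix.authenticate("alice", "192.168.10.5")
    pix.authenticate("bob", "192.168.10.6")
    print("\n".join(pix.show_uauth()))
    # alice's "any" ACE only fires for traffic sourced from 192.168.10.5
    print(pix.permits("192.168.10.5", "10.1.1.10", "tcp", 80))   # True
    print(pix.permits("192.168.10.7", "10.1.1.10", "tcp", 80))   # False, no session
```

The lookup order is the point: the source address is first matched against the uauth table, and only then is the ACL evaluated, which is why "any" in the downloaded ACE never widens the scope beyond the authenticated host. The flip side, which follows from the same binding, is that the authorization is keyed on the IP address rather than on the user, so any host holding that address while the uauth entry is alive inherits that user's ACL.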

mhoda (Level 5)