05-02-2003 05:31 PM - edited 02-20-2020 09:21 PM
Hi,
I have configured a downloadable PIX access-list with ACS 3.1 and PIX 6.3 using RADIUS attributes. It is working, but it uses ANY as the source for the ACL. Instead of ANY, I would like to have just the HOST IP address. The host IP address is allocated from the pool defined on the PIX, so it is not known and I cannot put it in the ACL on the ACS server manually.
I saw some time ago that it is possible, but I cannot find now how to configure it.
I would appreciate your input a lot. Thanks
05-04-2003 09:38 PM
The ACL is always entered as "any" in ACS, and that's how it looks when it's downloaded to the PIX. However, this downloadable ACL is applied per user, and each user is mapped to one IP address, so in effect, even though the ACL says "any", it's always only applied to that one IP address where the user authenticated from.
A "sho uauth" command will explain which users/IP addresses are authorized to do what.
I guess if you knew one user was always going to authenticate from the same internal IP address, you could apply a PIX downloadable ACL with that IP address as the source, but it's really not necessary. Don't think the ACL is applied to the inside interface; it's not. It's applied to that user's session and only that user's session.
05-10-2003 09:51 AM
Please refer to this link to see how to configure it. Thanks,
Mynul