
New Member

downloadable ACL

Hi guys,

I'm configuring an ACS 4.0 server and a PIX with IOS 6.3 to authenticate the users and not their IP addresses. I have configured ACS and the PIX to authenticate the users from Microsoft Active Directory and everything seems to work very well.

Now I want to put some ACLs in place.

I have configured the downloadable ACL on the ACS and I have enabled users and groups to use them. But when on the PIX I write show access-list I cannot see the ACL that I expect there. Then I have checked the reports in ACS and see that the user is authenticated and the ACL is assigned, but in failed attempts I read "DACL request from device is not acceptable".

My questions are:

Do I need to put something else on the PIX to accept ACLs?

The normal ACLs are enabled for an interface with "access-group in in interface inside"; with downloadable ACLs, where do I put the interface for enabling them?

Can someone give me some examples about these questions, please?

Thanks a lot for your answers.

2 REPLIES
New Member

Re: downloadable ACL

You might have to configure additional parameters. This URL will be useful.

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddcb.html

New Member

Re: downloadable ACL

This may be of some interest to you.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddaf8ce/2#selected_message

Make sure you have a permit statement to the virtual address and, failing that, place a packet sniffer on the AAA server. The transaction from the PIX should only be a single RADIUS accept packet at a time; if the PIX is sending out duplicate access-request packets with the same packet ID, the ACS server will reject the request and produce the message you are seeing.

Hope this helps
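The reply above suggests sniffing on the AAA server to see whether the PIX is sending repeated Access-Request packets with the same packet ID. The following is an added example, not code from the thread or from Cisco: it parses raw RADIUS datagrams in the RFC 2865 layout and flags Access-Requests that reuse an identifier already seen from the same source IP and port within a short window, distinguishing a byte-identical retransmission from an identifier reused for a new request. The sample datagrams, addresses (192.0.2.10, a documentation address), ports, user names and timestamps are constructed for the example.

```python
"""Detect repeated RADIUS Access-Request identifiers from one NAS.

Added example (not from the original thread). Parses raw RADIUS datagrams
(RFC 2865 layout) such as a sniffer on the AAA server would capture and
reports Access-Requests that reuse an identifier already seen from the same
source IP/port within a short window. Sample data below is constructed.
"""
import struct

RADIUS_ACCESS_REQUEST = 1          # RFC 2865 Code field value
ATTR_USER_NAME = 1                 # RFC 2865 attribute types
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20                    # code(1) + id(1) + length(2) + authenticator(16)


def parse_radius_header(raw):
    """Return (code, identifier, length, authenticator) from one datagram."""
    if len(raw) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < HEADER_LEN or length > len(raw):
        raise ValueError("RADIUS Length field inconsistent with datagram size")
    return code, ident, length, raw[4:HEADER_LEN]


def parse_attributes(raw):
    """Walk the Type/Length/Value attribute list; returns [(type, value), ...]."""
    _, _, length, _ = parse_radius_header(raw)
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute type {atype} has bad length {alen}")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(ident, authenticator, attrs):
    """Assemble an Access-Request datagram (used here only to build sample input)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + authenticator + body


def find_duplicate_access_requests(datagrams, window_seconds=30.0):
    """Flag Access-Requests whose (src_ip, src_port, identifier) was already seen
    within window_seconds. RFC 2865 lets a server treat such packets as duplicates:
    an identical Request Authenticator means the same packet was retransmitted,
    a different one means the NAS reused the identifier for a new request."""
    first_seen = {}   # (src_ip, src_port, identifier) -> (timestamp, authenticator)
    findings = []
    for ts, src_ip, src_port, raw in sorted(datagrams, key=lambda d: d[0]):
        code, ident, _, auth = parse_radius_header(raw)
        if code != RADIUS_ACCESS_REQUEST:
            continue
        key = (src_ip, src_port, ident)
        if key in first_seen and ts - first_seen[key][0] <= window_seconds:
            prev_ts, prev_auth = first_seen[key]
            findings.append({
                "src": f"{src_ip}:{src_port}",
                "identifier": ident,
                "seconds_since_first": round(ts - prev_ts, 3),
                "kind": "retransmission" if auth == prev_auth else "identifier reuse",
            })
            continue
        first_seen[key] = (ts, auth)
    return findings


# Constructed sample: one PIX (192.0.2.10) talking to the ACS. Timestamps are
# seconds relative to the start of the capture; authenticators are dummy bytes.
_AUTH_A, _AUTH_B, _AUTH_C = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
_NAS = bytes([192, 0, 2, 10])
_ATTRS_JDOE = [(ATTR_USER_NAME, b"jdoe"), (ATTR_NAS_IP_ADDRESS, _NAS)]
_ATTRS_ASMITH = [(ATTR_USER_NAME, b"asmith"), (ATTR_NAS_IP_ADDRESS, _NAS)]
SAMPLE_DATAGRAMS = [
    (0.000, "192.0.2.10", 49152, build_access_request(7, _AUTH_A, _ATTRS_JDOE)),
    (0.050, "192.0.2.10", 49152, build_access_request(8, _AUTH_B, _ATTRS_ASMITH)),
    # identifier 7 reused with a new authenticator before the first was answered
    (0.120, "192.0.2.10", 49152, build_access_request(7, _AUTH_C, _ATTRS_JDOE)),
    # same identifier from a different source port is a separate conversation
    (0.200, "192.0.2.10", 49153, build_access_request(7, _AUTH_A, _ATTRS_JDOE)),
    # byte-for-byte retransmission of identifier 8 after a timeout
    (3.000, "192.0.2.10", 49152, build_access_request(8, _AUTH_B, _ATTRS_ASMITH)),
]

if __name__ == "__main__":
    for f in find_duplicate_access_requests(SAMPLE_DATAGRAMS):
        print(f"{f['src']} id={f['identifier']} {f['kind']} after {f['seconds_since_first']}s")
```

Run as a script it reports the identifier-7 reuse at 0.12 s and the identifier-8 retransmission at 2.95 s; the packet on port 49153 is not reported because the server keys duplicates on source port as well as identifier. To use it on a real capture, feed `(timestamp, src_ip, src_port, udp_payload)` tuples extracted from the sniffer output; a steady stream of "identifier reuse" findings from the PIX is the condition the reply describes.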
