Cisco Support Community
New Member

network authorization to ppp dialup client using tacacs+ ACS

I'm using ACS 3.0 with a 3640 NAS with analog modems and channelized serial interface. I'm configuring authorization to ppp dialup users to specify which resources they can see and which others they cannot see.

Is it possible to perform this kind of authorization, not only specifying the access-list which has to be applied when a user logs (this way is not so much scalable) but also specifying the allowed or denied resources on the ACS server, like one can do with the pix firewall?

Thank you.

3 REPLIES
New Member

Re: network authorization to ppp dialup client using tacacs+ ACS

If I understand you correctly, you want to deny access to ports on the NAS for specific users. Then use the port filtering option. You can permit or deny access through authorization on a per port basis with port filtering. For example, the AAA profile would look like this:

    service=ppp {
        allow "" "^tty1[5-9]$" ""
        refuse "" "^tty1[0-4]$" ""
        protocol=ip {
            set addr-pool=default
        }
    }

Where 10.0.0.1 is the NAS. This allows access to tty ports 15-19 and denies access to ports 10-14. Never did this in CSNT if you are using it, but you should be able to apply this attribute as an advanced TACACS+ AVP or there should be another option to deny the ports. Hope this helps.

New Member

Re: network authorization to ppp dialup client using tacacs+ ACS

Left the NAS out, sorry:

    service=ppp {
        allow "10.1.1.1" "^tty1[5-9]$" ""
        refuse "10.1.1.1" "^tty1[0-4]$" ""
        protocol=ip {
            set addr-pool=default
        }
    }
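As an added illustration (not part of the thread), a small Python evaluator for the allow/refuse port-filtering lines in the profile above, so an administrator can see which ports each rule affects before pushing the profile. It assumes first-match semantics, treats an empty quoted field as a wildcard, and denies any port no rule matches; the third field, empty in the post, is simply carried along.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed copy of the two filtering lines from the corrected reply above.
PROFILE = '''
allow "10.1.1.1" "^tty1[5-9]$" ""
refuse "10.1.1.1" "^tty1[0-4]$" ""
'''

Rule = Tuple[str, str, str, str]  # (action, nas_regex, port_regex, third_regex)
RULE_RE = re.compile(r'^(allow|refuse)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s*$')


def parse_rules(text: str) -> List[Rule]:
    """Return the allow/refuse rules in profile order; reject anything else."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"not an allow/refuse line: {line!r}")
        rules.append(m.groups())  # type: ignore[arg-type]
    return rules


def _field_matches(pattern: str, value: str) -> bool:
    # Assumption: an empty quoted field matches anything; otherwise it is a regex.
    return pattern == "" or re.search(pattern, value) is not None


def decide(rules: List[Rule], nas: str, port: str, third: str = "") -> str:
    """First matching rule wins. Assumption: no match means 'refuse'."""
    for action, nas_re, port_re, third_re in rules:
        if (_field_matches(nas_re, nas) and _field_matches(port_re, port)
                and _field_matches(third_re, third)):
            return action
    return "refuse"


def audit(rules: List[Rule], nas: str, ports: Iterable[str]) -> Dict[str, str]:
    """Map every port of interest to its verdict, showing the profile's full effect."""
    return {p: decide(rules, nas, p) for p in ports}


if __name__ == "__main__":
    parsed = parse_rules(PROFILE)
    for tty, verdict in audit(parsed, "10.1.1.1", [f"tty{n}" for n in range(8, 22)]).items():
        print(f"{tty:6} {verdict}")
```

Running it shows tty15-tty19 allowed, tty10-tty14 refused, and ports outside both ranges (tty8, tty9, tty20, tty21) refused only because of the assumed default, which is the first thing to confirm against the daemon's actual behaviour.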

New Member

Re: network authorization to ppp dialup client using tacacs+ ACS

Unfortunately no.

I would like to filter the ip or tcp traffic, like access-lists do, not using the access lists, but specifying the allowed or denied sites on the cisco ACS. I know this can be done with the PIX firewall, and I don't know why a similar authorization cannot be done with IOS access-servers. Or, if it's possible, I haven't found the way.

Thank you
