Cisco Support Community

New Member

TACACS+ defined ACLs versus NAS defined ACLs

We are preparing to implement per-user access-lists using Cisco Secure NT v2.4 and our PIX. As I understand it, we can either define an access list on the PIX and assign it to a user during authentication/authorization, or we can define the ACL on the ACS server using the inacl#= and outacl#= statements. We are only looking at a handful of different lists for different groups of

I was wondering if anyone had any information regarding the pros/cons of doing it each way, especially as regards resource usage and speed.

As an added complication, the same ACS server handles AAA for our dialin 3620, and the same users could connect via either the PIX using the VPN or via the 3620. We already have some static ACLs on the 3620 - would we have to include everything they are doing in any ACL that we assign/create from the ACS server?

Cisco Employee

Re: TACACS+ defined ACLs versus NAS defined ACLs

Since you have an AAA server, it's the best way to manage everything. So I would go for "access-list from aaa". Also, it gives you total control of management, and the best part is you can have user-specific access-lists as well. Thx, Tejal