ASA 5520 & ACS Ver. 3.1

smartin
Level 1

Having some problems with group policies & within the ASA system. Able to connect via ASA VPN using ACS 3.1, but how do I apply ACLs for different groups?

I cannot find any information regarding the ASA & RADIUS.

Accepted Solutions

vkapoor5
Level 5

I am not sure of ASA, but PIX 6.3 supports downloadable ACLs from a RADIUS server. TACACS+ not supported. Here is the document that shows how to configure this feature in 6.3.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/mngacl.htm#wp1030990

6 Replies

Downloadable ACLs from the RADIUS server worked! One question: I noticed that when a user VPNs in, they receive their own ACL. Is that the norm?

If 50 users connect I would then see 50 ACLs.

Thanks

Stephen,

I'm currently having the same problem you originally had, where downloadable ACLs don't seem to work for our VPN users connecting to the ASA. Could you share what you had to do to get this to work?

Thanks!

Al

Check out the doc

Stephen,

Thanks for the info. This is pretty much the same as what we have configured. In our case we are running ACS 3.3, so there is no PIX Downloadable ACL option under shared component; it is now IP Downloadable ACL.

Anything special on the ASA, or just simple RADIUS authentication for your Tunnel-Group?

Thanks again,

Al

When I created a "Tunnel Group" on the ASA, under the "General" tab I pointed the "Authentication Server Group" to the RADIUS server.
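
The setup described in this thread, sketched as ASA CLI. This is an added example, not configuration posted by any participant; the group names, interface, server address and key are placeholders, and the syntax assumes ASA 7.x.

```cisco
! Constructed example. ACS-RADIUS, VPN-USERS, (inside), 192.0.2.10 and the
! key are placeholders, not values from this thread.

! 1. Define the RADIUS server group that points at the ACS server.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! 2. Create the remote-access tunnel group and bind its authentication
!    to that server group (the "Authentication Server Group" field on the
!    General tab in ASDM). On 7.x the type keyword is ipsec-ra; later
!    releases use remote-access.
tunnel-group VPN-USERS type ipsec-ra
tunnel-group VPN-USERS general-attributes
 authentication-server-group ACS-RADIUS
!
! 3. On the ACS side (GUI, not shown): define the downloadable ACL under
!    Shared Profile Components and assign it to each ACS group that needs
!    its own access policy. The ASA needs no per-group ACL configured
!    locally; it receives the ACL from RADIUS when the user authenticates.
!
! 4. Verify after a test user connects:
!    show vpn-sessiondb remote   <- session and the username it belongs to
!    show access-list            <- the ACL(s) downloaded from RADIUS
```

Checking `show access-list` after logging in with one account from each ACS group confirms that every group received the ACL intended for it and not a broader one.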