Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Per user VPN envryption domain with TACACS - Possible?


I have very fluid environment where consultants need to VPN is to specific IP of the network for a few days. Doing this with static configuration means, maintaining 70+ client profiles with different ACLs associated to each profile.

Is there any way to store per user ACL in the TACACS and push that out to the ASA upon extended authentication?



Hall of Fame Super Blue

Re: Per user VPN envryption domain with TACACS - Possible?

Hi Sam

Do you have a Cisco Secure ACS server in your environment. If so yes, you can use downloadable ACL's on the ACS server and you can tie these ACL's to individual users or groups of users.

Let me know if you have an ACS and what version and i'll hunt out the relevant docs. I've also got this setup in our lab at work so i can send you a config example when i'm back in next week.



New Member

Re: Per user VPN envryption domain with TACACS - Possible?

Hi Jon,

Yes. I do have ACS server 4.0 version purchased which I already use for the VPN client authentication piece. I am just trying to figure out the authorization piece with downloadable ACLs.

If you have config examples, I would really appreciate it. I am not in rush so whenever time permits, please post or email to



ovt Bronze

Re: Per user VPN envryption domain with TACACS - Possible?

Yes, this should be possible. I used it on VPN3k + RADIUS. On ACS try "Shared Profile Components". Write an ACL like "permit ip ". Apply this Component to the user or user's group.

This mechanism is non-standard. The standard one is cisco av-pair ip:inacl#1=, but the ACL should be created on the tunnel-endpoint device int this case.

For successful authorization other VPN3k attributes are needed. See VPN3k docs on CCO for details. ASA attrs are the same (I believe).


Hall of Fame Super Blue

Re: Per user VPN envryption domain with TACACS - Possible?

Hi Sam

Okay, if you have authentication for users working on your ASA already then the only change you need to do on the ASA is if you have an access-list applied on the outside interface you need to apply it as such

access-group acl_outside in interface outside per-user-override.

The per-user-override is very important. What this does is add the per user downloadable acl to the existing access-list applied to the outside interface of your ASA. If you didn't have it then even if the ASA downloads a per user acl from the ACS server it would not work unless you are already permitting that users traffic on your outside access-list, but then that kind of defeats the purpose :)

On your ACS server

Shared Profile Components ->

Downloadable IP ACL's

Add in your per user acl's ( note that you can use per-group acl's if you want to apply the same acl to multiple users ).

example of acl would be

permit tcp any host eq 23

permit tcp any host eq www

deny ip any any

Make sure you click on submit in both windows ( you'll see what i mean ).

Then under

User Setup ->

Edit the user details ->

Scroll down to Downloadable ACLs box, select the correct acl from the drop down box and check the box.

Save it all and that should be it.

Let me know how you get on.


CreatePlease to create content