topic Downloadable ACL on Cisco IOS router (from ACS) ? in Network Access Control

Downloadable ACL on Cisco IOS router (from ACS) ?

shahedvoicerite — Mon, 11 Mar 2019 00:11:36 GMT

Hi,

(I am a bit new to some of the IOS Security features)

Is it possible to "download" and ACL from TACACS+ (ACS 5.1) OR RADIUS AV Pairs ?

I know that the lists can be configured on ACS, but how are they applied on a IOS router ?

I have read about "lock and key ACL" , but the examples I have seen only use ACS to authenticate.

Also, if the lists can be downloaded, WHERE can they be applied ? Would it be limited to vty ?

What I ultimately want, is to have an ACL applied per user, when VPN users login to the crypto map / Tunnel interface.

Thanks

Jatin Katyal — Thu, 17 Jun 2010 02:38:26 GMT

Yes, this is possible.

For radius you may use the Cisco A/V pair, the format of ACL should be,

ip:inacl#=

"ip:inacl#1=permit tcp any any"

HTH

Do rate helpful posts-

shahedvoicerite — Thu, 17 Jun 2010 09:12:50 GMT

Thanks, but I already know that it IS possible in ACS.

My question is how do I *USE* this on an IOS router like a 2811. (As opposed to a PIX/ASA)

i.e What IOS commands do I enter, and where can I enter them, to make use of such ACLs.

I cant seem to find any docs on this, and the only "lock and key" dACL example, does not show how to download the ACL

from ACS.

At this point, I am not sure if this feature is even supported on IOS routers, or if its only for PIX/ASA

Thanks