https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644778#M421517 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You will need to upgrade to 6.3(5):</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_not" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_not</A></P><P>ice09186a00805bf1c4.shtml</P><P> </P><P>As mentioned in the Field Notice above, the concern is that someone who knows the aclname could use that to get access to the network. Thus, the fix is to insist that the AAA client send 2 other cisco AVPs:</P><P></P><P>AAA:service=ip-admission</P><P></P><P>AAA:event=acl-download</P><P></P><P>In your case the PIX, which is not running the required code, didn't send these pairs, thus ACS complains.</P><P></P><P>Regards,</P><P>Vivek</P></BODY></HTML> Thu, 01 Mar 2007 17:24:09 GMT Vivek Santuka 2007-03-01T17:24:09Z https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644774#M421513 <P>Hi,</P><P></P><P>I am trying to get downloadable ACLs to a PIX firewall using ACS version 3.3 to PIX 6.3(4) IOS version:</P><P>Here is my config for the PIX:</P><P>aaa-server ACSACCESS protocol tacacs+</P><P>aaa-server ACSACCESS (inside) host 10.25.0.30 c0nn3ctm3 timeout 15</P><P>access-list 111 permit ip 10.25.61.0 255.255.255.0 any</P><P>aaa authentication match 111 outside ACSACCESS</P><P>The subnet 10.25.61.0 is the EZVPN DHCP pool allocated to the EZVPN users.</P><P></P><P>Here is a screen dump of the ACS server config:</P><P></P><P>the commands take ok but when access through the VPN I get my WINS, DNS etc but cannot browse the network.</P><P></P><P>The IP addressing has been changed due to me displaying this on the internet.</P><P></P><P>Regards,</P><P>Darren.</P><P></P><P></P><P> </P><P></P> Sun, 10 Mar 2019 22:00:24 GMT https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644774#M421513 5c5administrator 2019-03-10T22:00:24Z https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644775#M421514 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>i think you should configure the downloadable ACL on the ACS Server as described in the document (shared profile components);</P><P>You should also configure the pix as a radius Client for this feature (Radius CiscoIOS/PIX6.0).</P><P></P><P>Look at </P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html#wp391234" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html#wp391234</A></P><P>regards</P><P>alex</P></BODY></HTML> Sat, 24 Feb 2007 22:44:04 GMT https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644775#M421514 at 2007-02-24T22:44:04Z https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644776#M421515 <HTML><HEAD></HEAD><BODY><P>I am trying to configure Downloadable ACL using ACS4.0 on my PIX. The authentication works fine but I am getting the following message on my PIX:</P><P></P><P>"can't find authorization ACL ..."</P><P></P><P>and in the client browser:</P><P></P><P>"Error: acl authorization denied"</P><P></P><P>Please correct if I am wrong. Here is my understanding about DACL using RADIUS:</P><P></P><P>1. Add PIX as AAA Client in ACS (using Cisco IOS/PIX 6.0) as the protocol</P><P>2. configure authentication for http/ftp/telnet,etc. using RADIUS as the server-tag</P><P>3. Configure a DACL in Shared Network Profiles section of ACS</P><P>4. Check "Assign IP ACL" and select the configured ACL from drop down list</P><P>....and that is it!</P><P></P><P>Few Q's: Do we still need to configure TACACS+ settings like shell access and privilege level even though we are using RADIUS authentication?</P><P></P><P>I have configured TACACS shell access as well as priv lvl to 15.</P><P></P><P>Greatly appreciate any help...</P></BODY></HTML> Thu, 01 Mar 2007 16:50:36 GMT https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644776#M421515 magurwara 2007-03-01T16:50:36Z https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644777#M421516 <HTML><HEAD></HEAD><BODY><P>Update.....</P><P></P><P>I do see in ACS logs that Authentication failed for ACL where username is the ACL name sent by PIX. (#ACSACL#-IP-myACL-45e6c605).</P><P></P><P>The failure code is "DACL request from device is not acceptable"</P><P></P><P>I guess ACS is the one rejecting it! but WHY?</P></BODY></HTML> Thu, 01 Mar 2007 17:11:29 GMT https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644777#M421516 magurwara 2007-03-01T17:11:29Z https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644778#M421517 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You will need to upgrade to 6.3(5):</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_not" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_not</A></P><P>ice09186a00805bf1c4.shtml</P><P> </P><P>As mentioned in the Field Notice above, the concern is that someone who knows the aclname could use that to get access to the network. Thus, the fix is to insist that the AAA client send 2 other cisco AVPs:</P><P></P><P>AAA:service=ip-admission</P><P></P><P>AAA:event=acl-download</P><P></P><P>In your case the PIX, which is not running the required code, didn't send these pairs, thus ACS complains.</P><P></P><P>Regards,</P><P>Vivek</P></BODY></HTML> Thu, 01 Mar 2007 17:24:09 GMT https://community.cisco.com/t5/network-access-control/downloadable-acls/m-p/644778#M421517 Vivek Santuka 2007-03-01T17:24:09Z