https://community.cisco.com/t5/network-access-control/acs-server-6-0/m-p/74783#M9522 <HTML><HEAD></HEAD><BODY><P>Hi KK,</P><P></P><P>Here's how you do it:</P><P></P><P>Beginning with PIX software release 5.2, we can define access lists on the PIX, then apply them on a per-user basis based in the user profile on the server. TACACS+ requires authentication and authorization. RADIUS requires authentication only. In our example, we changed outbound authentication and authorization to TACACS+ and set up an access list on the PIX.</P><P></P><P>Note: Starting in PIX Version 6.0.1, if using RADIUS, the access-lists can also be implemented by entering the list in standard IETF RADIUS attribute 11 (Filter-Id) [CSCdt50422]. In this example, attribute 11 could be set to 115 in lieu of doing the vendor-specific "acl=115" verbiage.</P><P></P><P>PIX Configuration</P><P>access-list 115 permit tcp any host 99.99.99.2 eq telnet</P><P>access-list 115 permit tcp any host 99.99.99.2 eq www</P><P>access-list 115 permit tcp any host 99.99.99.2 eq ftp</P><P>access-list 115 deny tcp any host 99.99.99.3 eq www</P><P>access-list 115 deny tcp any host 99.99.99.3 eq ftp</P><P>access-list 115 deny tcp any host 99.99.99.3 eq telnet </P><P></P><P>CiscoSecure NT TACACS+</P><P>To add authorization to the PIX to control where the user can go with access lists, check shell/exec, check the Access control list box, and fill in the number (matches the access list number on the PIX). </P><P></P><P></P><P>CiscoSecure NT RADIUS</P><P>Radius/Cisco is the device-type. Our "pixa" user needs a username, a password, and a check and "acl=115" in the Cisco/Radius rectangular box where it says 009\001 AV-Pair (vendor-specific).</P><P></P><P></P><P></P><P>For more info, see: </P><P></P><P>Performing Authentication, Authorization, and Accounting of Users Through PIX Versions 5.2 and Later</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/atp52.html#pix-config" target="_blank">http://www.cisco.com/warp/public/110/atp52.html#pix-config</A></P><P></P><P>HTH</P><P>Jeff</P><P></P><P></P></BODY></HTML> Sat, 05 Oct 2002 22:44:59 GMT jekrauss 2002-10-05T22:44:59Z https://community.cisco.com/t5/network-access-control/acs-server-6-0/m-p/74782#M9520 <P>Hi,</P><P></P><P>I just read that downloadble ACL's do not work for VPN users and that it only helps in passthrough authentication. The workaround solution was to define the ACL on the pix and send down the ACL number on the ACS server. I have been lookking through the various options and could not locate the option for assigning the ACL number . All I see is an option to assign downloadble ACLS.</P><P></P><P>I would appreciate it if you gys could help me out.</P><P></P><P>Thanks</P><P>Karthik Krishnamurthy</P> Fri, 21 Feb 2020 18:04:15 GMT https://community.cisco.com/t5/network-access-control/acs-server-6-0/m-p/74782#M9520 Karthik.Krishnamurthy 2020-02-21T18:04:15Z https://community.cisco.com/t5/network-access-control/acs-server-6-0/m-p/74783#M9522 <HTML><HEAD></HEAD><BODY><P>Hi KK,</P><P></P><P>Here's how you do it:</P><P></P><P>Beginning with PIX software release 5.2, we can define access lists on the PIX, then apply them on a per-user basis based in the user profile on the server. TACACS+ requires authentication and authorization. RADIUS requires authentication only. In our example, we changed outbound authentication and authorization to TACACS+ and set up an access list on the PIX.</P><P></P><P>Note: Starting in PIX Version 6.0.1, if using RADIUS, the access-lists can also be implemented by entering the list in standard IETF RADIUS attribute 11 (Filter-Id) [CSCdt50422]. In this example, attribute 11 could be set to 115 in lieu of doing the vendor-specific "acl=115" verbiage.</P><P></P><P>PIX Configuration</P><P>access-list 115 permit tcp any host 99.99.99.2 eq telnet</P><P>access-list 115 permit tcp any host 99.99.99.2 eq www</P><P>access-list 115 permit tcp any host 99.99.99.2 eq ftp</P><P>access-list 115 deny tcp any host 99.99.99.3 eq www</P><P>access-list 115 deny tcp any host 99.99.99.3 eq ftp</P><P>access-list 115 deny tcp any host 99.99.99.3 eq telnet </P><P></P><P>CiscoSecure NT TACACS+</P><P>To add authorization to the PIX to control where the user can go with access lists, check shell/exec, check the Access control list box, and fill in the number (matches the access list number on the PIX). </P><P></P><P></P><P>CiscoSecure NT RADIUS</P><P>Radius/Cisco is the device-type. Our "pixa" user needs a username, a password, and a check and "acl=115" in the Cisco/Radius rectangular box where it says 009\001 AV-Pair (vendor-specific).</P><P></P><P></P><P></P><P>For more info, see: </P><P></P><P>Performing Authentication, Authorization, and Accounting of Users Through PIX Versions 5.2 and Later</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/atp52.html#pix-config" target="_blank">http://www.cisco.com/warp/public/110/atp52.html#pix-config</A></P><P></P><P>HTH</P><P>Jeff</P><P></P><P></P></BODY></HTML> Sat, 05 Oct 2002 22:44:59 GMT https://community.cisco.com/t5/network-access-control/acs-server-6-0/m-p/74783#M9522 jekrauss 2002-10-05T22:44:59Z https://community.cisco.com/t5/network-access-control/acs-server-6-0/m-p/74784#M9523 <HTML><HEAD></HEAD><BODY><P>Thanks . I will definately try that today and will let you know if it worked.</P><P></P><P>Karthik.</P></BODY></HTML> Mon, 07 Oct 2002 13:25:49 GMT https://community.cisco.com/t5/network-access-control/acs-server-6-0/m-p/74784#M9523 Karthik.Krishnamurthy 2002-10-07T13:25:49Z