Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1698
Views
0
Helpful
1
Replies

ACS 3.2 Restrict access by destination port/IP Address

c-hayward
Level 1
Level 1

‎12-29-2003 12:36 PM - edited ‎03-10-2019 07:36 AM

Can anyone suggest how I can restrict access using ACS TACACS+ to a destination port or IP Address? I restrict access by group. Each group has specific access to DMZ's on the NDG's that authorize through the ACS. Any ideas?

Labels:
0 Helpful
1 Reply 1

cgregg
Level 1
Level 1

‎12-29-2003 12:51 PM

The ACS supports downloadable ACLs via VSA (vender specific attributes).

For example you can configure the PIX firewall for authentication against the ACS, in turn the ACS looks up the users in a database then looks at itself for per users or per group ACLs, then the PIX applies them to the config in a dynamic manner. And once the connection is closed the ACL is removed from the config.

So you could create the standard or extended ACL and add it to the ACS user or group under NARs. But I believe you will need to enable these options "interface configuration\ Advance options\ Users\Group-Lever Network Access Restrictions.

This links is part of the ACS 3.2 user guide.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html

I hope this helped.

Curt

0 Helpful
Customers Also Viewed These Support Documents