
ACS Server 6.0

Hi,

I just read that downloadable ACLs do not work for VPN users and that it only helps in passthrough authentication. The workaround solution was to define the ACL on the PIX and send down the ACL number from the ACS server. I have been looking through the various options and could not locate the option for assigning the ACL number. All I see is an option to assign downloadable ACLs.

I would appreciate it if you guys could help me out.

Thanks

Karthik Krishnamurthy

2 Replies

jekrauss
Level 1

Hi KK,

Here's how you do it:

Beginning with PIX software release 5.2, we can define access lists on the PIX, then apply them on a per-user basis based on the user profile on the server. TACACS+ requires authentication and authorization. RADIUS requires authentication only. In our example, we changed outbound authentication and authorization to TACACS+ and set up an access list on the PIX.

Note: Starting in PIX Version 6.0.1, if using RADIUS, the access-lists can also be implemented by entering the list in standard IETF RADIUS attribute 11 (Filter-Id) [CSCdt50422]. In this example, attribute 11 could be set to 115 in lieu of doing the vendor-specific "acl=115" verbiage.

PIX Configuration

access-list 115 permit tcp any host 99.99.99.2 eq telnet
access-list 115 permit tcp any host 99.99.99.2 eq www
access-list 115 permit tcp any host 99.99.99.2 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq www
access-list 115 deny tcp any host 99.99.99.3 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq telnet

CiscoSecure NT TACACS+

To add authorization to the PIX to control where the user can go with access lists, check shell/exec, check the Access control list box, and fill in the number (matches the access list number on the PIX).

CiscoSecure NT RADIUS

Radius/Cisco is the device-type. Our "pixa" user needs a username, a password, and a check and "acl=115" in the Cisco/Radius rectangular box where it says 009\001 AV-Pair (vendor-specific).

For more info, see:

Performing Authentication, Authorization, and Accounting of Users Through PIX Versions 5.2 and Later

http://www.cisco.com/warp/public/110/atp52.html#pix-config

HTH

Jeff
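Added example, not part of Jeff's reply or of the Cisco document he links: a small Python helper that resolves the ACL number a RADIUS reply hands down (IETF Filter-Id, attribute 11, or the Cisco AV-pair "acl=N"), parses the PIX access-list above, and evaluates a flow against it first-match with the implicit deny, so you can check what a user will be allowed to reach before they connect. The attribute dictionary, the sample flows and the parser's limited syntax (host/any only) are assumptions.

```python
import re

# Constructed sample: the access-list from the reply above, as "show run" would print it.
PIX_CONFIG = """
access-list 115 permit tcp any host 99.99.99.2 eq telnet
access-list 115 permit tcp any host 99.99.99.2 eq www
access-list 115 permit tcp any host 99.99.99.2 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq www
access-list 115 deny tcp any host 99.99.99.3 eq ftp
access-list 115 deny tcp any host 99.99.99.3 eq telnet
"""
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21}
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (tcp|udp|ip) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")

def parse_acls(config):
    """Return {acl_number: [(action, proto, src, dst, dport), ...]} in configuration order."""
    acls = {}
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # entry forms this toy parser does not understand are skipped
        name, action, proto, src, dst, port = m.groups()
        dport = (PORT_NAMES[port] if port in PORT_NAMES else int(port)) if port else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls

def acl_for_user(attrs):
    """ACL number from the RADIUS reply (assumed dict): IETF Filter-Id (attribute 11) if present,
    otherwise the Cisco vendor-specific AV-pair 'acl=N'."""
    if "Filter-Id" in attrs:
        return attrs["Filter-Id"]
    m = re.match(r"acl=(\S+)", attrs.get("cisco-avpair", ""))
    return m.group(1) if m else None

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; a PIX access-list ends with an implicit deny."""
    for action, p, s, d, port in acl:
        if p in (proto, "ip") and s in ("any", "host " + src) and d in ("any", "host " + dst) and port in (None, dport):
            return action
    return "deny"

def user_allowed(config, attrs, proto, src, dst, dport):
    """True/False when the user's ACL exists on the PIX; None when the server names an ACL the PIX lacks."""
    acls = parse_acls(config)
    number = acl_for_user(attrs)
    if number not in acls:
        return None
    return evaluate(acls[number], proto, src, dst, dport) == "permit"
```

A None result is the first thing to check when per-user filtering does not take effect: the number on the server and the access-list on the PIX have to agree exactly.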

Thanks. I will definitely try that today and will let you know if it worked.

Karthik.