07-07-2008 06:05 AM - edited 03-10-2019 03:57 PM
Hi,
We installed an ACS v4.1 and were trying to limit the access of authenticated users by using Downloadable IP ACLs on a Catalyst 3750 with IOS version ipbasek9-mz.122-25.SEE4. The authentication part works fine with an external database (Wins AD), but we want to limit the network access of some groups.
Can this be done using Downloadable IP ACLs?
Thanks for any help
07-07-2008 09:42 AM
Yes, DACLs can be used here. To use a downloadable IP ACL on a particular AAA client, the AAA client must:
.Use RADIUS for authentication.
.Support downloadable IP ACLs.
Examples of Cisco devices that support downloadable IP ACLs are:
.PIX Firewalls
.VPN 3000-series concentrators, ASA and PIX devices
.Cisco devices running IOS version 12.3(8)T or greater
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp696809
Please note that downloadable ACLs are not supported on cat based switches.
If downloadable ACLs through a shared profile don't work, define a cisco av-pair to create the downloadable ACL.
Give this a try and see if it works. The format for the av-pair ACL is:
ex
ip:inacl#1=permit ip 1.1.1.0 0.0.0.255 9.9.9.0 0.0.0.255
Regards,
~JG
Do rate helpful posts.
07-07-2008 10:05 AM
JG, I did the shared profile configuration, but I didn't do anything in the Catalyst 3750 apart from these commands:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
dot1x system-auth-control
.
.
interface fas1/0/7
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout reauth-period 60
dot1x reauthentication
radius-server host 10.1.0.19 auth-port 1645 acct-port 1646 key cisco
radius-server source-ports 1645-1646
!
Do I need to configure something else in the switch ?
Thanks for any help
07-07-2008 10:12 AM
This "Downloadable IP ACL" does NOT work on a 3750 on ports enabled for 802.1X. For 802.1X, you have 2 choices:
1) Use the Filter-ID attribute from RADIUS, and download the name/number of an ACL that's already configured on the switch.
2) Configure the [026\009\001] directly with the needed ACL.
This will help:
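As an added example (not part of this thread or of any Cisco code), here is what the two choices above look like on the wire: Filter-Id (attribute 11) naming an ACL the switch already has, versus the Cisco VSA [026\009\001] carrying `ip:inacl#<n>=<ace>` lines. The encoder builds both attribute forms and the decoder walks an Access-Accept attribute list and pulls the ACL information back out, rejecting malformed TLVs; the ACL name `GUEST-IN` is a constructed value, the ACE is the one quoted in the thread.

```python
import struct

FILTER_ID = 11          # RADIUS Filter-Id: references an ACL already configured on the switch
VENDOR_SPECIFIC = 26    # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1       # vendor type 1 = cisco-av-pair, i.e. the [026\009\001] attribute

def encode_filter_id(acl_name: str) -> bytes:
    """Filter-Id TLV: type, total length, ASCII ACL name."""
    value = acl_name.encode()
    return struct.pack("!BB", FILTER_ID, 2 + len(value)) + value

def encode_cisco_av_pair(avpair: str) -> bytes:
    """Vendor-Specific TLV wrapping one cisco-av-pair sub-attribute (RFC 2865 VSA layout)."""
    value = avpair.encode()
    if len(value) > 247:                     # 253 byte attribute limit minus VSA overhead
        raise ValueError("av-pair too long for one RADIUS attribute")
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), CISCO_VENDOR_ID) + sub

def encode_inacl(entries):
    """Per-user inbound ACL as in the thread: one ip:inacl#<n>=<ace> av-pair per ACE."""
    return b"".join(encode_cisco_av_pair(f"ip:inacl#{n}={ace}")
                    for n, ace in enumerate(entries, 1))

def decode_acl_attributes(blob: bytes) -> dict:
    """Walk the attribute TLVs of an Access-Accept and collect Filter-Id and ip:inacl# lines."""
    out = {"filter_id": [], "inacl": []}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated RADIUS attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        value = blob[pos + 2:pos + alen]
        if atype == FILTER_ID:
            out["filter_id"].append(value.decode())
        elif (atype == VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AV_PAIR and 2 <= vlen <= len(value) - 4:
                text = value[6:4 + vlen].decode()
                if text.startswith("ip:inacl#") and "=" in text:
                    num, ace = text[len("ip:inacl#"):].split("=", 1)
                    out["inacl"].append((int(num), ace))
        pos += alen
    out["inacl"].sort()                      # ACEs apply in #n order regardless of wire order
    return out
```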