Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1846
Views
0
Helpful
4
Replies

Downloadable Access-list

kanwar
Level 1
Level 1

‎08-23-2006 07:30 PM - edited ‎03-10-2019 02:43 PM

HI,

I have created a one line downloadble access-list in Cisco ACS to deny a host. deny tcp any host 192.168.115.1 eq 22 and assinged it to a user and group. when I try ssh it should be denied but it works. Thx for the help in advance

Labels:
0 Helpful
4 Replies 4

andrew.burns
Level 7
Level 7

‎08-24-2006 04:21 AM

Hi,

What platform is requesting the ACL? is the ACL actually downloading? (show access-lists should show an access-list starting with #ACSACL#).

Do you have the keyword "per-user-override" defined on the access-group?

HTH

Andrew.

0 Helpful

kanwar
Level 1
Level 1
In response to andrew.burns

‎08-24-2006 08:27 AM

It is windows XP running a ssh client to connect to the Cisco devices. The downloadable access-list is ceated using Cisco ACS server. Thanks for your help

0 Helpful

andrew.burns
Level 7
Level 7
In response to kanwar

‎08-25-2006 12:41 AM

Hi,

A downloadable acl can only be downloaded to an aaa-client that supports it (i.e. pix/asa/router/etc.) so I was just wondering what aaa-client is configured to request the ACL?

Andrew.

0 Helpful

darpotter
Level 5
Level 5
In response to andrew.burns

‎08-25-2006 11:47 AM

There's a few things you can check

1) the device is typed in the network config correctly... must be a device that supports DACLs.

2) If you run csradius -z -p from the command line you should see the access accept include a Cisco VSA that gives the device the name of the DSCL

3) You should then see a further access request from the device to pull down the DACL content.

Darran

0 Helpful
Customers Also Viewed These Support Documents