Re: Downloadable Access-list

kanwar · ‎08-23-2006

HI,

I have created a one line downloadble access-list in Cisco ACS to deny a host. deny tcp any host 192.168.115.1 eq 22 and assinged it to a user and group. when I try ssh it should be denied but it works. Thx for the help in advance

andrew.burns · ‎08-24-2006

Hi,

What platform is requesting the ACL? is the ACL actually downloading? (show access-lists should show an access-list starting with #ACSACL#).

Do you have the keyword "per-user-override" defined on the access-group?

HTH

Andrew.

kanwar · ‎08-24-2006

It is windows XP running a ssh client to connect to the Cisco devices. The downloadable access-list is ceated using Cisco ACS server. Thanks for your help

andrew.burns · ‎08-25-2006

Hi,

A downloadable acl can only be downloaded to an aaa-client that supports it (i.e. pix/asa/router/etc.) so I was just wondering what aaa-client is configured to request the ACL?

Andrew.

darpotter · ‎08-25-2006

There's a few things you can check

1) the device is typed in the network config correctly... must be a device that supports DACLs.

2) If you run csradius -z -p from the command line you should see the access accept include a Cisco VSA that gives the device the name of the DSCL

3) You should then see a further access request from the device to pull down the DACL content.

Darran