04-11-2006 09:45 AM - edited 02-20-2020 09:36 PM
Hi guys,
I'm configuring an ACS 4.0 server and a PIX with IOS 6.3 to authenticate
the users and not their IP address. I have configured ACS and PIX to
authenticate the users from Microsoft Active Directory and everything
seems to work very well.
Now I wanna put some ACLs.
I have configured the downloadable ACL on the ACS and I have enabled
users and groups to use them. But when on the PIX I write show
access-list I cannot see the ACL that I expect there. Then I
checked the reports in ACS and saw that the user is authenticated and the
ACL is assigned, but in failed attempts I read "DACL request from device
is not acceptable".
My questions are:
Do I need to put something else on the PIX to accept ACLs?
The normal ACLs are enabled for an interface with "access-group in in interface
inside"; with downloadable ACLs, where do I put the interface for
enabling them?
Can someone give me some examples for these questions, please?
Thanks a lot for your answers.
04-17-2006 12:04 PM
You might have to configure additional parameters. This URL will be useful.
04-19-2006 07:58 AM
This may be of some interest to you.
Make sure you have a permit statement to the virtual address and, failing that, place a packet sniffer on the AAA server. The transaction from the PIX should only be a single RADIUS accept packet at a time. If the PIX is sending out duplicate access-request packets with the same packet ID, the ACS server will reject the request and produce the message you are seeing.
Hope this helps
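
One way to run the check suggested in the reply above, as an added example that is not part of the thread: given the RADIUS UDP payloads from a capture taken on the AAA server, it lists Access-Request identifiers that the same client sent more than once. The sample packets and addresses are constructed, and splitting repeats into same-authenticator and different-authenticator cases is an added detail based on the RFC 2865 header layout.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST = 1  # RADIUS code for Access-Request (RFC 2865)

def parse_header(payload):
    """Return (code, identifier, authenticator) from a RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match payload")
    return code, ident, payload[4:20]

def find_duplicate_requests(packets):
    """packets: iterable of (src_ip, src_port, udp_payload).
    Returns {(src_ip, src_port, id): kind} for identifiers seen more than once;
    kind is 'retransmit' (same authenticator) or 'id-reuse' (different one)."""
    seen = defaultdict(list)
    for src, port, payload in packets:
        try:
            code, ident, auth = parse_header(payload)
        except ValueError:
            continue  # not a well-formed RADIUS packet, skip it
        if code == ACCESS_REQUEST:
            seen[(src, port, ident)].append(auth)
    report = {}
    for key, auths in seen.items():
        if len(auths) > 1:
            report[key] = "retransmit" if len(set(auths)) == 1 else "id-reuse"
    return report

def _req(ident, auth_byte):
    # Constructed header-only Access-Request (no attributes) for the sample
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20) + bytes([auth_byte]) * 16

# Constructed sample capture: one client address, five Access-Requests
SAMPLE = [
    ("192.0.2.1", 1025, _req(7, 0xAA)),
    ("192.0.2.1", 1025, _req(7, 0xAA)),  # same ID, same authenticator
    ("192.0.2.1", 1025, _req(8, 0xBB)),
    ("192.0.2.1", 1025, _req(9, 0xCC)),
    ("192.0.2.1", 1025, _req(9, 0xDD)),  # same ID, different authenticator
]

if __name__ == "__main__":
    for (src, port, ident), kind in find_duplicate_requests(SAMPLE).items():
        print(f"{src}:{port} id={ident} {kind}")
```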