Several downloadable ACLs by ACS user group

Is it possible to map several downloadable ACLs to a single user or group of users using ASA and ACS?

For example, you have an ACL controlling access to servers (ACL A) and another ACL (ACL B) controlling internet access. Is it possible to assign several ACLs to a group of users, so that one user group can only access the servers, while user group B can access the servers and the internet (ACL A + ACL B)?

Thank you and best regards.

George,

The user and group settings only allow you to select a single DACL at a time.

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#configuringtheserverwitfddhias

Kind regards

Jousset

Rate useful posts.

Tags: Cisco Security

Similar Questions

  • Download ACL for VPN users. ACS 4.1 & 1841 router

    Hello

    I have configured the router 1841 as a VPN server. All VPN users get authenticated using RADIUS ACS 4.1

    I need to apply downloadable ACLs by user.

    I configured the downloadable ACL on ACS. The ACS event report shows that the ACL is applied to the authenticated user, but traffic is not blocked or passed accordingly.

    What is your configuration?

    I think the easiest way is to use IPsec VTI interfaces, together with aaa authorization network, and on the RADIUS server use ip:inacl in the cisco-av-pair, as in:

    ip:inacl#1=permit tcp any any eq 80

    ip:inacl#2=permit tcp any any eq 443

    ...

    Some documents:

    http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1090634

  • Downloadable ACLs on ACS 3.3

    Hello all. I'm having a problem editing downloadable ACLs on our ACS 3.3.

    Whenever I try to edit an ACL under Shared Profile Components, I add what I need and then click Submit, but the changes do not seem to save... As soon as I go to another menu, my changes are gone. Is there something I am forgetting?

    Thank you!

    Hello

    After you change the ACL and click 'Submit' on the page with the header

    Downloadable IP ACL Content

    you must then click 'Submit' again on the page it takes you to, i.e. the one headed

    Downloadable IP ACL

    HTH

    Jon

  • The ACS user groups

    I have a problem.

    We have 2 groups that are created in ACS, group 1: TACACS+ Access and group 2: RADIUS Access. Group 1 has the people that have been created on the ACS server itself. The 2nd group is dynamic, for users who are allowed access through the domain's User Manager. We do not want the 2nd group to be able to access our routers and switches with their Microsoft accounts, which they can now, at least as far as the enable prompt. I would like to have 2 groups completely independent of each other. Our group 1 is used only for our administrators to have access to all of our network devices.

    I'm sure some type of filtering by group or by IP address could be implemented on ACS, but I'm not sure where, if this is the case.

    Can someone please help!

    Thank you!

    Matt

    You must set up Network Access Restrictions (NAR) to restrict group 2 from being able to access the routers/switches.

    Make sure Group-Level Network Access Restrictions is checked under Interface Configuration > Advanced Options. Then go to Group 2, NAR section, check the box 'Define IP-based access restrictions', set the table to 'Denied Calling/Point of Access Locations', and then select each of the routers/switches, using * for the Port and Address, and add them to the table.

    Anyone in Group 2 will then be refused authentication on any of the routers/switches.

  • Download ACL ACS 5.2

    Hi all

    How many ACL lines is it possible to configure in a downloadable ACL in ACS 5.2?

    Best regards

    Evandro.

    Hello

    In ACS 5.x you have 2 ways to send ACLs; one has a limit and the other does not.

    The limitation is the maximum size of 4096 bytes that a RADIUS packet can have.

    Option 1 - Cisco VSA. Supported by older versions of IOS.


    Basically, you need to use Cisco VSA attributes in a format like the following:

    ip:inacl#100=permit udp any any eq bootps

    ip:inacl#200=permit udp any any eq domain

    ip:inacl#300=permit ip any host 192.168.80.2

    ip:inacl#400=permit ip host 192.168.80.2 any

    ip:inacl#500=deny ip any any

    1) Go to: 'Policy Elements > ... > Authorization and Permissions > Network Access > Authorization Profiles > Create' and on the 'Common Tasks' tab make sure that you do not use a Downloadable ACL Name (see screenshot).

    2) Then on the RADIUS Attributes tab enter the ACL line by line (see screenshot).

    Then you link the authorization profile to the access service.

    Step 1:

    Step 2:

    Option 2 - dACL. Here, the ACL is fragmented into several RADIUS packets if necessary. This is supported by IOS devices on more recent IOS releases: 12.2(33)SXI on the Catalyst 6500, 12.2(50)SG on the Catalyst 4500 and 12.2(50)SE on the Catalyst 3750/3560 and 2960 families.

    1) Go to: 'Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs' and create a dACL (see screenshot).

    2) Go to: 'Policy Elements > ... > Authorization and Permissions > Network Access > Authorization Profiles > Create' and select the dACL from the list to link it to the authorization profile (see screenshot).

    Then you link the authorization profile to the access service.

    Step 1:

    Step 2:

    Full configuration example:

    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/Whitepaper_c11-532065.html.

    Hope this helps,

    Tiago

    --

    If this answers your question, please mark the question as 'answered' and rate it, so other users can easily find it.

  • Downloadable ACL on ACS 5.2 using 802.1X authentication

    Hi all

    I configured ACS 5.2 for 802.1X authentication. It works well; clients are placed in their respective VLANs after a successful authentication.

    Now I want to assign downloadable ACLs to particular users. Can someone help me with the downloadable ACL configuration on ACS 5.2?

    Any feedback is much appreciated.

    Thanks in advance,

    Selva.

    Hi Selva,

    Based on what do you want to assign the DACL? Based on the user name? Group? etc.?

    This document will be useful for you:

    http://tiny.cc/ogrxvw

    Ignore the ASA part; concentrate on the ACS config.

    The doc uses ASA as the AAA client. The difference is that you use a switch, but the idea is the same.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Downloadable ACLs for users of VPN

    Hello

    I replaced the old PIX with an ASA (7.2). There were groups configured for the remote VPN users authenticated through the ACS, and ACS downloaded a specific ACL for each group to the PIX. After the replacement, users cannot establish the VPN connection. After troubleshooting, I discovered that the downloadable ACLs were not working well. When I disabled this option the tunnel was established. When I go back to the old PIX with the same configuration, it works well with the downloadable ACL option. I opened a TAC case and they said that ACS v3.0 (I) is not compatible with the ASA. That did not really convince me, and they asked me to try the AV pair option. I tried the AV pair option with the ASA and it did not work either. Can you please advise?

    Hello

    Check out this point,

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef21184

    In addition, 3.0 is very old, and I guess that in this version we have "Downloadable PIX ACL" and not "Downloadable IP ACL"; on the ASA, downloadable ACLs will work with "Downloadable IP ACL" but not with "Downloadable PIX ACL".

    Kind regards

    Prem

  • Why can ACS not display the downloadable ACLs page?

    Hello

    I have ACS for Windows, version 4.0.1.27.

    After a successful installation, I found there is no Downloadable ACLs item under Shared Profile Components. I can see it should be supported in that place.

    Why can't I configure downloadable ACLs in this ACS? Is there any other work I have to do?

    THX

    Hello

    Try this.

    Interface Configuration -> Advanced Options

    Click the check boxes for

    User-Level Downloadable ACLs

    Group-Level Downloadable ACLs

    Click Submit

    Then go back to Shared Profile Components and it should now be an option.

    HTH

    Jon

  • ASA5520 and ACS 4.0 - AnyConnect WebVPN (Clientless SSL Tunnel) does not honor downloadable ACLs (DACL)

    I'm having a lot of problems getting so-called "Clientless SSL-Tunnel" AnyConnect VPN sessions - i.e. those that are initiated by visiting https:// via a browser and letting the Java/ActiveX plugin automatically run the AnyConnect VPN fat client for you - to honor downloadable ACLs.

    Our installation is integrated with Cisco ACS 4.0 via RADIUS.

    The dynamic group -> connection profile policy seems to work either way (directly via the AnyConnect VPN fat client or indirectly via browser -> Java/ActiveX client); however, our downloadable ACLs only take effect if the user initiates the SSL VPN via the AnyConnect VPN fat client; users who access the site through the "browser -> https://" route seem to have no ACLs applied at all?

    I understand that I can change the custom "Cisco VPN/3000/etc" RADIUS attributes, such as 'WebVPN-filters' and 'WebVPN-Access-List', to apply an ACL configured locally on the ASA firewall, but what do I have to configure to make the "WebVPN/Clientless-SSL-Tunnel" sessions honor the DACL that our ACS sends?

    It is a known problem with some ASA software versions; see Cisco bug CSCtv19046 - DACL is not applied to AnyConnect when connecting via the web portal. You probably need to update your ASA to 8.4(4.1) or a later version.

  • ACS and download ACL for multiple clients-AAA

    Hello!

    I need to know if it is possible to download a DACL to a device that is not part of the RADIUS conversation. In other words, I have a user who needs access to certain resources and attempts to connect to the network via PIX1. I need to authenticate him via ACS and download the ACL to PIX1 and (attention) also to PIX2 (a firewall further upstream). Is it possible to do this?

    I don't think that you can do this. As you mentioned, the other PIX has no RADIUS configuration, and you can only push a DACL from the RADIUS server to the PIX that requests it, not to any other PIX.

    And I'm not aware of any mechanism or feature that allows you to transfer the downloaded ACL from one PIX to another.

    Kind regards

    Prem

  • Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

    Hello

    I have set up Cisco NAC in my environment. It all works well. Users get authenticated via the Cisco NAC Manager. The Cisco NAC Manager talks to Cisco ACS for the user database part. I would like to enable downloadable ACLs. I tried using the cisco-av-pair method and creating a downloadable ACL entry in Shared Profile Components, but nothing works. Either I'm doing something wrong or this configuration of mine does not support downloadable ACLs? Please advise kindly.

    Kind regards

    RAM


    Hello

    It is not possible.

    You cannot push the ACL in the NAC manager.

    If you do RADIUS authentication from the NAC Manager, what you can do is create roles on the NAC Manager, and on the roles you define traffic policies.

    Using the RADIUS attributes you can then map users to roles.

    Please, take a look at this:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Downloadable ACLs for users?

    Hi all

    ACS 5.4, I need ACLs customized for users.

    My scenario:

    There is a way to use some "downloadable ACL" in a permission profile, but I want to set specific ACLs for some exceptions. For example: user A and user B get permission profile 'X'. But user B is not allowed to access a host. This 'deny rule' I would configure with custom attributes in the internal user store.

    Is this possible? How can I implement this rule?

    Best regards

    Stefan

    Hello

    You can do this by following these steps:

    1. Define a user attribute in the dictionary under System Administration > Dictionaries > Identity > Internal Users; call it what you want and make sure that the value is a string.

    2. Create the DACL in Named Permission Objects under the Policy Elements section.

    3. Under the user account you will now see one field for the dictionary attribute you named in step 1; make sure that the field value is the DACL that you created in step 2.

    4. Create your authorization profile; under "Common Tasks" set the Downloadable ACL Name to Dynamic, select Internal Users in the drop-down, and set the value to the attribute that you created in step 1.

    5. Map the authorization profile to the access policy using the conditions that will give you these results.

    6. Test and you should have what you are looking for.

    Thank you

    Tarik Admani
    *Please rate useful posts*.

  • Are the TsInternetUser group, Upload Manager and NNTP service no longer included in Windows Server 2008? If yes, please give me the reference link

    I need a link that confirms that the TsInternetUser group, Upload Manager and NNTP service are no longer included in Windows Server 2008.

    Hi HP_990,

    I would suggest reposting your question in our Windows Server TechNet forums here:

    http://social.technet.Microsoft.com/forums/en/category/WindowsServer

    Thank you!

  • ASA auth-proxy Radius and downloadable ACLs

    Hello

    I want to have ACLs that decide what traffic to allow after auth-proxy authorization.

    1. What options do I have with ASA + ACS?

    2. Can I use auth-proxy on ASA with ACS and RADIUS downloadable ACLs?

    3. Can I use auth-proxy on ASA with ACS and RADIUS [009\001] cisco-av-pair (will the ASA understand it?)

    4. Can I use auth-proxy on ASA with ACS and TACACS+ auth-proxy attributes (with ACLs)?

    Thanx

    Hello

    Take a look at this guide to see if it helps answer your question. You can use downloadable ACLs or the cisco-av-pair; I have seen that the cisco-av-pair method works a little better because it has the user name of who logged in as part of the ACL, which facilitates troubleshooting.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_fwaaa.html#wp1150820

    Thank you

    Tarik Admani

  • Assign several managers to a single user in Captivate Prime

    Is it possible to assign several managers to a single user in Captivate Prime?

    I have a group of users where I need 3 managers to have access to the group (all 3 managers are customer educators).

    I want to know if I can add three Manager IDs (separated by commas) in the CSV upload, or if I can perform this action in the Prime user interface once users have been uploaded.

    Thanks in advance.

    Hello

    We cannot assign several managers to a user.

    If we add comma-separated Manager IDs, it gives us an error when uploading the CSV.

    Here is the screenshot for the same thing.

    Thank you
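Added example, not code from the thread or from Cisco: it merges the first question's ACL A and ACL B into the single ACL that ACS can attach to a user or group, renumbers the entries as cisco-av-pair ip:inacl# lines like those in the ACS 5.2 answer, and encodes them as RADIUS Vendor-Specific attributes to check the result against the 4096-byte RADIUS packet limit that caps Option 1 there. The ACL contents, the 192.168.80.x hosts and the function names are constructed for the example.

```python
import struct

# Sizes follow the RADIUS wire format (RFC 2865); the ACL contents below are
# constructed sample data, not configuration from the thread.
RADIUS_HEADER_LEN = 20     # code, identifier, length, authenticator
RADIUS_MAX_PACKET = 4096   # RFC 2865 maximum packet length (the 4096-byte limit above)
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1          # Cisco VSA sub-attribute number for cisco-av-pair

# Constructed ACLs from the original question: A = server access, B = internet.
ACL_A = ["permit tcp any host 192.168.80.2 eq 443",
         "permit tcp any host 192.168.80.3 eq 22"]
ACL_B = ["permit tcp any any eq 80",
         "permit tcp any any eq 443",
         "deny ip any any"]


def merge_acls(*acls):
    """Concatenate ACLs in order and renumber them as ip:inacl#N= av-pairs.

    ACS attaches one DACL per user or group, so a group that needs A and B
    gets a single ACL with A's entries followed by B's. Steps of 100 mirror
    the numbering used in the ACS 5.2 answer (ip:inacl#100=, #200=, ...).
    """
    entries = [ace for acl in acls for ace in acl]
    return ["ip:inacl#%d=%s" % ((i + 1) * 100, ace) for i, ace in enumerate(entries)]


def encode_av_pair(av_pair):
    """Encode one cisco-av-pair as a RADIUS Vendor-Specific attribute (type 26)."""
    value = av_pair.encode("ascii")
    sub_len = 2 + len(value)   # vendor-type + vendor-length + value
    attr_len = 6 + sub_len     # type + length + vendor-id(4) + sub-attribute
    if attr_len > 255:         # the RADIUS attribute length field is one byte
        raise ValueError("av-pair too long for one RADIUS attribute: %r" % av_pair)
    return struct.pack("!BBIBB", 26, attr_len, CISCO_VENDOR_ID, CISCO_AV_PAIR, sub_len) + value


def vsa_packet_size(av_pairs):
    """Bytes an Access-Accept needs to carry all av-pairs (header + VSAs only)."""
    return RADIUS_HEADER_LEN + sum(len(encode_av_pair(p)) for p in av_pairs)


def fits_in_one_packet(av_pairs):
    """True if the VSA method (Option 1 in the ACS 5.2 answer) can deliver this ACL."""
    return vsa_packet_size(av_pairs) <= RADIUS_MAX_PACKET


if __name__ == "__main__":
    combined = merge_acls(ACL_A, ACL_B)
    print("\n".join(combined))
    size = vsa_packet_size(combined)
    verdict = "fits" if fits_in_one_packet(combined) else "too big: use a dACL (Option 2)"
    print("RADIUS bytes needed: %d of %d, %s" % (size, RADIUS_MAX_PACKET, verdict))
```

A five-line ACL fits comfortably; the check only starts to fail around a hundred or more entries, which is exactly the case where the thread points to the fragmenting dACL method instead.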
