
Cisco 3.3 User Manual

Chapter 5 Shared Profile Components
Downloadable IP ACLs
5-8
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
This section contains the following topics:
• About Downloadable IP ACLs, page 5-8
• Adding a Downloadable IP ACL, page 5-10
• Editing a Downloadable IP ACL, page 5-13
• Deleting a Downloadable IP ACL, page 5-14
About Downloadable IP ACLs
Downloadable IP ACLs enable you to create sets of ACL definitions that you can
apply to many users or user groups. These sets of ACL definitions are called ACL
contents. Also, by incorporating NAFs, you can control the ACL contents that are
sent to the AAA client from which a user is seeking access. That is, a
downloadable IP ACL consists of one or more ACL content definitions, each of
which is either associated with a NAF or (by default) associated with all AAA
clients. (The NAF controls the applicability of specified ACL contents according
to the AAA client’s IP address. For more information on NAFs and how they
regulate downloadable IP ACLs, see About Network Access Filters, page 5-2.)
Downloadable IP ACLs operate as follows:
1. When Cisco Secure ACS grants a user access to the network, Cisco Secure
ACS determines whether a downloadable IP ACL is assigned to that user or
to that user’s group.
2. If Cisco Secure ACS locates a downloadable IP ACL assigned to the user or
the user’s group, it determines whether there is an ACL content entry
associated with the AAA client that sent the RADIUS authentication request.
3. Cisco Secure ACS sends, as part of the user session RADIUS access-accept
packet, an attribute specifying the named ACL and the version of the named
ACL.
4. If the AAA client responds that it does not have the current version of the
ACL in its cache (that is, the ACL is new or has changed), Cisco Secure ACS
sends the ACL (new or updated) to the device.
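
The four steps above, modelled as an added Python example (not code from this guide or from Cisco Secure ACS), showing NAF-based selection of ACL contents and the version check that lets the AAA client skip a download. Assumptions: all class and function names are hypothetical, a NAF is reduced to a list of CIDR ranges, content entries are checked in order, and the version is modelled as a digest of the ACL lines.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AclContent:
    lines: list
    naf: list = None  # CIDR strings; None models the default "all AAA clients"

@dataclass
class DownloadableAcl:
    name: str
    contents: list  # AclContent entries, checked in order (assumption)

    def select(self, aaa_client_ip):
        """Step 2: find the content entry that applies to this AAA client."""
        ip = ipaddress.ip_address(aaa_client_ip)
        for c in self.contents:
            if c.naf is None or any(ip in ipaddress.ip_network(n) for n in c.naf):
                return c
        return None

def version_of(content):
    # Assumption: the version is modelled as a digest of the ACL lines.
    return hashlib.sha256("\n".join(content.lines).encode()).hexdigest()[:8]

@dataclass
class AaaClient:
    ip: str
    cache: dict = field(default_factory=dict)  # ACL name -> (version, lines)

    def on_access_accept(self, name, version, fetch):
        """Steps 3-4: download only when the cached version is not current."""
        cached = self.cache.get(name)
        if cached and cached[0] == version:
            return "cache-hit"
        self.cache[name] = (version, fetch())
        return "downloaded"

def authorize(acl, client):
    """Run steps 1-4 for one session; returns (result, ACL lines in effect)."""
    content = acl.select(client.ip)
    if content is None:
        return "no-content-for-client", []
    result = client.on_access_accept(
        acl.name, version_of(content), lambda: list(content.lines))
    return result, client.cache[acl.name][1]

# Constructed sample: one content entry limited by a NAF, one default entry.
BRANCH = AclContent(["permit ip any 10.20.0.0 0.0.255.255"], naf=["192.0.2.0/24"])
DEFAULT = AclContent(["permit tcp any any eq 443", "deny ip any any"])
SAMPLE_ACL = DownloadableAcl("staff-acl", [BRANCH, DEFAULT])
```

Calling `authorize(SAMPLE_ACL, AaaClient("192.0.2.10"))` twice on the same client object shows the first call downloading the NAF-matched contents and the second being served from the client's cache.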
Downloadable IP ACLs are an alternative to configuring ACLs in the RADIUS
Cisco cisco-av-pair attribute [26/9/1] of each user or user group. You can create a
downloadable IP ACL once, give it a name, and then assign the downloadable IP
