Table Of Contents
ACLs with RADIUS
Example Network
RADIUS Specification of Local ACLs
About RADIUS Specification of Local ACLs
PIX Firewall RADIUS Specification of Local ACLs
Cisco Secure ACS RADIUS Specification of Local ACLs
RADIUS ACLs using the Cisco AV Pair
About RADIUS ACLs using the Cisco AV Pair
Cisco Secure ACS RADIUS ACLs using the Cisco AV Pair
PIX Firewall RADIUS ACLs using the Cisco AV Pair
RADIUS Downloadable ACLs
About RADIUS Downloadable ACLs
Cisco Secure ACS RADIUS Downloadable ACLs
PIX Firewall RADIUS Downloadable ACLs for Outbound RADIUS
ACLs with RADIUS
This chapter describes three methods for creating access control lists (ACLs) and applying them to users based on RADIUS authorization. The introduction to each method explains its merits and weaknesses.
Regardless of the method used, using Cisco Secure Access Control Server (ACS) to apply ACLs to RADIUS-authenticated users lets you tailor ACLs to specific users or to groups of users. For example, members of different departments, such as engineering and marketing, might require different access through the outside interface. The example in this chapter limits members of the engineering department to the servers on the 209.165.201.0 network and denies them access to the rest of the Internet. Without such ACLs, an authenticated user has unrestricted access to hosts on the outside interface; the ACLs specified by Cisco Secure ACS narrow that access.
This chapter contains the following topics:
• Example Network
• RADIUS Specification of Local ACLs
• RADIUS ACLs using the Cisco AV Pair
• RADIUS Downloadable ACLs
Example Network
As in the other chapters of this guide, Figure 3-1 illustrates the network configuration used in this chapter. It is repeated here for your convenience.
Figure 3-1 Example Network
RADIUS Specification of Local ACLs
This section describes how to assign ACLs to users by specifying in Cisco Secure ACS the name of an ACL set that already exists on the PIX Firewall.
This section contains the following topics:
• About RADIUS Specification of Local ACLs
• PIX Firewall RADIUS Specification of Local ACLs
• Cisco Secure ACS RADIUS Specification of Local ACLs
About RADIUS Specification of Local ACLs
Using RADIUS to assign named ACL sets to users whose sessions transit the PIX Firewall lets the AAA server control which ACLs are assigned. However, it has two drawbacks that limit its use in a network with more than one PIX Firewall:
1. The named ACLs must be created on every PIX Firewall that uses the AAA server to assign them. Depending on how complex your ACL scheme is and how many PIX Firewalls you have, this can become very cumbersome to maintain.
2. The ACL names must be kept identical on all PIX Firewalls involved in the AAA scheme and on the AAA server itself. When you configure the AAA server, you might find it inconvenient to have to log in to the PIX Firewall to verify the names and content of the ACLs you want to assign to groups or users, and a name change on either side must be mirrored on the other.
If a PIX Firewall receives ACLs by other methods in addition to RADIUS specification of local ACLs, the PIX Firewall behaves as follows:
1. If ACLs are received in the Cisco AV pair, the PIX Firewall uses the ACLs from the Cisco AV pair and ignores all others.
2. If ACLs are received by two or more other methods, not including ACLs sent in the Cisco AV pair, the PIX Firewall uses the last ACLs received in the RADIUS packet.
PIX Firewall RADIUS Specification of Local ACLs
You can configure the PIX Firewall to apply locally defined ACLs based on the ACL set name that Cisco Secure ACS returns in the RADIUS response. This method requires that you define the ACL set on the PIX Firewall with the access-list command. In the example network, the ACLs permit any system on the inside interface of the PIX Firewall to reach the servers shown on the outside interface, and nothing else.
Assuming you want to give engineering department users access to these servers, you could name the ACL set eng. The name lets the RADIUS authorization message refer to the ACL set. The following commands create the eng ACL set:
access-list eng permit ip any 209.165.201.2 255.255.255.255
access-list eng permit ip any 209.165.201.3 255.255.255.255
access-list eng permit ip any 209.165.201.4 255.255.255.255
access-list eng permit ip any 209.165.201.5 255.255.255.255
access-list eng deny ip any any
access-list eng remark Permits access to outside servers for Engineering dept.
When a user on the inside interface requests access to the outside interface of the PIX Firewall, and Cisco Secure ACS authenticates the user and specifies the ACL set named eng, the PIX Firewall applies the eng ACL set to the user session. The entries are evaluated in order and the first match decides; traffic that matches no entry is denied, so the explicit deny ip any any at the end states what the access list would do anyway and makes the intent visible to whoever reads the configuration.
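The following Python is an added example; it is not part of this guide or of the PIX Firewall software. It models how an ACL set such as eng is evaluated against a user's traffic: it parses the access-list lines above (and the bare permit/deny form that Cisco Secure ACS uses for AV pairs and downloadable ACLs later in this chapter), applies first-match semantics with the implicit deny, and flags entries that an earlier entry shadows completely, which catches a deny ip any any pasted ahead of the permits. The inside host address 10.0.0.7 is constructed for the example; the ACE lines are the ones from this page.

```python
# Added model of how a per-user ACL set is evaluated; it is not PIX Firewall
# code. It parses the ACE syntax used in this chapter and applies first-match
# semantics with the implicit deny that ends every PIX access list.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                    # original line, kept for reporting

def _endpoint(tokens: list[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i].
    PIX access-list syntax takes a netmask here, not an IOS-style wildcard."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits set under a shorter mask
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one ACE in either the PIX CLI form used for the eng set
    ('access-list eng permit ip any ...') or the bare form typed into ACS
    ('permit ip any ...'). Remarks return None. Only protocol 'ip' is
    handled, which is all this chapter uses."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]                  # drop 'access-list <name>'
    if not tokens or tokens[0] == "remark":
        return None
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _endpoint(tokens, 2)
    dst, i = _endpoint(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(tokens[0], src, dst, line.strip())

def parse_acl(lines) -> list[Ace]:
    return [a for a in map(parse_ace, lines) if a is not None]

def evaluate(acl: list[Ace], src_ip: str, dst_ip: str) -> str:
    """The first ACE whose source and destination both match decides. No
    match means deny: the explicit 'deny ip any any' on this page spells
    out what the PIX does anyway at the end of an access list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"

def shadowed(acl: list[Ace]) -> list[Ace]:
    """ACEs that can never match because an earlier ACE covers them
    completely. A 'deny ip any any' pasted before the permits shadows
    every line after it, so a set that passes this check is at least
    in a usable order."""
    return [ace for i, ace in enumerate(acl)
            if any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst)
                   for e in acl[:i])]

# The eng ACL set from this page, exactly as entered on the PIX Firewall.
ENG_ACL = parse_acl("""\
access-list eng permit ip any 209.165.201.2 255.255.255.255
access-list eng permit ip any 209.165.201.3 255.255.255.255
access-list eng permit ip any 209.165.201.4 255.255.255.255
access-list eng permit ip any 209.165.201.5 255.255.255.255
access-list eng deny ip any any
access-list eng remark Permits access to outside servers for Engineering dept.
""".splitlines())

if __name__ == "__main__":
    # 10.0.0.7 stands in for an inside host; it is a constructed address.
    for dst in ("209.165.201.3", "209.165.201.9", "198.51.100.1"):
        print(f"10.0.0.7 -> {dst}: {evaluate(ENG_ACL, '10.0.0.7', dst)}")
    misordered = parse_acl(["deny ip any any", "permit ip any host 209.165.201.2"])
    print("shadowed:", [a.text for a in shadowed(misordered)])
```

Run it to see 209.165.201.3 permitted and the other two destinations denied, and the misordered two-line set reported with its permit shadowed. The same parser accepts the lines later pasted into the Cisco Secure ACS ACL Definitions box, so it can be used to check a set before it is entered.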
Cisco Secure ACS RADIUS Specification of Local ACLs
In Group Setup, edit the group whose users are to be limited to the access granted by the ACL set created in PIX Firewall RADIUS Specification of Local ACLs.
Before You Begin
This procedure assumes that you have correctly assigned engineering department users to the group that you will use to specify the named ACL set. You can accomplish this by configuring each user profile either to specify the group explicitly or to rely on group mapping to assign the group correctly after external user authentication has occurred. For information about external user authentication and group mapping, see the applicable Cisco Secure ACS user guide.
To specify a named ACL set for a Cisco Secure ACS group, follow these steps:
Step 1  Click Group Setup.
Step 2  From the Group list, select the group to which you want to assign engineering department members.
Tip
Select Rename Group, change the group name to Engineering, and click Submit. Later, you can find the group by its name rather than having to remember the number of the group you meant to assign engineers to.
Step 3  Select Edit Settings.
The Group Settings page for the selected group appears.
Step 4  From the Jump To list, select RADIUS (IETF).
The browser scrolls to the IETF RADIUS Attributes table on the Group Settings page.
Step 5  Select the [011] Filter-Id check box.
This specifies that Cisco Secure ACS should send RADIUS attribute number 11 in its response when it successfully authenticates a user with RADIUS.
Step 6  In the [011] Filter-Id box, type acl=eng.
This defines what Cisco Secure ACS sends in the Filter-Id attribute. The PIX Firewall recognizes the "acl=" prefix and assigns to the authenticated user the ACL set whose name matches the text following "acl=". That text must be the name of an access-list that exists on the PIX Firewall.
Step 7  Click Submit + Restart.
Cisco Secure ACS saves the group settings and begins including the IETF RADIUS Filter-Id attribute in authentication responses for users assigned to the group you modified.
RADIUS ACLs using the Cisco AV Pair
This section describes how to send ACLs from Cisco Secure ACS to the PIX Firewall for application to the user authenticated by RADIUS.
This section contains the following topics:
• About RADIUS ACLs using the Cisco AV Pair
• Cisco Secure ACS RADIUS ACLs using the Cisco AV Pair
• PIX Firewall RADIUS ACLs using the Cisco AV Pair
About RADIUS ACLs using the Cisco AV Pair
Sending ACLs using the Cisco AV pair uses unnamed ACLs; the AAA server sends the whole ACL set each time the user authenticates. Sending ACLs in the RADIUS response is more scalable than the approach presented in RADIUS Specification of Local ACLs; however, it has two drawbacks:
1. The ACL set must fit in a single RADIUS packet, which cannot exceed 4096 bytes (RFC 2865), and the usable space is further reduced by the 20-byte packet header and by any other attributes in the response. In addition, each cisco-av-pair attribute carries one ACE, and a RADIUS attribute value cannot exceed 253 bytes, 6 of which are the vendor header, so a single ACE line is limited to 247 bytes.
2. If group management in Cisco Secure ACS becomes complex, you may have to create the same ACLs in multiple groups. Although they would be centralized rather than scattered across multiple PIX Firewalls, the maintenance overhead could still be significant.
If a PIX Firewall receives ACLs in the Cisco AV pair of a RADIUS Access-Accept packet, ACLs received by other methods in the same packet, such as downloadable ACLs and specification of local ACLs, are ignored.
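The following Python is an added example; it is not code from this guide, from Cisco Secure ACS or from the PIX Firewall. It models the wire format behind the two RADIUS-borne methods whose encoding this chapter describes: the IETF Filter-Id attribute (11) carrying acl=eng, and the Cisco Vendor-Specific attribute (26, Vendor-Id 9, vendor type 1) carrying one ip:inacl# entry per attribute. It enforces the 253-byte attribute and 4096-byte packet limits from RFC 2865, shows how many ACEs of this page's shape fit in one Access-Accept, and applies the precedence rule stated in this section and in About RADIUS Specification of Local ACLs: AV pair ACEs win, otherwise the last ACL-bearing attribute in the packet is used. Ordering AV pair entries by their inacl# number is inferred from the page's tip about numbering by hundreds, and the downloadable ACL exchange is not modelled because the page does not describe its format.

```python
# Added model of the RADIUS attributes the methods in this chapter use; it is
# not Cisco Secure ACS or PIX Firewall code. It frames attributes per RFC 2865
# (Type, Length, Value; Vendor-Specific = Vendor-Id, vendor type, vendor length,
# string), enforces the 253-byte value and 4096-byte packet limits, and applies
# the selection rule this page states for a PIX that gets ACLs by several methods.
import re
import struct

FILTER_ID = 11              # IETF attribute carrying "acl=<name>"
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1           # shown in ACS as [009\001] cisco-av-pair
RADIUS_HEADER_LEN = 20      # Code, Identifier, Length, Authenticator
MAX_RADIUS_PACKET = 4096    # RFC 2865 section 3: maximum Length
MAX_ATTR_VALUE = 253        # Length octet (max 255) also counts Type and Length
VSA_OVERHEAD = 6            # Vendor-Id(4) + Vendor type(1) + Vendor length(1)

def attribute(atype: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError(f"attribute {atype}: {len(value)}-byte value exceeds {MAX_ATTR_VALUE}")
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_av_pair(text: str) -> bytes:
    """One cisco-av-pair VSA. Each line typed into the ACS cisco-av-pair box
    travels as its own Vendor-Specific attribute, so a single ACE is limited
    to 253 - 6 = 247 bytes regardless of how much room the packet has."""
    payload = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(payload) + 2) + payload
    return attribute(VENDOR_SPECIFIC, vsa)

def build_access_accept(filter_ids=(), av_pairs=()) -> bytes:
    """Attribute section of an Access-Accept, in the order given.
    Raises if the complete packet would exceed the RFC 2865 limit."""
    attrs = [attribute(FILTER_ID, f.encode("ascii")) for f in filter_ids]
    attrs += [cisco_av_pair(p) for p in av_pairs]
    total = RADIUS_HEADER_LEN + sum(len(a) for a in attrs)
    if total > MAX_RADIUS_PACKET:
        raise ValueError(f"Access-Accept would be {total} bytes; limit is {MAX_RADIUS_PACKET}")
    return b"".join(attrs)

def max_aces_per_packet(sample_av_pair: str, reserved: int = 0) -> int:
    """How many ACEs shaped like sample_av_pair fit in one Access-Accept after
    `reserved` bytes of other attributes: the size drawback of the AV pair method."""
    return (MAX_RADIUS_PACKET - RADIUS_HEADER_LEN - reserved) // len(cisco_av_pair(sample_av_pair))

def decode_attributes(blob: bytes):
    """Yield (type, vendor_id, vendor_type, value); vendor fields are None
    for attributes other than Vendor-Specific."""
    i = 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"malformed attribute at offset {i}")
        value = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:VSA_OVERHEAD])
            yield atype, vendor_id, vtype, value[VSA_OVERHEAD:VSA_OVERHEAD - 2 + vlen]
        else:
            yield atype, None, None, value
        i += alen

INACL = re.compile(r"^ip:inacl#(\d+)=(.+)$")

def select_user_acl(blob: bytes) -> dict:
    """The rule on this page: ACEs carried in cisco-av-pair win over anything
    else in the same Access-Accept; otherwise the last ACL-bearing attribute
    in the packet is used. ACEs are ordered by their inacl# number (inferred
    from the page's tip about numbering by hundreds, not stated by the page).
    Returns what the PIX would apply to the session."""
    av_aces, local_names = [], []
    for atype, vid, vtype, value in decode_attributes(blob):
        if atype == VENDOR_SPECIFIC and vid == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR:
            m = INACL.match(value.decode("ascii"))
            if m:
                av_aces.append((int(m.group(1)), m.group(2)))
        elif atype == FILTER_ID and value.startswith(b"acl="):
            local_names.append(value[4:].decode("ascii"))
    if av_aces:
        return {"method": "cisco-av-pair", "aces": [ace for _, ace in sorted(av_aces)]}
    if local_names:
        return {"method": "local-acl", "name": local_names[-1]}
    return {"method": None}

# The five AV pairs the ACS procedure in this section enters for the group.
PAGE_AV_PAIRS = [
    "ip:inacl#100=permit ip any 209.165.201.2 255.255.255.255",
    "ip:inacl#200=permit ip any 209.165.201.3 255.255.255.255",
    "ip:inacl#300=permit ip any 209.165.201.4 255.255.255.255",
    "ip:inacl#400=permit ip any 209.165.201.5 255.255.255.255",
    "ip:inacl#500=deny ip any any",
]

if __name__ == "__main__":
    print(select_user_acl(build_access_accept(filter_ids=["acl=eng"])))
    print(select_user_acl(build_access_accept(["acl=eng"], PAGE_AV_PAIRS)))
    print("ACEs of this shape per packet:", max_aces_per_packet(PAGE_AV_PAIRS[0]))
```

Running it prints the local-acl selection for a response carrying only Filter-Id, the AV pair selection when both are present in one packet, and 63 as the number of ACEs of the page's shape that fit in a single Access-Accept with no other attributes; other attributes in the response reduce that figure, as the page notes.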
Cisco Secure ACS RADIUS ACLs using the Cisco AV Pair
Using the Cisco RADIUS AV pair to send ACLs consists of defining the ACLs as the content of an outbound RADIUS vendor-specific attribute (VSA) for Cisco IOS/PIX RADIUS. The attribute to use is vendor attribute 1. When enabled, it appears in user or group settings as [009\001] cisco-av-pair: "009" is the Cisco vendor ID (9) and "001" is the VSA number.
When Cisco Secure ACS successfully authenticates a user whose user or group profile has this attribute enabled, it sends the attribute in its response to the PIX Firewall, provided that the AAA client entry for the PIX Firewall specifies RADIUS (Cisco IOS/PIX) in its Authenticate Using list. Otherwise the VSA is not included in the response.
Before You Begin
This procedure assumes that you have correctly assigned engineering department users to the group that you will use to specify the ACL set. You can accomplish this by configuring each user profile either to specify the group explicitly or to rely on group mapping to assign the group correctly after external user authentication has occurred. For information about external user authentication and group mapping, see the applicable Cisco Secure ACS user guide.
To configure the Cisco RADIUS AV Pair to send ACLs, follow these steps:
Step 1  Click Group Setup.
Step 2  From the Group list, select the group to which you want to assign engineering department members.
Tip
Select Rename Group, change the group name to Engineering, and click Submit. Later, you can find the group by its name rather than having to remember the number of the group you meant to assign engineers to.
Step 3  Select Edit Settings.
The Group Settings page for the selected group appears.
Step 4  From the Jump To list, select RADIUS (Cisco IOS/PIX).
The browser scrolls to the Cisco IOS/PIX RADIUS Attributes table on the Group Settings page.
Step 5  Select the [009\001] cisco-av-pair check box.
This specifies that Cisco Secure ACS should send Cisco RADIUS VSA number 1 in its response when it successfully authenticates a user with RADIUS.
Step 6  In the [009\001] cisco-av-pair box, type the following, one entry per line:
ip:inacl#100=permit ip any 209.165.201.2 255.255.255.255
ip:inacl#200=permit ip any 209.165.201.3 255.255.255.255
ip:inacl#300=permit ip any 209.165.201.4 255.255.255.255
ip:inacl#400=permit ip any 209.165.201.5 255.255.255.255
ip:inacl#500=deny ip any any
Tip
In this example, incrementing the ACE number by 100 leaves room to insert entries later without renumbering the existing lines.
This defines what Cisco Secure ACS sends in the cisco-av-pair VSA; each line is sent as a separate instance of the attribute. The PIX Firewall recognizes the ACLs and applies them to the authenticated user.
Step 7  Click Submit + Restart.
Cisco Secure ACS saves the group settings and begins including the RADIUS cisco-av-pair VSA in Cisco IOS/PIX RADIUS authentication responses for users assigned to the group you modified.
PIX Firewall RADIUS ACLs using the Cisco AV Pair
Aside from enabling RADIUS authentication, as shown in PIX Firewall Configuration for Outbound RADIUS Authentication, this means of deploying centralized ACLs requires no further configuration on the PIX Firewall. Provided that RADIUS authentication is configured correctly on the PIX Firewall and that the ACLs defined in the cisco-av-pair VSA are formatted correctly, the PIX Firewall applies them automatically.
For information about how the PIX Firewall interprets and applies ACLs sent in the cisco-av-pair VSA, see the configuration guide for your PIX Firewall.
RADIUS Downloadable ACLs
This section describes how to use the Downloadable IP ACL feature in Cisco Secure ACS to assign ACLs to a RADIUS-authenticated PIX Firewall user.
This section contains the following topics:
• About RADIUS Downloadable ACLs
• Cisco Secure ACS RADIUS Downloadable ACLs
• PIX Firewall RADIUS Downloadable ACLs for Outbound RADIUS
About RADIUS Downloadable ACLs
Downloadable ACLs are the most scalable means of using Cisco Secure ACS to provide the appropriate ACLs for each user. They provide the following:
• Unlimited ACL size: downloadable ACLs are sent using as many RADIUS packets as required to transport the full ACL set from Cisco Secure ACS to the PIX Firewall, so the single-packet size limit of the Cisco AV pair method does not apply.
• Centralized control of ACLs on the AAA server.
• Simplified management of ACLs on the AAA server: downloadable ACLs enable you to write a set of ACLs once and apply it to many user or group profiles.
This approach is most useful when you have very large ACL sets that you want to apply to more than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and group management makes it useful for ACL sets of any size.
If a PIX Firewall receives ACLs by other methods in addition to downloadable ACLs, the PIX Firewall behaves as follows:
1. If ACLs are received in the Cisco AV pair, the PIX Firewall uses the ACLs from the Cisco AV pair and ignores all others.
2. If ACLs are received by two or more other methods, not including ACLs sent in the Cisco AV pair, the PIX Firewall uses the last ACLs received in the RADIUS packet.
Cisco Secure ACS RADIUS Downloadable ACLs
Configuring downloadable ACLs in Cisco Secure ACS consists of creating the set and applying the set to the appropriate group profile.
Note
This section assumes that you have correctly assigned engineering department users to the group to which you will apply the downloadable ACL set. You can accomplish this by configuring each user profile either to specify the group explicitly or to rely on group mapping to assign the group correctly after external user authentication has occurred. For information about external user authentication and group mapping, see the applicable Cisco Secure ACS user guide.
This section contains the following topics:
• Creating the Downloadable ACL Set
• Applying the Downloadable ACL Set to a Group
Creating the Downloadable ACL Set
Cisco Secure ACS provides downloadable ACL sets as a means of configuring sets of ACLs that can be applied to many user or group profiles. This example gives the ACLs required to limit access for engineering department members. You can add or remove ACLs from a downloadable ACL set as needed.
To create the downloadable ACL set, follow these steps:
Step 1  Make sure the downloadable IP ACL feature is enabled. To do so, follow these steps:
a. Click Interface Configuration and then click Advanced Options.
b. Select the Group-Level Downloadable ACLs check box.
c. Click Submit.
Where applicable, the Cisco Secure ACS HTML interface now displays features related to downloadable IP ACLs.
Step 2  Click Shared Profile Components, click Downloadable IP ACLs, and then click Add.
The page for adding a downloadable ACL set appears.
Step 3  In the Name box, type Outside Svrs. Allowed.
Step 4  In the Description box, type Permits access only to our servers outside the PIX.
Step 5  In the ACL Definitions box, type the following, one ACE per line, without the access-list keyword or an ACL name:
permit ip any 209.165.201.2 255.255.255.255
permit ip any 209.165.201.3 255.255.255.255
permit ip any 209.165.201.4 255.255.255.255
permit ip any 209.165.201.5 255.255.255.255
deny ip any any
Step 6  Click Submit.
Cisco Secure ACS saves the downloadable ACL set. You can now apply it by name to group or user profiles.
Applying the Downloadable ACL Set to a Group
After you have created the downloadable ACL set in Creating the Downloadable ACL Set, you must associate it with the group that contains the members of the engineering department. This procedure provides the steps to do so.
To apply the downloadable ACL set to a group, follow these steps:
Step 1  Click Group Setup.
Step 2  From the Group list, select the group to which you want to assign engineering department members.
Tip
Select Rename Group, change the group name to Engineering, and click Submit. Later, you can find the group by its name rather than having to remember the number of the group you meant to assign engineers to.
Step 3  Select Edit Settings.
The Group Settings page for the selected group appears.
Step 4  From the Jump To list, select Downloadable ACLs.
The browser scrolls to the Downloadable ACLs table on the Group Settings page.
Step 5  In the Downloadable ACLs table, select the Assign IP ACL check box.
Step 6  From the Assign IP ACL list, select Outside Svrs. Allowed.
Cisco Secure ACS will use the downloadable ACL set named "Outside Svrs. Allowed" to send ACLs to the PIX Firewall when members of the Engineering group authenticate. You created the Outside Svrs. Allowed set in Creating the Downloadable ACL Set.
Step 7  Click Submit + Restart.
Cisco Secure ACS saves the group settings, restarts its services, and begins enforcing the group settings.
PIX Firewall RADIUS Downloadable ACLs for Outbound RADIUS
Aside from enabling RADIUS authentication, as shown in PIX Firewall Configuration for Outbound RADIUS Authentication, downloadable ACLs require no further configuration on the PIX Firewall. Provided that RADIUS authentication is configured correctly on the PIX Firewall, the PIX Firewall applies the downloaded ACLs automatically.
For information about how the PIX Firewall interprets and applies downloadable ACLs, see the configuration guide for your PIX Firewall.