Downloadable ACLs

The PIX Security Appliance Software has the ability to store ACLs on an AAA server and download them to the PIX as a user is authenticated. The PIX will permit or deny the user access based on the authentication of the user's credentials and the downloaded ACL. A user is authorized to do only what is permitted in the user's individual or group ACL entries. Only authentication needs to be configured on the PIX; the ACL itself is attached to the user or group profile on the AAA server. The PIX supports per-user or per-group ACL authorization.

Downloadable ACLs enable the administrator to enter an ACL once, in Cisco Secure ACS, and then load that ACL to any number of PIX Security Appliances. Downloadable ACLs work in conjunction with ACLs that are configured directly on the PIX and applied to its interfaces.

Neither type of ACL takes precedence over the other. In order to pass through the PIX Security Appliance, traffic must be permitted by both the interface ACL and the dynamic ACL if both are applicable. If either ACL denies the traffic, the traffic is prohibited.

Downloadable ACLs are applied to the interface from which the user is prompted to authenticate. They expire when the uauth timer expires and can be removed by entering the clear uauth command.

NOTE:

Downloadable ACLs are supported with RADIUS only. They are not supported with TACACS+.

The sequence of events shown in the Figure takes place when named downloadable ACLs are configured and a user attempts to establish a connection through the PIX Security Appliance.

In the example shown in the Figure, the PIX Security Appliance forwards the connection request to the web server. The downloaded ACL appears on the PIX as shown below. In the ACL name, acs_ten_acl is the name of the ACL as defined in the Shared Profile Component (SPC), and 3b5385f7 is a unique version identifier.

access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit ftp any host 172.26.26.50
access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit http any host 172.26.26.50
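The two rules above (the interface ACL and the downloaded ACL must both permit a flow, and a downloaded ACL is identified by the #ACSACL#-PIX-name-version convention) can be modelled in a few lines. The following is an added example, not code from the course text or from Cisco: it parses access-list lines in the simplified form the page shows, splits the ACS-generated name into SPC name and version id, and evaluates a flow first-match against both ACLs with the PIX's implicit deny at the end. The interface ACL named outside_in and the client address 10.0.0.5 are constructed for the demonstration.

```python
"""Model of how a PIX combines an interface ACL with a downloaded (per-user) ACL.

Added example, not the page's or Cisco's own code. Uses the simplified
access-list line form shown on the page: <action> <proto> <src> <dst>.
"""
import re
from dataclasses import dataclass

# Downloaded ACL name format described on the page: #ACSACL#-PIX-<spc_name>-<version>
ACS_NAME_RE = re.compile(r"^#ACSACL#-PIX-(?P<name>.+)-(?P<version>[0-9a-f]{8})$")

LINE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+)\s+(?P<dst>any|host \S+)$"
)

# The downloaded ACL exactly as the page shows it.
DOWNLOADED_ACL = """
access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit ftp any host 172.26.26.50
access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit http any host 172.26.26.50
"""

# Constructed interface ACL (hypothetical name outside_in): it permits http to
# the web server but explicitly denies ftp to it.
INTERFACE_ACL = """
access-list outside_in permit http any host 172.26.26.50
access-list outside_in deny ftp any host 172.26.26.50
"""


@dataclass
class Entry:
    action: str
    proto: str
    src: str  # "any" or a single host address
    dst: str


def _match_addr(spec, addr):
    return spec == "any" or spec == addr


def parse_acl(text):
    """Parse access-list lines; returns (acl_name, entries). All lines must share one name."""
    name, entries = None, []
    for raw in text.strip().splitlines():
        line = " ".join(raw.split())  # normalise whitespace (the page's copy was reflowed)
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {raw!r}")
        if name is None:
            name = m["acl"]
        elif name != m["acl"]:
            raise ValueError("mixed ACL names in one block")
        entries.append(Entry(m["action"], m["proto"],
                             m["src"].replace("host ", ""), m["dst"].replace("host ", "")))
    return name, entries


def acs_acl_id(acl_name):
    """Split an ACS-downloaded ACL name into (SPC name, version id); None for a local ACL."""
    m = ACS_NAME_RE.match(acl_name)
    return (m["name"], m["version"]) if m else None


def evaluate(entries, proto, src, dst):
    """First-match evaluation; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto == proto and _match_addr(e.src, src) and _match_addr(e.dst, dst):
            return e.action == "permit"
    return False


def allowed(interface_acl, downloaded_acl, proto, src, dst):
    """Neither ACL takes precedence: the flow passes only if both permit it."""
    return evaluate(interface_acl, proto, src, dst) and evaluate(downloaded_acl, proto, src, dst)


def demo():
    """Run the constructed client 10.0.0.5 against both ACLs for several flows."""
    _, iface = parse_acl(INTERFACE_ACL)
    dl_name, dl = parse_acl(DOWNLOADED_ACL)
    checks = {
        "http to .50": allowed(iface, dl, "http", "10.0.0.5", "172.26.26.50"),  # both permit
        "ftp to .50": allowed(iface, dl, "ftp", "10.0.0.5", "172.26.26.50"),    # interface denies
        "http to .51": allowed(iface, dl, "http", "10.0.0.5", "172.26.26.51"),  # implicit deny, both
        "ssh to .50": allowed(iface, dl, "ssh", "10.0.0.5", "172.26.26.50"),    # implicit deny, both
    }
    return acs_acl_id(dl_name), checks


if __name__ == "__main__":
    print(demo())
```

Only the first flow is accepted: ftp is permitted by the downloaded ACL but explicitly denied by the interface ACL, and the remaining two flows match nothing in either list, which is the implicit deny the page's "if either ACL denies the traffic" rule relies on.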

Configuring Downloadable ACLs in Cisco Secure ACS
There are two methods of configuring downloadable ACLs on the AAA server. The first method, downloading named ACLs, is to configure the SPC to include both the ACL name and the actual ACL, and then configure a user or group authentication profile to include the SPC. If a downloadable ACL is configured as a named SPC, that ACL can be applied to any number of Cisco Secure ACS user or group profiles. This method should be used when there are frequent requests for downloading a large ACL.

The second method is to configure on the AAA server a user authentication profile that includes the actual PIX ACL. In this case, the ACL is not identified by a name. Each ACL entry must be defined in the user profile. This method should be used when there are not frequent requests for the same ACL. For instructions on downloading ACLs without names, refer to the documentation on Cisco.com.

Resources

Resource: Configuring Downloadable ACLs on the CSACS

Resource: Assigning the ACL to the User on the CSACS