The PIX Security Appliance Software has the ability to store ACLs on an AAA
server, and download them to the PIX as a user is authenticated. The PIX will
permit or deny the user access based on the authentication of the user’s
credentials and the downloaded ACL. A user is authorized to do only what is
permitted in the user’s individual or group ACL entries. Only authentication
needs to be configured on the PIX, and an ACL attached to the user, or group,
profile on the AAA server. The PIX supports per-user or per-group ACL
authorization.
Downloadable ACLs enable the administrator to enter an ACL once, in Cisco
Secure ACS, and then load that ACL to any number of PIX Security Appliances.
Downloadable ACLs work in conjunction with ACLs that are configured directly on
the PIX and applied to its interfaces.
Neither type of ACL takes precedence over the other. In order to pass through
the PIX Security Appliance, traffic must be permitted by both the interface ACL
and the dynamic ACL if both are applicable. If either ACL denies the traffic,
the traffic is prohibited.
Downloadable ACLs are applied to the interface from which the user is prompted
to authenticate. They expire when the uauth timer expires and can be removed by
entering the clear uauth command.
NOTE: Downloadable ACLs are supported with RADIUS only. They are not supported
with TACACS+.
The sequence of events shown in Figure takes place when named downloadable ACLs
are configured and a user attempts to establish a connection through the PIX
Security Appliance.
In the example shown in Figure, the PIX Security Appliance forwards the
connection request to the web server. The downloaded ACL appears on the PIX as
shown below. The ACL name is the name of the ACL as defined in the Shared
Profile Component (SPC), and 3b5385f7 is a unique version identifier.
access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit ftp any host 172.26.26.50
access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit http any host 172.26.26.50
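The following is an added example, not code from Cisco or from this document. It models the two rules stated above: the downloaded ACL name carries the SPC name and a version identifier, and a connection passes only when both the interface ACL and the downloaded (dynamic) ACL permit it. The ACL syntax is simplified to a service keyword instead of the PIX "tcp ... eq" form; the interface ACL named inside_in, the user address 10.0.0.5 and the "ip" wildcard service are constructed for the example, and the two downloaded entries are the ones shown on the page.

```python
# Added example (not Cisco code): a small model of how a PIX Security
# Appliance combines an interface ACL with a per-user downloaded ACL.
import re
from dataclasses import dataclass

# Name format of an ACL downloaded from Cisco Secure ACS, as shown on the page:
# #ACSACL#-PIX-<SPC name>-<version id>
ACS_NAME_RE = re.compile(r"^#ACSACL#-PIX-(?P<spc>.+)-(?P<version>[0-9a-f]+)$")

# Constructed sample input: the downloaded ACL from the page (ftp and http to
# the web server) and a hypothetical interface ACL that denies ftp but permits
# every other service to that host.
DOWNLOADED_ACL_LINES = [
    "access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit ftp any host 172.26.26.50",
    "access-list #ACSACL#-PIX-acs_ten_acl-3b5385f7 permit http any host 172.26.26.50",
]
INTERFACE_ACL_LINES = [
    "access-list inside_in deny ftp any host 172.26.26.50",
    "access-list inside_in permit ip any host 172.26.26.50",
]


@dataclass
class Ace:
    """One access control entry, simplified to action, service, source, destination."""
    action: str   # "permit" or "deny"
    service: str  # service keyword, or "ip" to match any service (assumption)
    src: str      # "any" or a host address
    dst: str      # "any" or a host address


def parse_acs_name(name):
    """Split a downloadable ACL name into (SPC name, version identifier)."""
    m = ACS_NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a Cisco Secure ACS downloadable ACL name: {name}")
    return m.group("spc"), m.group("version")


def _take_addr(tokens):
    """Consume 'any' or 'host <ip>' from the front of the token list."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"expected 'any' or 'host <ip>', got {tokens!r}")


def parse_acl(lines):
    """Parse access-list lines into {acl_name: [Ace, ...]} in configured order."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            raise ValueError(f"unrecognised ACL line: {line!r}")
        name, action, service = tokens[1], tokens[2], tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        src, rest = _take_addr(tokens[4:])
        dst, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens {rest!r} in {line!r}")
        acls.setdefault(name, []).append(Ace(action, service, src, dst))
    return acls


def _addr_matches(pattern, value):
    return pattern == "any" or pattern == value


def evaluate(aces, service, src, dst):
    """First-match evaluation with an implicit deny when no entry matches."""
    for ace in aces:
        if (ace.service in ("ip", service)
                and _addr_matches(ace.src, src)
                and _addr_matches(ace.dst, dst)):
            return ace.action == "permit"
    return False


def pix_allows(interface_aces, dynamic_aces, service, src, dst):
    """The page's rule: traffic passes only if both the interface ACL and the
    downloaded (dynamic) ACL permit it; a deny in either one prohibits it."""
    return (evaluate(interface_aces, service, src, dst)
            and evaluate(dynamic_aces, service, src, dst))


def decisions():
    """Decide three constructed flows from the authenticated user to the web server."""
    interface = parse_acl(INTERFACE_ACL_LINES)["inside_in"]
    dynamic = parse_acl(DOWNLOADED_ACL_LINES)["#ACSACL#-PIX-acs_ten_acl-3b5385f7"]
    user, server = "10.0.0.5", "172.26.26.50"
    return {
        "http": pix_allows(interface, dynamic, "http", user, server),      # True: both permit
        "ftp": pix_allows(interface, dynamic, "ftp", user, server),        # False: interface ACL denies
        "telnet": pix_allows(interface, dynamic, "telnet", user, server),  # False: downloaded ACL never permits
    }


if __name__ == "__main__":
    print(parse_acs_name("#ACSACL#-PIX-acs_ten_acl-3b5385f7"))
    print(decisions())
```

The telnet case is the one worth noticing when troubleshooting: the interface ACL permits it, yet the connection is still dropped because the user's downloaded ACL has no matching permit entry and so falls through to the implicit deny.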
Configuring Downloadable ACLs in Cisco Secure ACS
There are two methods of configuring downloadable ACLs on the AAA server. The
first method, downloading named ACLs, is to configure the SPC to include both
the ACL name and the actual ACL and then configure a user, or group,
authentication profile to include the SPC. If a downloadable ACL is configured
as a named SPC, that ACL can be applied to any number of Cisco Secure ACS user,
or group, profiles. This method should be used when there are frequent requests
for downloading a large ACL.
The second method is to configure on the AAA server a user authentication
profile that includes the actual PIX ACL. In this case, the ACL is not
identified by a name. Each ACL entry must be defined in the user profile. This
method should be used when there are not frequent requests for the same ACL.
For instructions on downloading ACLs without names, refer to the documentation
on Cisco.com.