RE: downloadable ACLs

From: Fred Reimer <freimer_at_ctiusa.com>
Date: Tue, 7 Apr 2009 11:36:35 -0400

The config guide says:

"You can configure a RADIUS server to download an access list to the security appliance or an access list name at the time of authentication. The user is authorized to do only what is permitted in the user-specific access list."

That implies the per-user-override is required. It is the only way I
have ever configured downloadable access lists.

Fred Reimer, CCIE 23812, CISSP 107125
Senior Systems Architect
Coleman Technologies, Inc.
3250 W. Commercial Blvd., Suite 360
Oakland Park, FL 33309
Office: 407-481-8600 x1307
eFAX: 407-284-6681
Cell: 954-298-1697

From: Jason Morris [mailto:mcnever_at_gmail.com]
Sent: Tuesday, April 07, 2009 10:05 AM
To: Fred Reimer
Cc: ccielab_at_groupstudy.com
Subject: Re: downloadable ACLs

Mike,
Yes, I can see the downloaded ACL when I do a 'show access-list'. I do
have the access-group applied and I am not using the 'per-user-override'
keyword, as in 'access-group acl_in in interface inside'.

Fred,
I'm not sure what you mean by 'Override, not supplement.' It's my
understanding that I do not want override. The documentation I've seen
says that the 'override' tells the ASA to ignore the ACL on the
interface.

Thanks
Jason

On Tue, Apr 7, 2009 at 9:55 AM, Fred Reimer <freimer_at_ctiusa.com> wrote:

Override, not supplement.

Fred Reimer, CCIE 23812, CISSP 107125
Senior Systems Architect
Coleman Technologies, Inc.
3250 W. Commercial Blvd., Suite 360
Oakland Park, FL 33309
Office: 407-481-8600 x1307
eFAX: 407-284-6681
Cell: 954-298-1697

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Jason Morris
Sent: Tuesday, April 07, 2009 9:45 AM
To: ccielab_at_groupstudy.com
Subject: downloadable ACLs

I'm having some issues with a downloadable ACL on an ASA and ACS 4.2.

I have the authentication on the ASA configured and the ACL gets pushed
down just fine. I want the ASA to process the downloaded ACL for the user
and then process the ACL on the incoming interface. Seems simple enough;
as I understand it, that's the default operation.

This is what I'm currently seeing. I have a host on the inside of the ASA
which, before authenticating, can ping a host on the outside of the ASA.
I see counters on the interface ACL increment when he pings, I get a
response, everything is peachy. Once that user authenticates I can pass
all the traffic permitted in the downloadable ACL and I still see the
counters in the interface ACL increment, but I don't get a response from
the traffic that passes on the interface ACL.

Anyone familiar with this?

Thanks
Jason
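
Added example (mine, not from any poster in this thread): an ASA configuration showing the two forms of the access-group command the thread is arguing about, with the cut-through proxy pieces around them. Interface names, addresses (RFC 5737 space), the server-group name, the shared secret and the ACL contents are placeholders. The behavioural notes in the comments are my reading of the access-group command reference: without per-user-override the ASA evaluates both the interface ACL and the downloaded ACL and the authenticated user's traffic has to be permitted by both, which is what Jason's symptom looks like; with the keyword, the downloaded ACL replaces the interface ACL for that authenticated user's traffic only.

```cisco
! Added example, not configuration from the thread. All names, addresses
! and the secret are placeholders.

! Interface ACL: what an inside host may do before it authenticates.
access-list acl_in extended permit icmp any any
access-list acl_in extended permit tcp any any eq www
access-list acl_in extended deny ip any any

! Traffic that triggers cut-through proxy authentication.
access-list auth_match extended permit tcp any any eq www

! RADIUS server group (the ACS box) reachable on the inside interface.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key ExampleSharedSecret
aaa authentication match auth_match inside ACS

! Form 1, as posted in the thread. acl_in stays in force for everyone;
! after authentication the per-user ACL is applied as well, so the user's
! traffic has to be permitted by BOTH lists. Traffic that acl_in permits
! but the per-user ACL does not is dropped (acl_in's counters still
! increment because it is evaluated first).
access-group acl_in in interface inside

! Form 2 (use one form or the other, the second replaces the first).
! The downloaded per-user ACL now REPLACES acl_in for that user's
! sessions; unauthenticated hosts are still governed by acl_in.
access-group acl_in in interface inside per-user-override

! What the RADIUS server returns for the user, shown here in the inline
! cisco-av-pair form (ACS's Downloadable IP ACL feature delivers the same
! list via a #ACSACL#-IP-<name>-<hash> reference that the ASA fetches in
! a follow-up request):
!   ip:inacl#1=permit tcp any host 198.51.100.20 eq 80
!   ip:inacl#2=deny ip any any

! Verification on the ASA.
show uauth           ! authenticated users, source addresses and timers
show access-list     ! the downloaded list shows up with its own hit counts
clear uauth          ! force re-authentication after changing the DACL on ACS
```

Security caveat: with per-user-override the interface ACL no longer applies to that user's sessions at all, so a loose downloadable ACL on the ACS (a 'permit ip any any' entry, for instance) silently lifts every interface-level restriction for anyone who can authenticate as that user. Keep the downloadable ACLs at least as tight as the interface ACL, and after each change confirm with 'show access-list' that the list the ASA actually holds contains only what you expect.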

Received on Tue Apr 07 2009 - 11:36:35 ART
