Cisco 3.3 User Manual
Page 163
5-9
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 5 Shared Profile Components
Downloadable IP ACLs
ACL to each applicable user or user group by referencing its name. This is more
efficient than configuring the RADIUS Cisco cisco-av-pair attribute for each user
or user group.
Further, by employing NAFs you can apply different ACL contents to the same
user or group of users according to the AAA client they are using. No additional
configuration of the AAA client is necessary after you have configured the AAA
client to use downloadable IP ACLs from Cisco Secure ACS. Downloadable
ACLs are protected by the backup or replication regimen you have established.
While entering the ACL definitions in the Cisco Secure ACS HTML interface, do
not use keyword and name entries; in all other respects, use standard ACL
command syntax and semantics for the AAA client on which you intend to apply
the downloadable IP ACL. The ACL definitions that you enter into Cisco Secure
ACS consist of one or more ACL commands. Each ACL command must be on a
separate line.
You can add one or more named ACL contents to a downloadable IP ACL. By
default each ACL content applies to all AAA clients; however, if you have defined
NAFs, you can limit the applicability of each ACL content to the AAA clients
listed in the NAF you associate to it. That is, by employing NAFs you can make
each ACL content, within a single downloadable IP ACL, applicable to multiple
different network devices or network device groups in accordance with your
network security strategy. For more information on NAFs, see .
Also, you can change the order of the ACL contents listed within a downloadable
IP ACL. Cisco Secure ACS examines ACL contents starting from the top of the
table and downloads the first ACL content it finds with a NAF that includes the
AAA client that is being used. In setting the order, you should seek to ensure
system efficiency by arranging the most widely applicable ACL contents higher
on the list; but also realize that if your NAFs include overlapping populations of
AAA clients, you must proceed from the more specific to the more general. For
example, once Cisco Secure ACS reaches an ACL content with the
“All-AAA-Clients” NAF setting, it will download that content for every AAA
client and not consider any ACL contents that are lower on the list.
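To make the ordering rule concrete, the following is an added Python model (not part of the Cisco guide) of the top-down selection Cisco Secure ACS performs, together with a check for ACL contents that a higher, broader row such as “All-AAA-Clients” shadows; the NAF membership table, the ACL content names and the hostnames are constructed for the example.

```python
# Added example, not from the Cisco guide: model how Cisco Secure ACS picks the ACL
# content of a downloadable IP ACL for an AAA client, and flag contents that an
# earlier, broader NAF makes unreachable (the ordering pitfall described above).
from dataclasses import dataclass

ALL_AAA_CLIENTS = "All-AAA-Clients"  # NAF setting that matches every AAA client

# Constructed NAF table (hostnames are illustrative): NAF name -> its AAA clients.
NAFS = {
    "Branch-Routers": {"rtr-br-01", "rtr-br-02"},
    "DC-Firewalls": {"fw-dc-01"},
}

@dataclass
class ACLContent:
    name: str            # name of this ACL content within the downloadable IP ACL
    naf: str             # NAF associated with the content
    commands: list       # ACL commands, one per line, as entered in ACS

def naf_matches(naf, aaa_client):
    """All-AAA-Clients matches any client; a named NAF matches only its members."""
    return naf == ALL_AAA_CLIENTS or aaa_client in NAFS.get(naf, set())

def select_acl_content(contents, aaa_client):
    """ACS downloads the FIRST content (top-down) whose NAF includes the client."""
    for content in contents:
        if naf_matches(content.naf, aaa_client):
            return content.name
    return None

def shadowed_contents(contents):
    """Names of contents that can never be downloaded: every AAA client in their
    NAF is already caught by an earlier row (or the NAF has no members)."""
    shadowed = []
    for i, content in enumerate(contents):
        earlier = contents[:i]
        if content.naf == ALL_AAA_CLIENTS:
            hidden = any(e.naf == ALL_AAA_CLIENTS for e in earlier)
        else:
            hidden = all(any(naf_matches(e.naf, c) for e in earlier)
                         for c in NAFS.get(content.naf, set()))
        if hidden:
            shadowed.append(content.name)
    return shadowed

# Constructed downloadable IP ACL: the catch-all row sits above a specific one.
DACL = [
    ACLContent("catch-all", ALL_AAA_CLIENTS, ["permit ip any any"]),
    ACLContent("branch", "Branch-Routers", ["deny tcp any any eq 23", "permit ip any any"]),
]
```

Reversing the two rows of `DACL` (specific NAF first, All-AAA-Clients last) makes `shadowed_contents` return an empty list while branch routers still receive their own content.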
To use a downloadable IP ACL on a particular AAA client, the following
requirements must be met:
• The AAA client must use RADIUS for authentication.
• The AAA client must support downloadable IP ACLs.