Configuring Named Downloadable Access Lists
Named downloadable access lists are shared profile components within Cisco
Secure ACS. Shared profile components are reusable authorization definitions that
need to be created only once and can be shared among users and groups. In
other words, instead of having to recreate a given access list every time you add a
new user, you can create the access list once and then apply it to users as they
are added. This eases the administrative burden significantly and increases the scalability
of the authorization controls.
www.syngress.com
276 Chapter 5 • Authentication, Authorization, and Accounting
You need to complete two main tasks to configure named downloadable
access lists within Cisco Secure ACS:
1. Define the named downloadable access list within the Shared Profile
Components section of Cisco Secure ACS.
2. Apply the named downloadable access list to the appropriate users
within the User Setup section of Cisco Secure ACS.
To define a named downloadable access list, click the Shared Profile
Components button on the left side of the Cisco Secure ACS HTML interface,
as shown in Figure 5.41.
Click Downloadable PIX ACLs in the Shared Profile Components
window, as shown in Figure 5.42.
Within the Downloadable PIX ACLs window, click the Add button to
define a new downloadable access list, as shown in Figure 5.43.
The Downloadable PIX ACLs Edit window, shown in Figure 5.44, allows you
to define a new downloadable access list. Enter a name for the access list in the
Name text box and an optional description in the Description text box. In the
ACL Definitions text box, enter the entries for the access list. Create an entry
using the syntax of the access-list command, omitting both the access-list keyword
and the name of the access list.
Figure 5.41 Cisco Secure ACS Main Interface: User Setup
Figure 5.44 shows an example. When you finish creating the access list
entries, click the Submit button.
Figure 5.42 The Cisco Secure ACS Shared Profile Components Window
Figure 5.43 The Cisco Secure ACS Downloadable PIX ACLs Window
Now that you have defined the named access list, it is available for you to
assign to users. Click the User Setup button on the left side of the Cisco Secure
ACS HTML interface and select the user that you want to edit (or add a new user
as shown earlier in the section “Adding a New User to Cisco Secure ACS”).
Scroll down within the User Setup window until you see the Downloadable
ACLs section, as shown in Figure 5.45. Select the Assign PIX ACL check box,
and select the appropriate named access list from the corresponding drop-down
list. Click the Submit button to assign the access list to the user.
NOTE
If you do not see the Downloadable ACLs section, you need to enable
this option by clicking the Interface Configuration button on the
Cisco Secure ACS main screen, clicking Advanced Options, then
selecting the User-Level Downloadable ACLs and Group-Level
Downloadable ACLs check boxes.
Figure 5.44 The Cisco Secure ACS Edit Downloadable ACLs Window
You do not have to configure anything on the PIX firewall to complete the
downloadable access list configuration. When a user authenticates to the PIX firewall,
the access list is downloaded with a name that has the following format:
#ACSACL#-
In this syntax, acl_name is the name that you gave the access list within Cisco
Secure ACS, and version_id is a unique ID assigned to the access list. Figure 5.46
provides an example of what the downloadable access list looks like on the PIX
firewall. Within the figure, the first show access-list command was issued before user
authentication, and the second show access-list command was issued after user
authentication. As you can see, no access lists were defined before user authentication,
but there is a downloadable access list defined after authentication, and it
has a name that complies with the format identified previously.
Figure 5.45 Cisco Secure ACS: Assigning Downloadable ACL
Figure 5.46 Named Downloadable Access List: PIX Firewall View
PIX1(config)# show access-list
PIX1(config)# show access-list
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e; 5 elements
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e deny tcp any host 206.65.190.2 eq www (hitcnt=0)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e deny tcp any host 207.46.197.102 eq www (hitcnt=0)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e deny tcp any host 192.168.1.2 any eq ftp (hitcnt=0)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e deny ip host 192.168.1.3 any (hitcnt=0)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e permit ip any any (hitcnt=2)
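The following Python example is added here and is not part of the book or of Cisco Secure ACS; it serves two passages above: the abbreviated entry syntax typed into the ACL Definitions text box, and the #ACSACL#- name format that a before/after pair of show access-list commands lets you verify on the PIX. The sample show access-list output is constructed, modeled on Figure 5.46 with a constructed locally configured list named outside_in added to show that non-ACS lists are ignored; the hit counts and element counts are illustrative. The code assumes that version_id is the trailing hexadecimal token of the name and treats everything between the prefix and that token as the name part (in the figure this includes a PIX- portion in front of the name given in ACS).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Name format from the text: "#ACSACL#-" prefix, a name part, and a trailing version_id
# (assumed here to be a hexadecimal token, as in the Figure 5.46 example).
ACS_NAME_RE = re.compile(r"^#ACSACL#-(?P<name>.+)-(?P<version>[0-9A-Fa-f]+)$")
HEADER_RE = re.compile(r"^access-list\s+(?P<acl>\S+);\s+(?P<count>\d+)\s+elements\s*$")
ENTRY_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)\s*\(hitcnt=(?P<hits>\d+)\)\s*$"
)
# Shape of one abbreviated entry in the ACS "ACL Definitions" box (no keyword, no list name).
DEFINITION_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp|icmp|\d{1,3})\s+\S+")

# Constructed sample of what an administrator types into the ACL Definitions box.
SAMPLE_ACL_DEFINITIONS = """\
deny tcp any host 206.65.190.2 eq www
deny tcp any host 207.46.197.102 eq www
deny ip host 192.168.1.3 any
permit ip any any
"""

# Constructed "show access-list" output after authentication, modeled on Figure 5.46.
# "outside_in" is a constructed local list, present to show that it is filtered out.
SAMPLE_SHOW_AFTER = """\
access-list outside_in; 1 elements
access-list outside_in permit tcp any host 10.0.0.5 eq www (hitcnt=7)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e; 4 elements
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e deny tcp any host 206.65.190.2 eq www (hitcnt=0)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e deny tcp any host 207.46.197.102 eq www (hitcnt=0)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e deny ip host 192.168.1.3 any (hitcnt=0)
access-list #ACSACL#-PIX-sample-pix_acls-3d7fe64e permit ip any any (hitcnt=2)
"""
# Before authentication only the local list exists (constructed).
SAMPLE_SHOW_BEFORE = "\n".join(SAMPLE_SHOW_AFTER.splitlines()[:2]) + "\n"


@dataclass
class AclEntry:
    action: str
    protocol: str
    rest: str        # source, destination and port qualifiers as printed by the PIX
    hitcnt: int


@dataclass
class DownloadedAcl:
    full_name: str
    name_part: str   # everything between "#ACSACL#-" and the version_id
    version_id: str
    declared_elements: Optional[int] = None
    entries: List[AclEntry] = field(default_factory=list)


def validate_acl_definitions(text: str) -> List[str]:
    """Check ACL Definitions lines; returns problems (empty list when every line looks valid)."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access-list"):
            problems.append(f"line {lineno}: omit the access-list keyword and the ACL name")
        elif not DEFINITION_RE.match(line):
            problems.append(f"line {lineno}: expected 'permit|deny <protocol> <source> ...'")
    return problems


def _acs_list(acls: Dict[str, DownloadedAcl], full_name: str) -> Optional[DownloadedAcl]:
    """Record for an ACS-pushed list (created on first sight); None for a local list."""
    m = ACS_NAME_RE.match(full_name)
    if m is None:
        return None
    if full_name not in acls:
        acls[full_name] = DownloadedAcl(full_name, m.group("name"), m.group("version"))
    return acls[full_name]


def parse_downloaded_acls(show_output: str) -> Dict[str, DownloadedAcl]:
    """Parse 'show access-list' output, keeping only lists named with the #ACSACL#- prefix."""
    acls: Dict[str, DownloadedAcl] = {}
    for raw in show_output.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            acl = _acs_list(acls, m.group("acl"))
            if acl is not None:
                acl.declared_elements = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if m:
            acl = _acs_list(acls, m.group("acl"))
            if acl is not None:
                acl.entries.append(AclEntry(m.group("action"), m.group("proto"),
                                            m.group("rest"), int(m.group("hits"))))
    return acls


def newly_downloaded(show_before: str, show_after: str) -> List[str]:
    """Names of ACS-pushed lists present after authentication but absent before it."""
    return sorted(set(parse_downloaded_acls(show_after)) - set(parse_downloaded_acls(show_before)))


def review_acl(acl: DownloadedAcl) -> List[str]:
    """Findings a reviewer wants before trusting the downloaded list."""
    findings = []
    if acl.declared_elements is not None and acl.declared_elements != len(acl.entries):
        findings.append(f"declared {acl.declared_elements} elements but parsed {len(acl.entries)}")
    if acl.entries:
        last = acl.entries[-1]
        if last.action == "permit" and last.protocol == "ip" and last.rest == "any any":
            findings.append("ends with 'permit ip any any': only the explicit deny entries restrict this user")
    return findings


if __name__ == "__main__":
    print("definition problems:", validate_acl_definitions(SAMPLE_ACL_DEFINITIONS))
    for name in newly_downloaded(SAMPLE_SHOW_BEFORE, SAMPLE_SHOW_AFTER):
        acl = parse_downloaded_acls(SAMPLE_SHOW_AFTER)[name]
        print(name, "version", acl.version_id, "entries", len(acl.entries), review_acl(acl))
```

Running the module compares the two constructed snapshots the way the figure does: the #ACSACL#- list appears only after authentication, its parsed entry count is checked against the element count the PIX declares, and the trailing permit ip any any is reported so that the reviewer knows the explicit deny entries are the only restrictions this user receives.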