Configuring Downloadable Access Lists

If you need to give users or groups of users different privileges with respect
to the services (FTP or HTTP) and hosts that they can access through the
firewall, the PIX firewall provides the ability to define per-user access lists
when used with an AAA server. Unlike earlier versions of the PIX firewall,
version 6.2 does not require you to perform any configuration on the PIX
firewall itself to implement this capability (assuming that RADIUS
authentication and authorization are already configured). You need only define
the appropriate access list within the user profile on the Cisco Secure ACS
server, and the access list is downloaded to the PIX firewall during user
authentication. This simplifies the configuration and improves scalability.
There are two options for implementing per-user access lists on the Cisco
Secure ACS server:

 Named downloadable access lists: The PIX firewall downloads a named access
 list once and can reuse it if you have assigned it to other users. You should
 use named access lists if you have multiple users that share an access list or
 if you have a large access list that is assigned to more than one user.

 Unnamed downloadable access lists: The PIX firewall downloads an unnamed
 access list for each user to which you assigned one. These access lists are
 not shared and are downloaded each time a user is authenticated. You should
 use an unnamed access list if a different access list is defined for every
 user.

NOTE

Downloadable ACLs are valid only with RADIUS, not TACACS+.
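
An added example, not part of the original page: a check to run over the entries of an unnamed per-user access list before they are entered in a Cisco Secure ACS user profile. It assumes the entries are written as `ip:inacl#<n>=<rule>` cisco-av-pair strings; the sample values, the ACL label and the function names are constructed for illustration.

```python
import re

# Constructed sample: AV-pair values a user profile might carry for an unnamed
# downloadable access list (addresses come from a documentation range).
SAMPLE_AV_PAIRS = [
    "ip:inacl#20=permit tcp any host 192.0.2.10 eq ftp",
    "ip:inacl#10=permit tcp any host 192.0.2.10 eq www",
    "ip:inacl#30=permit ip any any",
    "ip:inacl#40=allow tcp any any",   # malformed: action must be permit or deny
]

# Assumed entry format: ip:inacl#<sequence>=<permit|deny> <protocol> <rest>
AV_RE = re.compile(r"^ip:inacl#(\d+)=(permit|deny)\s+(\S+)\s+(.+)$")

def parse_av_pairs(av_pairs):
    """Return (entries, errors); entries are (seq, action, proto, rest) sorted by seq."""
    entries, errors = [], []
    for raw in av_pairs:
        m = AV_RE.match(raw.strip())
        if not m:
            errors.append(raw)          # keep the rejected line for the operator
            continue
        seq, action, proto, rest = m.groups()
        entries.append((int(seq), action, proto, " ".join(rest.split())))
    return sorted(entries), errors

def overly_broad(entries):
    """Permit entries with source and destination both 'any' and no port limit."""
    return [e for e in entries if e[1] == "permit" and e[3] == "any any"]

def render(entries, acl_name="per-user-acl"):
    """Show the entries as access-list lines; acl_name is a hypothetical label."""
    return [f"access-list {acl_name} {a} {p} {r}" for _, a, p, r in entries]

if __name__ == "__main__":
    entries, errors = parse_av_pairs(SAMPLE_AV_PAIRS)
    for line in render(entries):
        print(line)
    for e in overly_broad(entries):
        print("REVIEW: entry", e[0], "permits any source to any destination")
    for raw in errors:
        print("REJECTED:", raw)
```
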