Cisco Catalyst 6500 Series Configuration Manual page 246

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Configuring Authorization for Network Access
The acl_name argument is the name that is defined on the RADIUS server, and number is a unique
version ID.
The downloaded ACL on the FWSM consists of the following lines:
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.252
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.252
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.252
access-list #ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7 permit ip any any
Configuring a Third-Party RADIUS Server for Downloadable ACLs
Configure the ACL using Cisco Vendor Specific Attribute (VSA) number 1 (cisco-AV-pair).
Configure one or more access control entries (ACEs) that are similar to the extended access-list
command (see the "Adding an Extended Access Control List" section on page 10-13), except that you
replace the following command prefix:
access-list acl_name extended
with the following text:
ip:inacl#nnn=
The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command
statement to be configured on the FWSM. If this parameter is omitted, the sequence value is 0, and the
order in the RADIUS configuration is used.
The following example is an ACL definition before it is downloaded to the FWSM:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#99=deny tcp any any
ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#100=deny udp any any
ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
The downloaded ACL name has the following format:
AAA-user-username
The username argument is the name of the user that is being authenticated.
The downloaded ACL on the FWSM consists of the following lines. Notice the order based on the
numbers identified on the RADIUS server:
access-list  AAA-user-john permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-john permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-john permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-john deny tcp any any
access-list  AAA-user-john deny udp any any
Downloaded ACLs have two spaces between the word "access-list" and the name. These spaces serve to
differentiate a downloaded ACL from a local ACL.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 12 Configuring AAA
12-26
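The two downloadable-ACL formats on this page (the Cisco Secure ACS name "#ACSACL#-ip-acl_name-number" and the third-party "ip:inacl#nnn=" AV pairs) are easy to get wrong on the RADIUS side, and the result is only visible after a user has authenticated. The following Python model is an added example, not Cisco's code: it reproduces the naming, the ordering rule (sequence number first, RADIUS attribute order as tiebreak, omitted sequence treated as 0) and the two-space marker, so an operator can predict and audit the access-list lines a given RADIUS profile will install. Assumptions not stated on the page are marked in comments: the AV-pair regex treats an omitted sequence as the literal form "ip:inacl#=", and the ACS version ID is taken to be whatever follows the last hyphen.

```python
"""Predict the access-list lines the FWSM builds from RADIUS downloadable-ACL data.

Added example (not Cisco code). It models the two formats described in the
"Configuring Authorization for Network Access" section so that a RADIUS profile
can be checked before it is pushed to production users.
"""
import re
from typing import List, NamedTuple, Tuple

# Cisco Secure ACS downloadable ACL name from the page: #ACSACL#-ip-<acl_name>-<version>.
# Assumption: <version> is the text after the last hyphen; <acl_name> may itself contain hyphens.
ACS_ACL_NAME = "#ACSACL#-ip-fwsm-acs_ten_acl-3b5385f7"
_ACS_NAME_RE = re.compile(r"^#ACSACL#-ip-(?P<acl_name>.+)-(?P<version>[^-]+)$")

# Third-party RADIUS format from the page: cisco-av-pair "ip:inacl#nnn=<ace>".
# Assumption: an omitted nnn is written as "ip:inacl#=<ace>" and means sequence 0.
_AVPAIR_RE = re.compile(r"^ip:inacl#(?P<seq>\d*)=(?P<ace>.+)$")
MAX_SEQ = 999_999_999  # upper bound of nnn given on the page

# The page's own example attributes, in the order they appear in the RADIUS profile.
PAGE_AVPAIRS = [
    "ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#99=deny tcp any any",
    "ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#100=deny udp any any",
    "ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
]


class Ace(NamedTuple):
    seq: int         # nnn from the AV pair (0 when omitted)
    radius_pos: int  # position of the attribute in the RADIUS reply (tiebreak)
    text: str        # the ACE body, e.g. "permit tcp any any"


def parse_acs_acl_name(name: str) -> Tuple[str, str]:
    """Split an ACS downloadable ACL name into (acl_name, version_id)."""
    m = _ACS_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an ACS downloadable ACL name: {name!r}")
    return m.group("acl_name"), m.group("version")


def parse_inacl_avpairs(avpairs: List[str]) -> List[Ace]:
    """Parse cisco-av-pair strings, validating the nnn range the page gives."""
    aces = []
    for pos, av in enumerate(avpairs):
        m = _AVPAIR_RE.match(av)
        if not m:
            raise ValueError(f"not an ip:inacl AV pair: {av!r}")
        seq = int(m.group("seq")) if m.group("seq") else 0
        if not 0 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence {seq} outside 0..{MAX_SEQ} in {av!r}")
        aces.append(Ace(seq, pos, m.group("ace").strip()))
    return aces


def order_aces(aces: List[Ace]) -> List[Ace]:
    """Order by nnn; equal (or omitted) sequence numbers keep RADIUS order."""
    return sorted(aces, key=lambda a: (a.seq, a.radius_pos))


def build_downloaded_acl(username: str, avpairs: List[str]) -> List[str]:
    """Render the access-list lines the FWSM installs for this user.

    The ACL is named AAA-user-<username>, and a downloaded ACL carries two
    spaces between "access-list" and the name, which is how the FWSM
    distinguishes it from a locally configured ACL.
    """
    name = f"AAA-user-{username}"
    return [f"access-list  {name} {a.text}" for a in order_aces(parse_inacl_avpairs(avpairs))]


def is_downloaded_acl_line(line: str) -> bool:
    """True for a downloaded (two-space) access-list line, False for a local one."""
    return line.startswith("access-list  ")


def split_acl_lines(config_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Separate downloaded from local access-list lines in captured configuration text."""
    acl_lines = [l for l in config_lines if l.startswith("access-list")]
    downloaded = [l for l in acl_lines if is_downloaded_acl_line(l)]
    local = [l for l in acl_lines if not is_downloaded_acl_line(l)]
    return downloaded, local


if __name__ == "__main__":
    print(parse_acs_acl_name(ACS_ACL_NAME))
    for line in build_downloaded_acl("john", PAGE_AVPAIRS):
        print(line)
```

Running the block with the page's five AV pairs reproduces the AAA-user-john ACL in the order 1, 2, 3, 99, 100 shown above; feeding it a profile that mixes numbered and unnumbered entries shows the unnumbered ones sorting to the front in RADIUS order, which is the behaviour to keep in mind when a permissive entry is left without a sequence number.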