5-3
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 5 Setting Up and Managing Shared Profile Components
Downloadable PIX ACLs
The ACL definitions that you enter into Cisco Secure ACS consist of one or more
PIX ACL commands, with each command on a separate line. Using standard
RADIUS Cisco AV-pairs limits you to a maximum of 4 kilobytes of ACLs, whereas
downloadable PIX ACLs can be of unlimited size. When entering the ACL
definitions in the ACS HTML interface, do not use keyword and name entries; in
all other respects, use standard PIX ACL command syntax and semantics. An
example of the format you should use to enter ACL definitions follows:
permit tcp any host 11.0.0.254
permit udp any host 11.0.0.254
permit icmp any host 11.0.0.254
permit tcp any host 11.0.0.253
See the “Command Reference” section of your PIX Firewall configuration guide
for detailed ACL definition information.
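As an added example that is not part of the Cisco guide, the following Python checker applies the two rules stated above to an ACL body as it would be pasted into the ACS form: one PIX ACL command per line, and no keyword and name entry (read here as the "access-list <name>" prefix). It also reports whether the same text would have fit in the 4 kilobytes available to standard RADIUS Cisco AV-pairs. The sample bodies are constructed, and the syntax it checks (permit/deny, protocol, source and destination address specs) covers only the basic PIX command form.

```python
AV_PAIR_LIMIT_BYTES = 4 * 1024  # ceiling for ACLs carried in standard RADIUS Cisco AV-pairs
ACTIONS = {"permit", "deny"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

# Constructed sample bodies: the guide's four example lines, and one with mistakes.
SAMPLE_ACL = """\
permit tcp any host 11.0.0.254
permit udp any host 11.0.0.254
permit icmp any host 11.0.0.254
permit tcp any host 11.0.0.253
"""
BAD_ACL = """\
access-list inbound permit tcp any host 11.0.0.254
allow udp any any
permit tcp host 11.0.0.1
"""
def _is_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)
def _parse_address(tokens, pos):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[pos]; return the next index."""
    if pos < len(tokens) and tokens[pos] == "any":
        return pos + 1
    if pos + 1 < len(tokens) and tokens[pos] == "host" and _is_ipv4(tokens[pos + 1]):
        return pos + 2
    if pos + 1 < len(tokens) and _is_ipv4(tokens[pos]) and _is_ipv4(tokens[pos + 1]):
        return pos + 2
    raise ValueError(f"missing or malformed address spec at token {pos + 1}")
def check_acl_definition(text):
    """Return per-line error strings for a downloadable ACL body ([] when it is clean).
    Tokens after the destination address (eq/range port operators) are passed through."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":  # keyword-and-name entry, which the form does not take
            errors.append(f"line {lineno}: remove the 'access-list <name>' prefix")
        elif tokens[0] not in ACTIONS or len(tokens) < 2 or tokens[1] not in PROTOCOLS:
            errors.append(f"line {lineno}: expected '<permit|deny> <protocol> ...'")
        else:
            try:
                _parse_address(tokens, _parse_address(tokens, 2))  # source, then destination
            except ValueError as e:
                errors.append(f"line {lineno}: {e}")
    return errors
def fits_in_av_pairs(text):
    """True if this body would also fit the 4 KB limit of the standard AV-pair method."""
    return len(text.encode()) <= AV_PAIR_LIMIT_BYTES
```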
ACLs entered into the Cisco Secure ACS are protected by whatever backup or
replication regime you have established for the Cisco Secure ACS. After you
configure an ACL as a named shared profile component, you can include that ACL
in any Cisco Secure ACS user or user group profile. When Cisco Secure ACS
returns an attribute with a named ACL as part of a user session RADIUS access
accept packet, the PIX Firewall applies that ACL to the session of that user.
Cisco Secure ACS uses a versioning stamp to ensure that the PIX Firewall has
cached the latest ACL version. If a PIX Firewall responds that it does not have the
current version of the named ACL in its cache (that is, the ACL is new or has
changed), Cisco Secure ACS uploads the ACL update to the PIX Firewall cache.
After you configure a downloadable PIX ACL, it can be applied against any
number of single users or user groups.