The PIX and CSACS support downloadable ACLs, which let you create ACLs that are downloaded for a specific user or group of users. The ACL is downloaded during the authentication phase of a RADIUS connection; TACACS+ does not support this feature. There are two types of downloadable access lists: named and unnamed.
A named ACL lets you name an ACL that is downloaded once to the PIX and shared among many users. If a newer version of the ACL exists on the server, the newer version is downloaded and shared among the users assigned to that named ACL. Named ACLs work best when several users all need the same ACL control and when several PIX access servers need that same list.
The following is an example of a downloaded named ACL:
    pixfirewall(config)# show access-list
    access-list #ACSACL#-PIX-MySharedACL-3ef2957b; 3 elements
    access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any host 10.0.0.2 eq ftp (hitcnt=0)
    access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any host 10.0.0.3 eq www (hitcnt=0)
    access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any host 10.0.0.4 eq telnet (hitcnt=0)
The name of the list in the previous example is MySharedACL, and this list is shared by all users who have been assigned MySharedACL on the CSACS. The two tasks to configure a named downloadable ACL within CSACS should be included here:
Unnamed ACLs are used to specify ACLs for individual users. The list created is used only by a single user, as opposed to a named ACL, which is shared. These lists are recommended only if each user requires an individual list.
An example of a downloaded unnamed ACL is shown here:
    pixfirewall(config)# show access-list
    access-list AAA-user-daniel; 1 elements
    access-list AAA-user-daniel deny tcp any any eq www (hitcnt=0)
In the previous unnamed ACL example, an ACL is downloaded for a user named daniel and is used only by daniel.
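As an added example (not code from the original text), the following Python parser reads `show access-list` output in the format shown in both examples above and separates named (shared) downloadable ACLs, per-user unnamed ACLs, and statically configured ACLs, so an administrator auditing several PIX firewalls can see which CSACS ACL version each one is enforcing and which users carry individual lists. The name patterns (`#ACSACL#-PIX-<name>-<tag>` and `AAA-user-<username>`) are inferred from the output on this page, and the extra static ACL in the sample is constructed.

```python
import re
from dataclasses import dataclass, field

# Name patterns inferred from the show access-list output on this page (assumption):
#   named (shared) downloadable ACL : #ACSACL#-PIX-<name>-<version tag>
#   unnamed (per-user) downloadable : AAA-user-<username>
NAMED_RE = re.compile(r"^#ACSACL#-PIX-(?P<name>.+)-(?P<tag>[0-9a-f]{8})$")
UNNAMED_RE = re.compile(r"^AAA-user-(?P<user>\S+)$")
HEADER_RE = re.compile(r"^access-list (?P<acl>\S+); (?P<count>\d+) elements$")
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) (?P<ace>(?:permit|deny) .+?) \(hitcnt=(?P<hits>\d+)\)$")

# Constructed sample: the two outputs from the text plus one static ACL (outside_in).
SAMPLE = """pixfirewall(config)# show access-list
access-list #ACSACL#-PIX-MySharedACL-3ef2957b; 3 elements
access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any host 10.0.0.2 eq ftp (hitcnt=0)
access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any host 10.0.0.3 eq www (hitcnt=0)
access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any host 10.0.0.4 eq telnet (hitcnt=0)
access-list AAA-user-daniel; 1 elements
access-list AAA-user-daniel deny tcp any any eq www (hitcnt=0)
access-list outside_in; 1 elements
access-list outside_in permit tcp any host 10.0.0.5 eq smtp (hitcnt=12)
"""

@dataclass
class Acl:
    name: str
    kind: str                 # "named", "unnamed" or "static"
    owner: str                # shared ACL name, username, or "" for static
    version: str              # CSACS version tag (named ACLs only)
    declared: int = 0         # element count from the "; N elements" header
    entries: list = field(default_factory=list)  # (ace text, hit count)

def classify(acl_name):
    """Map a PIX ACL name to (kind, owner, version) using the patterns above."""
    if (m := NAMED_RE.match(acl_name)):
        return "named", m.group("name"), m.group("tag")
    if (m := UNNAMED_RE.match(acl_name)):
        return "unnamed", m.group("user"), ""
    return "static", "", ""

def parse_show_access_list(text):
    """Return {acl name: Acl} for every ACL present in the output."""
    acls = {}
    for line in text.splitlines():
        if (h := HEADER_RE.match(line.strip())):
            acls[h.group("acl")] = Acl(h.group("acl"), *classify(h.group("acl")), int(h.group("count")))
        elif (a := ACE_RE.match(line.strip())):
            acl = acls.setdefault(a.group("acl"), Acl(a.group("acl"), *classify(a.group("acl"))))
            acl.entries.append((a.group("ace"), int(a.group("hits"))))
    return acls

def summarize(acls):
    """Shared ACL versions in force, users with individual lists, and header/element mismatches."""
    shared = {a.owner: a.version for a in acls.values() if a.kind == "named"}
    users = sorted(a.owner for a in acls.values() if a.kind == "unnamed")
    mismatched = sorted(a.name for a in acls.values() if a.declared != len(a.entries))
    return shared, users, mismatched
```

Comparing the `shared` dictionary across firewalls shows whether every PIX has fetched the same CSACS version of a named ACL.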