Setting Access Rights 421
Chapter 20
Creating Session ACLs and Roles
Creating a Session ACL for Logon
A session ACL must first be created for the Logon role. That ACL will contain filters that control the user's access during the logon process, before the user is authenticated.
Session ACLs are created or modified using the ip access-list session command. See "Access Control List Commands" on page 835.
Predefined ACLs
A predefined session ACL named control is provided. The predefined filters for the default control ACL are shown below:
• svc-icmp
• svc-dns
• svc-dhcp
• svc-papi
• svc-tftp
• svc-bootp
If a WINS server is configured, then the following filter should be added to the control ACL:
• svc-nbns
Another predefined ACL named captive portal allows only the traffic necessary for captive portal authentication. The filters associated with this ACL are:
• svc-http dst-nat 8080
• svc-https
• svc-https dst-nat 8081
Separate ACLs should be created for use after the user has been authenticated and assigned a role.
Creating Session ACLs For Users
Access rights for successfully authenticated users are granted by creating session ACLs that are assigned to a user after authentication.
After a session ACL has been created, it must be assigned to one or more roles using the user-role command. See "Role Sub-Mode" on page 819.
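The following is an added illustration, not text from this manual, showing the two steps above (create the session ACLs, then attach them to roles) in ArubaOS-style CLI. The filter syntax "user any <service> permit", the "session-acl" sub-mode command, the "mswitch" alias and the names employee-access and employee are assumptions taken from ArubaOS conventions and should be verified against the command reference cited above.

```text
! Pre-authentication ACL: only the services the logon process itself
! needs (the predefined control filters listed above).
ip access-list session control
  user any svc-icmp permit
  user any svc-dns permit
  user any svc-dhcp permit
  user any svc-papi permit
  user any svc-tftp permit
  user any svc-bootp permit
! Add svc-nbns only if a WINS server is configured.
  user any svc-nbns permit
!
! Captive portal ACL: redirect web traffic to the portal ports and
! allow nothing else. Order matters: the plain svc-https rule is
! limited to the controller (alias mswitch, assumed) so it does not
! shadow the dst-nat 8081 rule that follows it.
ip access-list session captiveportal
  user any svc-http dst-nat 8080
  user alias mswitch svc-https permit
  user any svc-https dst-nat 8081
!
! The logon role carries only the two pre-authentication ACLs, so an
! unauthenticated user can reach nothing beyond DHCP, DNS and the portal.
user-role logon
  session-acl control
  session-acl captiveportal
!
! Post-authentication ACL, kept separate from the logon ACLs and
! assigned to its own role. Names are assumed for illustration.
ip access-list session employee-access
  user any svc-dns permit
  user any svc-http permit
  user any svc-https permit
! Explicit catch-all deny so the intended policy is clear when read.
  user any any deny
!
user-role employee
  session-acl employee-access
```

Reviewing the logon role is the key check: any filter there is reachable by anyone who associates, before authentication, so it should contain nothing beyond the control and captive portal services.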