# Cisco ACS



## rudation (Mar 17, 2012)

Hi,

I've got a little problem and I know you could help me. Recently I got a job, and now I have to repair a mess with Downloadable ACLs used to control VPN access in a company. I can't check it in practice because I don't have enough access. The only access I've got is through ACS to users and user groups, and configured dACLs. Now here's my problem.

I need to know, if ACLs assigned on user-level override those assigned on group-level. For example:

John is in group VPN and for this group there is a dACL called "VPN". John also has a dACL assigned on user level called "John-VPN".

VPN:
permit ip any host 10.0.0.1

John-VPN
permit ip any host 10.0.0.2

Will user-level configuration override group-level configuration, and will John have access *ONLY* to what is allowed by dACL "John-VPN" and *NOT* have access to what is allowed by dACL "VPN"? So will he have access only to 10.0.0.2 and no access to 10.0.0.1? Or maybe the configuration is not overridden but the user's dACL is checked first and then, if no result is found in it, the group-level dACL is checked?

Please help me.


----------



## Wand3r3r (Sep 17, 2010)

What IOS are you talking about? Cisco?


----------



## rudation (Mar 17, 2012)

It's Cisco. ACS is version 4.2. Honestly I don't know what IOS runs on the device which controls authentication of users connecting through VPN. In the dump file which I got from ACS, at the beginning, there is:
"
#DB dumped on CACS at 08:45 March 08 2012

*#DB version 10.0*

#SW version 4.2(0.124)

#Digest : 0x0000 
"

I think the DB version could be the version of IOS, but I have no idea. :-/


----------

