Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Configuring AAA Rules for Network Access
Converting Wildcard Netmask Expressions in Downloadable ACLs
If a RADIUS server provides downloadable ACLs to Cisco VPN 3000 series concentrators as well as to
the ASA, you may need the ASA to convert wildcard netmask expressions to standard netmask
expressions. This is because Cisco VPN 3000 series concentrators support wildcard netmask
expressions, but the ASA only supports standard netmask expressions. Configuring the ASA to convert
wildcard netmask expressions helps minimize the effects of these differences on how you configure
downloadable ACLs on your RADIUS servers. Translation of wildcard netmask expressions means that
downloadable ACLs written for Cisco VPN 3000 series concentrators can be used by the ASA without
altering the configuration of the downloadable ACLs on the RADIUS server.
You configure ACL netmask conversion on a per-server basis using the acl-netmask-convert command,
available in the aaa-server configuration mode. For more information about configuring a RADIUS
server, see the general operations configuration guide. For more information about the
acl-netmask-convert command, see the command reference.
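To make the conversion concrete, here is an added Python model (not Cisco code, and not taken from this guide) of the wildcard-to-standard netmask translation described above. The ACE lines are constructed, and the three modes of convert_ace are this example's own reading of the acl-netmask-convert keywords; the handling of masks that are valid in both notations is the example's choice, not a statement of ASA behaviour.

```python
import ipaddress
import re

# Constructed sample ACEs: the RADIUS server might hand the first to a VPN 3000
# (wildcard mask) and the second to an ASA (standard mask); the third uses a
# mask that is legal in both notations and means opposite things in each.
SAMPLE_ACL = [
    "permit ip 10.1.1.0 0.0.0.255 any",
    "permit tcp 192.168.5.0 255.255.255.0 any",
    "deny ip 10.2.0.0 0.0.0.0 any",
]

ACE_RE = re.compile(r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
                    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<rest>.*)$")
ALL_ONES = 0xFFFFFFFF

def mask_kind(mask: str) -> str:
    """'standard' (1s then 0s), 'wildcard' (0s then 1s), 'ambiguous'
    (0.0.0.0 or 255.255.255.255: valid in both) or 'invalid' (non-contiguous)."""
    b = int(ipaddress.IPv4Address(mask))
    inv = b ^ ALL_ONES
    standard = (inv & (inv + 1)) == 0   # complement is 0s followed by 1s
    wildcard = (b & (b + 1)) == 0       # value itself is 0s followed by 1s
    if standard and wildcard:
        return "ambiguous"
    return "standard" if standard else "wildcard" if wildcard else "invalid"

def to_standard(mask: str) -> str:
    """Invert a wildcard mask into the standard netmask the ASA expects."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))

def convert_ace(line: str, mode: str = "auto-detect") -> tuple[str, str]:
    """Return (ACE with mask converted, mask kind). mode mirrors the keywords
    of acl-netmask-convert: 'standard' leaves masks alone, 'wildcard' always
    inverts, 'auto-detect' inverts only unambiguous wildcard masks. Leaving an
    ambiguous mask untouched is this example's choice, not ASA behaviour."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed ACE: {line!r}")
    kind = mask_kind(m["mask"])
    if kind == "invalid":
        raise ValueError(f"non-contiguous mask in ACE: {line!r}")
    new_mask = m["mask"]
    if mode == "wildcard" or (mode == "auto-detect" and kind == "wildcard"):
        new_mask = to_standard(m["mask"])
    return f"{m['action']} {m['proto']} {m['src']} {new_mask} {m['rest']}", kind
```

The ambiguous case is the reason to pick an explicit mode when you know which notation a given RADIUS server emits: a mask of 0.0.0.0 is a single host in wildcard form but "any" in standard form.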
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an ACL that you already created on the ASA from the RADIUS server when a
user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows:
filter-id=acl_name
Note: In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface,
omitting filter-id= and entering only acl_name.
For information about making the filter-id attribute value unique per user, see the documentation for your
RADIUS server.
To create an ACL on the ASA, see the general operations configuration guide.
Configuring Accounting for Network Access
The ASA can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP
traffic that passes through the ASA. If that traffic is also authenticated, then the AAA server can maintain
accounting information by username. If the traffic is not authenticated, the AAA server can maintain
accounting information by IP address. Accounting information includes session start and stop times,
username, the number of bytes that pass through the ASA for the session, the service used, and the
duration of each session.