Cisco Systems ASA 5525-X Network Router User Manual


  Open as PDF
of 2086
 
38-5
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
Information About AAA
A list of attributes is available at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1
605508
RADIUS Authorization Functions
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall
cut-through-proxy sessions using dynamic access lists or access list names per user. To implement
dynamic access lists, you must configure the RADIUS server to support it. When the user authenticates,
the RADIUS server sends a downloadable access list or access list name to the ASA. Access to a given
service is either permitted or denied by the access list. The ASA deletes the access list when the
authentication session expires.
In addtition to access lists, the ASA supports many other attributes for authorization and setting of
permissions for VPN remote access and firewall cut-through proxy sessions. For a complete list of
authorization attributes, see the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp16055
08
TACACS+ Server Support
The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
RSA/SDI Server Support
The RSA SecureID servers are also known as SDI servers.
This section includes the following topics:
RSA/SDI Version Support, page 38-5
Two-step Authentication Process, page 38-5
RSA/SDI Primary and Replica Servers, page 38-6
RSA/SDI Version Support
The ASA supports SDI Versions 5.x, 6.x, and 7.x. SDI uses the concepts of an SDI primary and SDI
replica servers. Each primary and its replicas share a single node secret file. The node secret file has its
name based on the hexadecimal value of the ACE or Server IP address, with .sdi appended.
A version 5.x, 6.x, or 7.x SDI server that you configure on the ASA can be either the primary or any one
of the replicas. See the “RSA/SDI Primary and Replica Servers” section on page 38-6 for information
about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI Versions 5.x, 6.x, or 7.x use a two-step process to prevent an intruder from capturing information
from an RSA SecurID authentication request and using it to authenticate to another server. The agent
first sends a lock request to the SecurID server before sending the user authentication request. The server