41-13
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 41 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
In addition, the ASA signs the request with the Message-Authenticator attribute (IETF RADIUS
attribute 80).
4. After receipt of a RADIUS authentication request that has a username attribute that includes the
name of a downloadable access list, Cisco Secure ACS authenticates the request by checking the
Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect,
Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute
prevents malicious use of a downloadable access list name to gain unauthorized network access. The
Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions,
available at http://www.ietf.org.
5. If the access list required is less than approximately 4 KB in length, Cisco Secure ACS responds
with an access-accept message that includes the access list. The largest access list that can fit in a
single access-accept message is slightly less than 4 KB, because part of the message must be other
required attributes.
Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access
list is formatted as a series of attribute-value pairs that each include an ACE and are numbered
serially:
ip:inacl#1=ACE-1
ip:inacl#2=ACE-2
.
.
.
ip:inacl#n=ACE-n
The following example is of an attribute-value pair:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds
with an access-challenge message that includes a portion of the access list, formatted as described
previously, and a State attribute (IETF RADIUS attribute 24), which includes control data used by
Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete
attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum
RADIUS message size.
The ASA stores the portion of the access list received and responds with another access-request
message that includes the same attributes as the first request for the downloadable access list, plus
a copy of the State attribute received in the access-challenge message.
This process repeats until Cisco Secure ACS sends the last of the access list in an access-accept
message.
Configuring Cisco Secure ACS for Downloadable Access Lists
You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and
then assign the access list to a group or to an individual user.
The access list definition consists of one or more ASA commands that are similar to the extended
access-list command (see command reference), except without the following prefix:
access-list acl_name extended
The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:
+--------------------------------------------+
| Shared profile Components |
| |
| Downloadable IP ACLs Content |