8-14
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 8 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server and includes
the following topics:
• About the Downloadable ACL Feature and Cisco Secure ACS, page 8-14
• Configuring Cisco Secure ACS for Downloadable ACLs, page 8-15
• Configuring Any RADIUS Server for Downloadable ACLs, page 8-16
• Converting Wildcard Netmask Expressions in Downloadable ACLs, page 8-17
About the Downloadable ACL Feature and Cisco Secure ACS
Downloadable ACLs is the most scalable means of using Cisco Secure ACS to provide the appropriate
ACLs for each user. It provides the following capabilities:
• Unlimited ACL size—Downloadable ACLs are sent using as many RADIUS packets as required to
transport the full ACL from Cisco Secure ACS to the ASA.
• Simplified and centralized management of ACLs—Downloadable ACLs enable you to write a set of
ACLs once and apply it to many user or group profiles and distribute it to many ASAs.
This approach is most useful when you have very large ACL sets that you want to apply to more than
one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and group
management makes it useful for ACLs of any size.
The ASA receives downloadable ACLs from Cisco Secure ACS using the following process:
1. The ASA sends a RADIUS authentication request packet for the user session.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS
access-accept message that includes the internal name of the applicable downloadable ACL. The
Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) includes the following attribute-value
pair to identify the downloadable ACL set:
ACS:CiscoSecure-Defined-ACL=acl-set-name
where acl-set-name is the internal name of the downloadable ACL, which is a combination of the
name assigned to the ACL by the Cisco Secure ACS administrator and the date and time that the
ACL was last modified.
3. The ASA examines the name of the downloadable ACL and determines if it has previously received
the named downloadable ACL.
–
If the ASA has previously received the named downloadable ACL, communication with Cisco
Secure ACS is complete and the ASA applies the ACL to the user session. Because the name of
the downloadable ACL includes the date and time that it was last modified, matching the name
sent by Cisco Secure ACS to the name of an ACL previously downloaded means that the ASA
has the most recent version of the downloadable ACL.
–
If the ASA has not previously received the named downloadable ACL, it may have an
out-of-date version of the ACL or it may not have downloaded any version of the ACL. In either
case, the ASA issues a RADIUS authentication request using the downloadable ACL name as
the username in the RADIUS request and a null password attribute. In a cisco-av-pair RADIUS
VSA, the request also includes the following attribute-value pairs:
AAA:service=ip-admission
AAA:event=acl-download
In addition, the ASA signs the request with the Message-Authenticator attribute (IETF RADIUS
attribute 80).