Cisco ASDM User Guide, OL-16647-01
Chapter 23 Applying AAA for Network Access
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 series concentrators as well
as to the security appliance, you may need the security appliance to convert wildcard netmask
expressions to standard netmask expressions. This is because Cisco VPN 3000 series concentrators
support wildcard netmask expressions, whereas the security appliance supports only standard netmask
expressions. Configuring the security appliance to convert wildcard netmask expressions reduces the
effect of this difference on how you configure downloadable access lists on your RADIUS servers:
downloadable access lists written for Cisco VPN 3000 series concentrators can be used by the security
appliance without altering the configuration of the downloadable access lists on the RADIUS server.
You configure access list netmask conversion on a per-server basis when you add a server to a server
group, on the Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server
Groups area. See the “Adding a Server to a Group” section on page 14-10.
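As an added illustration (not part of the Cisco guide), the following Python code performs the conversion described above on a few constructed ACEs written in VPN 3000 wildcard style: each wildcard mask is inverted into a standard netmask, while an entry whose wildcard is non-contiguous is reported instead of converted, because no standard netmask expresses it. The ACE syntax handled (`any`, `host A.B.C.D`, `A.B.C.D mask`) and the sample entries are assumptions of this example.

```python
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: ACEs as written for a Cisco VPN 3000 concentrator, where the
# mask is a wildcard (0 bits must match). The last entry has a non-contiguous
# wildcard (0.0.255.0) and therefore has no standard-netmask equivalent.
VPN3000_ACL = [
    "permit ip 10.1.1.0 0.0.0.255 any",
    "permit tcp 192.168.0.0 0.0.255.255 host 172.16.5.10 eq 443",
    "permit udp 0.0.0.0 255.255.255.255 host 172.16.5.53 eq 53",
    "deny ip 10.9.0.0 0.0.255.0 any",
]

def wildcard_to_netmask(wildcard: str) -> str:
    """Invert a wildcard mask into a standard netmask; reject non-contiguous masks."""
    octets = wildcard.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"malformed mask {wildcard!r}")
    netmask = 0xFFFFFFFF ^ int.from_bytes(bytes(int(o) for o in octets), "big")
    # A standard netmask is a run of 1 bits followed by 0 bits; anything else
    # (for example 255.255.0.255) cannot be expressed as a prefix length.
    ones = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is non-contiguous; no netmask equivalent")
    return ".".join(str(b) for b in netmask.to_bytes(4, "big"))

def convert_ace(ace: str) -> str:
    """Rewrite every 'address wildcard' pair in one ACE; 'any' and 'host X' are left alone."""
    tokens = ace.split()
    i = 1  # tokens[0] is permit/deny
    while i < len(tokens) - 1:
        if IPV4.match(tokens[i]) and IPV4.match(tokens[i + 1]) and tokens[i - 1] != "host":
            tokens[i + 1] = wildcard_to_netmask(tokens[i + 1])
            i += 2  # skip the mask we just rewrote so it is not read as an address
        else:
            i += 1
    return " ".join(tokens)

def convert_acl(aces):
    """Return (converted ACEs, rejected ACEs with reason) for a downloadable ACL."""
    converted, rejected = [], []
    for ace in aces:
        try:
            converted.append(convert_ace(ace))
        except ValueError as exc:
            rejected.append((ace, str(exc)))
    return converted, rejected
```

Entries in the rejected list are the ones that cannot be expressed with standard netmasks and so need attention in the RADIUS server configuration rather than on the appliance.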
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the security appliance (at the CLI)
from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute
(attribute number 11) as follows:
filter-id=acl_name
Note In Cisco Secure ACS, the value for a filter-id attribute is specified in a box in the HTML interface,
omitting filter-id= and entering only acl_name.
For information about making the filter-id attribute value unique per user, see the documentation for your
RADIUS server.
See the Cisco Security Appliance Command Line Configuration Guide to create an access list on the
security appliance.
Configuring Accounting for Network Access
The security appliance can send accounting information to a RADIUS or TACACS+ server about any
TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then
the AAA server can maintain accounting information by username. If the traffic is not authenticated, the
AAA server can maintain accounting information by IP address. Accounting information includes when
sessions start and stop, username, the number of bytes that pass through the security appliance for the
session, the service used, and the duration of each session.
To configure accounting, perform the following steps:
Step 1 If you want the security appliance to provide accounting data per user, you must enable authentication.
For more information, see the “Configuring Network Access Authentication” section on page 23-4. If
you want the security appliance to provide accounting data per IP address, enabling authentication is not
necessary and you can continue to the next step.
Step 2 From the Configuration > Firewall > AAA Rules pane, choose Add > Add Accounting Rule.
The Add Accounting Rule dialog box appears.