Cisco ASA 5505 Configuration Manual page 710

Configuring Authorization for Network Access

2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS access-accept message that contains the internal name of the applicable downloadable access list. The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) contains the following attribute-value pair to identify the downloadable access list set:

    ACS:CiscoSecure-Defined-ACL=acl-set-name

where acl-set-name is the internal name of the downloadable access list, which is a combination of the name assigned to the access list by the Cisco Secure ACS administrator and the date and time that the access list was last modified.

3. The adaptive security appliance examines the name of the downloadable access list and determines whether it has previously received the named downloadable access list.

   - If the adaptive security appliance has previously received the named downloadable access list, communication with Cisco Secure ACS is complete and the adaptive security appliance applies the access list to the user session. Because the name of the downloadable access list includes the date and time it was last modified, a match between the name sent by Cisco Secure ACS and the name of a previously downloaded access list means that the adaptive security appliance already has the most recent version of the downloadable access list.

   - If the adaptive security appliance has not previously received the named downloadable access list, it may have an out-of-date version of the access list or it may not have downloaded any version of the access list. In either case, the adaptive security appliance issues a RADIUS authentication request using the downloadable access list name as the username in the RADIUS request and a null password attribute. In a cisco-av-pair RADIUS VSA, the request also includes the following attribute-value pairs:

         AAA:service=ip-admission
         AAA:event=acl-download

     In addition, the adaptive security appliance signs the request with the Message-Authenticator attribute (IETF RADIUS attribute 80).

4. Upon receipt of a RADIUS authentication request that has a username attribute containing the name of a downloadable access list, Cisco Secure ACS authenticates the request by checking the Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect, Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute prevents malicious use of a downloadable access list name to gain unauthorized network access. Note that Message-Authenticator is an HMAC-MD5 keyed with the RADIUS shared secret, so this protection is only as strong as the secrecy of that shared secret. The Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions, available at http://www.ietf.org.

5. If the required access list is less than approximately 4 KB in length, Cisco Secure ACS responds with an access-accept message containing the access list. The largest access list that can fit in a single access-accept message is slightly less than 4 KB because part of the message must carry other required attributes.

   Cisco Secure ACS sends the downloadable access list in a cisco-av-pair RADIUS VSA. The access list is formatted as a series of attribute-value pairs, each containing one ACE, numbered serially:

         ip:inacl#1=ACE-1
         ip:inacl#2=ACE-2
         .
         .
         .
         ip:inacl#n=ACE-n

   An example of an attribute-value pair follows:

         ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 33, Configuring AAA Rules for Network Access, page 33-12 (OL-20339-01)
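The exchange described in steps 3 through 5, modelled end to end as an added example (this is not code from the Cisco guide, the ASA, or Cisco Secure ACS). The ASA side checks its cache of downloaded access-list names, builds an Access-Request with the ACL name as User-Name, a null User-Password, the two AAA: cisco-av-pairs and a Message-Authenticator (attribute 80, HMAC-MD5 per RFC 2869); the ACS side ignores any request whose Message-Authenticator is missing or wrong and otherwise answers with ip:inacl#n= pairs in a cisco-av-pair VSA (vendor 9, attribute 1), which the ASA reassembles in order. The shared secret, the ACL set name and its modification stamp, the ACEs, and the RADIUS identifier are constructed sample values, UDP transport and the other attributes a real NAS would send (NAS-IP-Address and so on) are omitted, and the packet encoding follows RFC 2865/2869 rather than any captured ASA or ACS traffic.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used in the downloadable-ACL exchange (RFC 2865/2869)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 1, 2, 26, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # cisco-av-pair VSA: vendor 9, attribute 1

# Constructed sample data (not from the guide): shared secret, ACL set name with a
# modification stamp appended, and the ACEs that ACS holds for that set.
SECRET = b"constructed-shared-secret"
ACL_SET_NAME = "#ACSACL#-IP-Engineering-4d7c1a2b"
ACS_STORE = {ACL_SET_NAME: ["permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
                            "deny ip any any"]}


def attr(atype, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific attribute carrying a cisco-av-pair: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    v = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(v)) + v)


def decode_avpair(value):
    """Return the cisco-av-pair text from a Vendor-Specific value, or None for other vendors/types."""
    if len(value) >= 6 and value[:4] == struct.pack("!I", CISCO_VENDOR_ID) and value[4] == CISCO_AVPAIR:
        return value[6:4 + value[5]].decode()
    return None


def encrypt_password(secret, request_authenticator, password=b""):
    """RFC 2865 s5.2 User-Password hiding; an empty password gives the 'null password' attribute."""
    padded = password.ljust(16, b"\x00")[:16]
    mask = hashlib.md5(secret + request_authenticator).digest()
    return bytes(a ^ b for a, b in zip(padded, mask))


def parse_attrs(pkt):
    """Yield (type, offset, value) for each attribute after the 20-byte RADIUS header."""
    i = 20
    while i + 2 <= len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield t, i, pkt[i + 2:i + length]
        i += length


def message_authenticator(secret, pkt, offset):
    """RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the packet with the MA value zeroed."""
    zeroed = pkt[:offset + 2] + b"\x00" * 16 + pkt[offset + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_acl_download_request(secret, ident, acl_set_name, sign=True):
    """ASA side of step 3: Access-Request with the ACL name as User-Name and a null password."""
    request_authenticator = os.urandom(16)
    attrs = [attr(USER_NAME, acl_set_name.encode()),
             attr(USER_PASSWORD, encrypt_password(secret, request_authenticator)),
             cisco_avpair("AAA:service=ip-admission"),
             cisco_avpair("AAA:event=acl-download")]
    if sign:
        attrs.append(attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled in below
    body = b"".join(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body
    if sign:
        off = next(o for t, o, _ in parse_attrs(pkt) if t == MESSAGE_AUTHENTICATOR)
        pkt = pkt[:off + 2] + message_authenticator(secret, pkt, off) + pkt[off + 18:]
    return pkt


def acs_handle_request(secret, pkt, acl_store):
    """ACS side of steps 4 and 5: ignore the request unless Message-Authenticator verifies."""
    attrs = list(parse_attrs(pkt))
    ma = [(o, v) for t, o, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not ma or not hmac.compare_digest(ma[0][1], message_authenticator(secret, pkt, ma[0][0])):
        return None                                  # missing or incorrect: request is ignored
    name = next((v.decode() for t, _, v in attrs if t == USER_NAME), None)
    avpairs = {decode_avpair(v) for t, _, v in attrs if t == VENDOR_SPECIFIC}
    if "AAA:event=acl-download" not in avpairs or name not in acl_store:
        return None
    body = b"".join(cisco_avpair(f"ip:inacl#{n}={ace}") for n, ace in enumerate(acl_store[name], 1))
    header = struct.pack("!BBH", ACCESS_ACCEPT, pkt[1], 20 + len(body))
    response_authenticator = hashlib.md5(header + pkt[4:20] + body + secret).digest()   # RFC 2865 s3
    return header + response_authenticator + body


def asa_parse_accept(secret, request, response):
    """ASA side: check the Response Authenticator, then reassemble the ACEs in ip:inacl# order."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[0] != ACCESS_ACCEPT or not hmac.compare_digest(response[4:20], expected):
        return None
    aces = {}
    for t, _, v in parse_attrs(response):
        text = decode_avpair(v) if t == VENDOR_SPECIFIC else None
        if text and text.startswith("ip:inacl#"):
            n, _, ace = text[len("ip:inacl#"):].partition("=")
            aces[int(n)] = ace
    return [aces[n] for n in sorted(aces)]


def asa_apply_acl(secret, acl_set_name, cache, acl_store, ident=7):
    """Step 3 end to end: reuse a cached set with the same name (same timestamp), else download it."""
    if acl_set_name in cache:
        return cache[acl_set_name], False            # already current; no RADIUS traffic
    request = build_acl_download_request(secret, ident, acl_set_name)
    response = acs_handle_request(secret, request, acl_store)
    aces = asa_parse_accept(secret, request, response) if response else None
    if aces is not None:
        cache[acl_set_name] = aces
    return aces, True
```

Because the cache is keyed on the full acl-set-name, a list edited on ACS gets a new stamp and therefore a new name, which misses the cache and triggers a download exactly as step 3 describes; an unsigned request, a request signed with a different shared secret, or one whose User-Name was altered after signing all return None from acs_handle_request, which is the "ignored" outcome of step 4.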
