Cisco ASA 5505 Configuration Manual page 713

Chapter 33
Configuring AAA Rules for Network Access
Converting Wildcard Netmask Expressions in Downloadable Access Lists
If a RADIUS server provides downloadable access lists to Cisco VPN 3000 series concentrators as well
as to the adaptive security appliance, you may need the adaptive security appliance to convert wildcard
netmask expressions to standard netmask expressions. Cisco VPN 3000 series concentrators support
wildcard netmask expressions (a 0 bit means the corresponding address bit must match), but the adaptive
security appliance supports only standard netmask expressions (a 1 bit means the corresponding address
bit must match). Configuring the adaptive security appliance to convert wildcard netmask expressions
minimizes the effect of this difference on how you configure downloadable access lists on your RADIUS
servers: downloadable access lists written for Cisco VPN 3000 series concentrators can be used by the
adaptive security appliance without altering their configuration on the RADIUS server.
You configure access list netmask conversion on a per-server basis when you add a server to a server
group, in the Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server
Groups area. See the "Adding a Server Group" section on page 31-8.
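The conversion described above, as an added example (this is not Cisco's code and the appliance's own implementation is not published): each "address wildcard-mask" pair in a downloadable access-control entry is rewritten by inverting the mask bits, and the result is checked for contiguity so that an already-standard mask such as 255.255.255.0 is rejected instead of being silently mangled. The sample downloadable ACL and the ACE grammar handled (any, host x.x.x.x, address mask, optional port operators) are assumptions for the demonstration.

```python
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: a downloadable ACL as a RADIUS server might hold it for
# a VPN 3000 concentrator. Wildcard masks: a 0 bit means "this bit must match".
SAMPLE_DACL = [
    "permit ip 10.1.1.0 0.0.0.255 any",
    "deny tcp 192.168.0.0 0.0.255.255 host 172.16.5.9 eq 23",
    "permit udp 10.20.30.40 0.0.0.0 10.0.0.0 0.255.255.255",
]


def _is_contiguous_netmask(mask_int: int) -> bool:
    """True if mask_int has the shape 1...10...0 (all-zero and all-one included)."""
    low_run = (~mask_int) & ALL_ONES   # the trailing zero run, as a number
    probe = low_run + 1                # a power of two iff that run is contiguous
    return probe & (probe - 1) == 0


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert a Cisco wildcard mask into a standard netmask.

    Raises ValueError for masks that are not contiguous wildcards. A standard
    mask such as 255.255.255.0 fails the check on purpose: running an
    already-converted ACL through again must not mangle it. The two masks that
    are valid in both conventions, 0.0.0.0 and 255.255.255.255, swap meaning
    (host vs. any), so the caller must know which convention the input uses;
    the function never guesses.
    """
    wildcard_int = int(ipaddress.IPv4Address(wildcard))
    netmask_int = (~wildcard_int) & ALL_ONES
    if not _is_contiguous_netmask(netmask_int):
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    return str(ipaddress.IPv4Address(netmask_int))


def is_wildcard_mask(mask: str) -> bool:
    """Convenience predicate around wildcard_to_netmask()."""
    try:
        wildcard_to_netmask(mask)
    except ValueError:
        return False
    return True


def convert_ace(ace: str) -> str:
    """Rewrite every 'address wildcard' pair in one access-control entry.

    A pair is two consecutive dotted quads whose first member is not preceded
    by the keyword 'host'; 'any', 'host x.x.x.x' and port operators pass through.
    """
    tokens = ace.split()
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        out.append(tok)
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        is_pair = (DOTTED_QUAD.match(tok) is not None
                   and nxt is not None and DOTTED_QUAD.match(nxt) is not None
                   and (i == 0 or tokens[i - 1] != "host"))
        if is_pair:
            out.append(wildcard_to_netmask(nxt))
            i += 2
        else:
            i += 1
    return " ".join(out)


def convert_dacl(lines):
    """Convert a whole downloadable ACL; one bad mask aborts the whole conversion."""
    return [convert_ace(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_DACL, convert_dacl(SAMPLE_DACL)):
        print(f"{before:55s} -> {after}")
```

Failing closed on a non-contiguous or already-standard mask is the important design choice: a downloadable ACL that is converted twice, or mixes conventions, would otherwise become a permit for a very different address range than the administrator intended.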
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the adaptive security appliance (at the
CLI) from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute
(attribute number 11) as follows:
filter-id=acl_name
Note In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface,
omitting filter-id= and entering only acl_name.
For information about making the filter-id attribute value unique per user, see the documentation for your
RADIUS server.
See the Cisco ASA 5500 Series Configuration Guide using the CLI to create an access list on the adaptive
security appliance.
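To make the attribute format concrete, here is an added example (not Cisco's code) that encodes and decodes the IETF Filter-Id attribute (type 11) in its RFC 2865 Type/Length/Value layout and then applies the check this section implies: the name carried in Filter-Id must match an access list that already exists on the appliance. The configured ACL names, the sample Access-Accept attribute list, and the policy of rejecting a "filter-id=" prefix or an unknown name are assumptions of the example, not documented appliance behaviour.

```python
import struct

FILTER_ID = 11  # IETF RADIUS attribute type for Filter-Id (RFC 2865, section 5.11)

# Constructed sample: ACL names assumed to already exist on the appliance.
CONFIGURED_ACLS = {"acl_vpn_users", "acl_contractors"}


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Build one RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if not 0 <= attr_type <= 255:
        raise ValueError("attribute type out of range")
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(blob: bytes):
    """Walk a RADIUS attribute list, refusing truncated or zero-length entries."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return attrs


def acl_name_from_filter_id(attrs, configured=CONFIGURED_ACLS):
    """Return the ACL name carried in Filter-Id after checking it exists locally.

    Returns None when no Filter-Id is present. Raises ValueError when the value
    is malformed, ambiguous, or names an ACL that was never created. The
    rejection of the 'filter-id=' prefix catches the Cisco Secure ACS mistake
    described in the text, where only acl_name belongs in the box.
    """
    names = [value for attr_type, value in attrs if attr_type == FILTER_ID]
    if not names:
        return None
    if len(names) > 1:
        raise ValueError("more than one Filter-Id attribute; refusing to guess")
    name = names[0].decode("ascii")
    if name.lower().startswith("filter-id="):
        raise ValueError("value must be the ACL name alone, without 'filter-id='")
    if name not in configured:
        raise ValueError(f"ACL {name!r} is not configured on the appliance")
    return name


# Constructed Access-Accept attribute list: Filter-Id followed by an unrelated
# Session-Timeout (type 27) to show that the decoder carries other attributes through.
SAMPLE_ATTRS = (encode_attribute(FILTER_ID, b"acl_vpn_users")
                + encode_attribute(27, struct.pack("!I", 3600)))

if __name__ == "__main__":
    decoded = decode_attributes(SAMPLE_ATTRS)
    print(decoded)
    print("apply ACL:", acl_name_from_filter_id(decoded))
```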
Configuring Accounting for Network Access
The adaptive security appliance can send accounting information to a RADIUS or TACACS+ server
about any TCP or UDP traffic that passes through the adaptive security appliance. If that traffic is also
authenticated, then the AAA server can maintain accounting information by username. If the traffic is
not authenticated, the AAA server can maintain accounting information by IP address. Accounting
information includes when sessions start and stop, username, the number of bytes that pass through the
adaptive security appliance for the session, the service used, and the duration of each session.
To configure accounting, perform the following steps:
Step 1 If you want the adaptive security appliance to provide accounting data per user, you must enable
authentication. For more information, see the "Configuring Authentication for Network Access" section
on page 33-1. If you want the adaptive security appliance to provide accounting data per IP address,
enabling authentication is not necessary and you can continue to the next step.
Step 2 From the Configuration > Firewall > AAA Rules pane, choose Add > Add Accounting Rule.
The Add Accounting Rule dialog box appears.
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 33-15
