Configuring Radius Authorization; Configuring A Radius Server To Send Downloadable Access Control Lists; Configuring A Radius Server To Download Per-User Access Control List Names - Cisco PIX 500 Series Configuration Manual

Configuring Authorization for Network Access

Configuring RADIUS Authorization

When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
message sent by a RADIUS server. For more information about configuring authentication, see the
"Configuring Authentication for Network Access" section on page
When you configure the security appliance to authenticate users for network access, you are also
implicitly enabling RADIUS authorizations; therefore, this section contains no information about
configuring RADIUS authorization on the security appliance. It does provide information about how the
security appliance handles access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the security appliance or an access list
name at the time of authentication. The user is authorized to do only what is permitted in the
user-specific access list.
If you have used the access-group command to apply access lists to interfaces, be aware of the following
Note
effects of the per-user-override keyword on authorization by user-specific access lists:
•
•
For more information, see the access-group command entry in the Cisco Security Appliance Command
Reference.
This section includes the following topics:
•
•

Configuring a RADIUS Server to Send Downloadable Access Control Lists

This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes
the following topics:
•
•
•
•
About the Downloadable Access List Feature and Cisco Secure ACS
Downloadable access lists is the most scalable means of using Cisco Secure ACS to provide the
appropriate access lists for each user. It provides the following capabilities:
•
•
Cisco Security Appliance Command Line Configuration Guide
19-10
Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.
With the per-user-override keyword, the user-specific access list determines what is permitted.
Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-10
Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-14
About the Downloadable Access List Feature and Cisco Secure ACS, page 19-10
Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-12
Configuring Any RADIUS Server for Downloadable Access Lists, page 19-13
Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-14
Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as
required to transport the full access list from Cisco Secure ACS to the security appliance.
Simplified and centralized management of access lists—Downloadable access lists enable you to
write a set of access lists once and apply it to many user or group profiles and distribute it to many
security appliances.
Chapter 19 Applying AAA for Network Access
19-1.
OL-12172-03