Configuring Radius Authorization - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Chapter 19
Applying AAA for Network Access
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
message sent by a RADIUS server. For more information about configuring authentication, see the
"Configuring Authentication for Network Access" section on page
When you configure the security appliance to authenticate users for network access, you are also
implicitly enabling RADIUS authorizations; therefore, this section contains no information about
configuring RADIUS authorization on the security appliance. It does provide information about how the
security appliance handles access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the security appliance or an access list
name at the time of authentication. The user is authorized to do only what is permitted in the
user-specific access list.
Note
If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by user-specific access lists:
•
•
For more information, see the access-group command entry in the Cisco Security Appliance Command
Reference.
This section includes the following topics:
•
•
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes
the following topics:
•
•
•
•
OL-10088-01
Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.
With the per-user-override keyword, the user-specific access list determines what is permitted.
Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-7
Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-11
About the Downloadable Access List Feature and Cisco Secure ACS, page 19-8
Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-9
Configuring Any RADIUS Server for Downloadable Access Lists, page 19-10
Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-11
Configuring Authorization for Network Access
19-1.
Cisco Security Appliance Command Line Configuration Guide
19-7
Advertisement
Table of Contents
Troubleshooting
