Configuring A Radius Server To Download Per-User Access Control List Names - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 19
Applying AAA for Network Access
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 19-11
Configuring Authorization for Network Access

On the security appliance, the downloaded access list name has the following format:

AAA-user-username

The username argument is the name of the user that is being authenticated.

The downloaded access list on the security appliance consists of the following lines. Notice that the order is based on the numbers identified on the RADIUS server.

access-list  AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 deny tcp any any
access-list  AAA-user-bcham34-79AD4A08 deny udp any any

Downloaded access lists have two spaces between the word "access-list" and the name. These spaces serve to differentiate a downloaded access list from a local access list. In this example, "79AD4A08" is a hash value generated by the security appliance to help determine when access list definitions have changed on the RADIUS server.

Converting Wildcard Netmask Expressions in Downloadable Access Lists

If a RADIUS server provides downloadable access lists to Cisco VPN 3000 Series Concentrators as well as to the security appliance, you may need the security appliance to convert wildcard netmask expressions to standard netmask expressions. This is because Cisco VPN 3000 Series Concentrators support wildcard netmask expressions but the security appliance only supports standard netmask expressions. Configuring the security appliance to convert wildcard netmask expressions helps minimize the effects of these differences upon how you configure downloadable access lists on your RADIUS servers. Translation of wildcard netmask expressions means that downloadable access lists written for Cisco VPN 3000 Series Concentrators can be used by the security appliance without altering the configuration of the downloadable access lists on the RADIUS server.

You configure access list netmask conversion on a per-server basis, using the acl-netmask-convert command, available in the AAA-server configuration mode. For more information about configuring a RADIUS server, see the "Identifying AAA Server Groups and Servers" section on page 13-12. For more information about the acl-netmask-convert command, see the Cisco Security Appliance Command Reference.

Configuring a RADIUS Server to Download Per-User Access Control List Names

To download a name for an access list that you already created on the security appliance from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows:

filter-id=acl_name

Note: In Cisco Secure ACS, the value for filter-id attributes is specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name.

For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server.

See the "Adding an Extended Access List" section on page 16-5 to create an access list on the security appliance.
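The following Python is an added example, not code from the Cisco guide: it parses access-list lines of the form shown above, separates downloaded per-user lists from local lists by the double space after "access-list", reports users whose hash changed between two snapshots (the signal the guide describes for a changed definition on the RADIUS server), and reproduces the wildcard-to-standard netmask arithmetic that acl-netmask-convert performs. It assumes the hash is eight hex digits (the guide shows only the one value 79AD4A08); the "inside_in" local list and the "alice" entry in the sample are constructed.

```python
import re
from collections import defaultdict

# Downloaded lists have two spaces after "access-list"; local lists have one.
# Name format from the guide: AAA-user-<username>-<hash>. The 8-hex-digit hash
# length is an assumption based on the single example value 79AD4A08.
DOWNLOADED = re.compile(r"^access-list {2}AAA-user-(?P<user>\S+)-(?P<hash>[0-9A-F]{8}) (?P<rule>.+)$")
LOCAL = re.compile(r"^access-list (?P<name>\S+) (?P<rule>.+)$")

# Constructed sample output: the bcham34 lines mirror the guide's example;
# the "inside_in" local list and the "alice" entry are made up for illustration.
SAMPLE = """\
access-list inside_in permit tcp any host 10.2.2.2 eq 443
access-list  AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 deny tcp any any
access-list  AAA-user-alice-1A2B3C4D permit ip any any
"""

def parse_access_lists(text):
    """Split lines into downloaded per-user lists and local lists.
    Returns (downloaded, local): username -> {"hash", "rules"} and name -> [rules],
    keeping the appliance's line order within each list."""
    downloaded, local = {}, defaultdict(list)
    for line in text.splitlines():
        m = DOWNLOADED.match(line)
        if m:
            entry = downloaded.setdefault(m["user"], {"hash": m["hash"], "rules": []})
            entry["rules"].append(m["rule"])
            continue
        m = LOCAL.match(line)
        if m:
            local[m["name"]].append(m["rule"])
    return downloaded, dict(local)

def changed_users(old, new):
    """Users present in both snapshots whose hash differs, i.e. the appliance
    saw a changed access list definition on the RADIUS server."""
    return sorted(u for u in old if u in new and old[u]["hash"] != new[u]["hash"])

def wildcard_to_netmask(mask):
    """Turn a VPN 3000-style wildcard mask (0.0.0.255) into the standard netmask
    the security appliance expects (255.255.255.0): each octet is complemented."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    return ".".join(str(255 - o) for o in octets)
```

Run parse_access_lists(SAMPLE) twice across a RADIUS change and feed both results to changed_users to see which users' downloaded lists were regenerated.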
