Cisco ASA Series Cli Configuration Manual page 851
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 1
Configuring AAA Servers and the Local Database
•
RADIUS Authorization Functions
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall
cut-through-proxy sessions using dynamic access lists or access list names per user. To implement
dynamic access lists, you must configure the RADIUS server to support it. When the user authenticates,
the RADIUS server sends a downloadable access list or access list name to the ASA. Access to a given
service is either permitted or denied by the access list. The ASA deletes the access list when the
authentication session expires.
In addition to access lists, the ASA supports many other attributes for authorization and setting of
permissions for VPN remote access and firewall cut-through proxy sessions. For a complete list of
authorization attributes, see the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp16055
08
TACACS+ Server Support
The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
RSA/SDI Server Support
The RSA SecureID servers are also known as SDI servers.
This section includes the following topics:
•
•
•
RSA/SDI Version Support
The ASA supports SDI Versions 5.x, 6.x, and 7.x. SDI uses the concepts of an SDI primary and SDI
replica servers. Each primary and its replicas share a single node secret file. The node secret file has its
name based on the hexadecimal value of the ACE or Server IP address, with .sdi appended.
A version 5.x, 6.x, or 7.x SDI server that you configure on the ASA can be either the primary or any one
of the replicas. See the
about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI Versions 5.x, 6.x, or 7.x use a two-step process to prevent an intruder from capturing information
from an RSA SecurID authentication request and using it to authenticate to another server. The agent
first sends a lock request to the SecurID server before sending the user authentication request. The server
A list of attributes is available at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1
605508
RSA/SDI Version Support, page 1-5
Two-step Authentication Process, page 1-5
RSA/SDI Primary and Replica Servers, page 1-6
"RSA/SDI Primary and Replica Servers" section on page 1-6
Information About AAA
Cisco ASA Series CLI Configuration Guide
for information
1-5
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
