
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
B-30
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Appendix B Configuring an External Server for Authorization and Authentication
Configuring an External RADIUS Server
This section presents an overview of the RADIUS configuration procedure and defines the Cisco
RADIUS attributes. It includes the following topics:
• Reviewing the RADIUS Configuration Procedure, page B-30
• Security Appliance RADIUS Authorization Attributes, page B-30
• Security Appliance IETF RADIUS Authorization Attributes, page B-38
Reviewing the RADIUS Configuration Procedure
This section describes the RADIUS configuration steps required to support authentication and
authorization of adaptive security appliance users. Follow these steps to set up the RADIUS server
to interoperate with the adaptive security appliance.
Step 1 Load the adaptive security appliance attributes into the RADIUS server. The method you use to load the
attributes depends on which type of RADIUS server you are using:
• If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
• If you are using a FUNK RADIUS server: Cisco supplies a dictionary file that contains all the
adaptive security appliance attributes. Obtain this dictionary file, cisco3k.dct, from Software
Center on CCO or from the adaptive security appliance CD-ROM. Load the dictionary file on your
server.
• For other vendors’ RADIUS servers (for example, Microsoft Internet Authentication Service): you
must manually define each adaptive security appliance attribute. To define an attribute, use the
attribute name or number, type, value, and vendor code (3076). For a list of adaptive security
appliance RADIUS authorization attributes and values, see Table B-7.
Step 2 Set up the users or groups with the permissions and attributes to send during IPSec or SSL tunnel
establishment.
Security Appliance RADIUS Authorization Attributes
Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as
an authentication server enforces permissions or attributes if they are configured.
Table B-7 lists all the RADIUS attributes supported by the adaptive security appliance that can be
used for user authorization.
Note RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new
nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The
appliances enforce the RADIUS attributes based on attribute numeric ID, not attribute name. LDAP
attributes are enforced by their name, not by the ID.
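The following is an added example, not part of the Cisco guide, showing why enforcement by numeric ID makes the cVPN3000 naming difference irrelevant on the wire: a RADIUS Vendor-Specific attribute for vendor code 3076 carries only the attribute number, so a manually defined attribute works under any name as long as its number, type and vendor code are right. It assumes the RFC 2865 recommended sub-attribute layout (one-byte type, one-byte length); the attribute number 200 and both attribute names are constructed placeholders, not entries from Table B-7.

```python
import struct

VSA_TYPE = 26           # RFC 2865 Vendor-Specific attribute type
CISCO_VPN3000 = 3076    # vendor code given in the guide

# Constructed sample dictionaries: number 200 and both names are placeholders.
OLD_DICT = {"cVPN3000-Example-Attribute": 200}   # pre-4.0 ACS style name
NEW_DICT = {"Example-Attribute": 200}            # name without the prefix

def encode_vsa(dictionary, name, value, vendor=CISCO_VPN3000):
    """Encode one integer-typed VSA; the name is resolved to its number, then dropped."""
    attr_id = dictionary[name]
    sub = struct.pack("!BBI", attr_id, 6, value)   # vendor-type, vendor-length, 32-bit value
    body = struct.pack("!I", vendor) + sub         # 4-octet vendor id precedes sub-attributes
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def decode_vsas(attrs, vendor=CISCO_VPN3000):
    """Walk a RADIUS attribute list and return (attr_id, raw_value) pairs for one vendor."""
    out, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VSA_TYPE:
            continue                               # not vendor-specific, skip
        if len(body) < 4:
            raise ValueError("VSA too short for vendor id")
        if struct.unpack("!I", body[:4])[0] != vendor:
            continue                               # another vendor's attribute
        sub, i = body[4:], 0
        while i < len(sub):
            if len(sub) - i < 2 or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            out.append((sub[i], sub[i + 2:i + sub[i + 1]]))
            i += sub[i + 1]
    return out

if __name__ == "__main__":
    old = encode_vsa(OLD_DICT, "cVPN3000-Example-Attribute", 3)
    new = encode_vsa(NEW_DICT, "Example-Attribute", 3)
    print(old.hex(), old == new, decode_vsas(new))
```

When auditing a manually defined dictionary on a third-party server, compare the decoded (vendor, number) pairs against Table B-7 rather than the display names.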


Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General
Brand: Cisco
Model: 5510 - ASA SSL / IPsec VPN Edition
Category: Firewall
Language: English
