Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

33-11
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 33 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
When you configure the adaptive security appliance to authenticate users for network access, you are
also implicitly enabling RADIUS authorizations; therefore, this section contains no information about
configuring RADIUS authorization on the adaptive security appliance. It does provide information about
how the adaptive security appliance handles access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the adaptive security appliance or an
access list name at the time of authentication. The user is authorized to do only what is permitted in the
user-specific access list.
Note: If you have enabled the Per User Override Setting (see the Configuration > Firewall > Access Rules >
Advanced > Access Rules Advanced Options dialog box), be aware of the following effects of this
feature on authorization by user-specific access lists:
• Without the per-user-override feature, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.
• With the per-user-override feature, the user-specific access list determines what is permitted.
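The effect of the Per User Override setting described in the note above, as an added example (not from the Cisco guide): a simplified Python model of the two evaluation modes that lists the flows a downloaded access list opens only because the override is enabled. The ACL entries, sample flows and function names are constructed for illustration, and matching is reduced to protocol, destination and port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" for any protocol
    dst: str                     # destination network in CIDR form
    port: Optional[int] = None   # destination port, None matches any

def acl_permits(acl, proto, dst_ip, port):
    """First matching entry wins; no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if addr not in ipaddress.ip_network(ace.dst):
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action == "permit"
    return False

def session_permitted(interface_acl, user_acl, per_user_override, proto, dst_ip, port):
    """Model of the note: without override both lists must permit the flow;
    with override the user-specific list alone decides."""
    user_ok = acl_permits(user_acl, proto, dst_ip, port)
    if per_user_override:
        return user_ok
    return user_ok and acl_permits(interface_acl, proto, dst_ip, port)

def opened_by_override(flows, interface_acl, user_acl):
    """Flows that pass only because per-user-override is enabled."""
    return [f for f in flows
            if session_permitted(interface_acl, user_acl, True, *f)
            and not session_permitted(interface_acl, user_acl, False, *f)]

# Constructed sample policy: the interface list blocks one subnet, while the
# list downloaded from the RADIUS server is broader than intended.
INTERFACE_ACL = [Ace("deny", "ip", "10.20.0.0/16"),
                 Ace("permit", "tcp", "10.0.0.0/8", 443)]
USER_ACL = [Ace("permit", "ip", "10.0.0.0/8")]
SAMPLE_FLOWS = [("tcp", "10.20.5.9", 22),    # blocked by the interface list
                ("tcp", "10.1.1.1", 443),    # permitted by both lists
                ("udp", "192.0.2.1", 53)]    # permitted by neither list

if __name__ == "__main__":
    for flow in opened_by_override(SAMPLE_FLOWS, INTERFACE_ACL, USER_ACL):
        print("allowed only with per-user-override:", flow)
```

Running the same comparison over the access lists defined on the RADIUS server before enabling the override shows which interface restrictions would stop applying to authenticated users.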
This section includes the following topics:
• Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 33-11
• Configuring a RADIUS Server to Download Per-User Access Control List Names, page 33-15
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server and includes
the following topics:
• About the Downloadable Access List Feature and Cisco Secure ACS, page 33-11
• Configuring Cisco Secure ACS for Downloadable Access Lists, page 33-13
• Configuring Any RADIUS Server for Downloadable Access Lists, page 33-14
• Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 33-15
About the Downloadable Access List Feature and Cisco Secure ACS
Downloadable access lists are the most scalable means of using Cisco Secure ACS to provide the
appropriate access lists for each user. They provide the following capabilities:
• Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as
required to transport the full access list from Cisco Secure ACS to the adaptive security appliance.
• Simplified and centralized management of access lists—Downloadable access lists enable you to
write a set of access lists once and apply it to many user or group profiles and distribute it to many
adaptive security appliances.
This approach is most useful when you have very large access list sets that you want to apply to more
than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and
group management makes it useful for access lists of any size.
The adaptive security appliance receives downloadable access lists from Cisco Secure ACS using the
following process:
1. The adaptive security appliance sends a RADIUS authentication request packet for the user session.
